Building Your Medical Device Cybersecurity Protocol

Posted by Gerry Blass

5 ways to evaluate and maintain your medical device cybersecurity

Medical device cybersecurity has become significantly more important in the age of digital health. There are essential actions health systems must take to protect themselves – and their patients. This blog offers 5 guidelines to evaluate and maintain your medical device cybersecurity.

There’s no shortage of news coverage on the ever-present need for improved medical device cybersecurity. From pacemakers to insulin pumps and beyond, medical devices are attractive targets for hackers.

But even more appealing, according to Modern Healthcare’s article on medical device cybersecurity, are connected devices or machines that can provide a path directly into a health system’s network. These include devices gathering, examining or storing patient data within the hospital such as MRI machines and vital signs monitors.

Medical devices don’t always incorporate the same type of encryption as other technologies or healthcare IT systems. Now, in the age of digital health, this deficiency makes medical devices more vulnerable as access points to a health system’s entire network. Says the Modern Healthcare article:

“Hacking a device like a networked MRI machine as a way into a Wi-Fi network. That could provide access to a health system’s network, where hackers could wreak all sorts of havoc, ultimately risking patient safety by potentially interrupting care by holding electronic health records hostage; breaching protected health information; taking down the system entirely; or simply causing devices to malfunction.”1

How can hospitals and health systems protect themselves – and more importantly, patient safety – with proper medical device cybersecurity protocol?

We have 5 guidelines to get you started:

  1. Ensure your IT and compliance teams are in lockstep with each other. IT departments should be responsible for monitoring medical devices and raising any issues with the compliance team. Compliance is responsible for – without any internal political pressure – monitoring and addressing the organization’s information security and risk management programs. To avoid any conflicts of interest, place your chief information security officer (CISO) outside of the IT department.
  2. Perform an administrative assessment on each device vendor. The administrative assessment must evaluate each vendor’s medical device cybersecurity practices such as:
    • Documented HIPAA security rules
    • Data storage and usage of data centers
    • Configuration of unique user IDs and passwords
    • Independent security certifications or validations (e.g., SOC, HITRUST, NIST)
    • Protocols for remote access
    • Usage of audit logs
    • Policies for data retention, disposal and destruction
    • Disaster Recovery (DR) plans and procedures
    • Holding liability insurance
    • How the medical device is supported after sale (by the vendor or by third party)
    • Physical security on the device itself

    The GRC (Governance, Risk and Compliance) management portal engineered by ComplyAssistant contains a 120-question medical device cybersecurity questionnaire from Sensato’s National Medical Device Task Force. Sensato is a cybersecurity solutions firm located in Red Bank, New Jersey. ComplyAssistant and Sensato formed an alliance in 2017 to provide comprehensive cybersecurity solutions to the healthcare industry. A primary solution is MD-COP+ (Medical Device Cybersecurity Operations Program).

    The 120-question set is included with MD-COP+ and has been vetted by medical device vendors, the FDA, MITRE, and various hospital associations such as NJHA and GNYHA. Its objective is to determine if vendors have proper medical device cybersecurity standards in place.

    ComplyAssistant gathers a list of devices, administers the 120-point assessment via its portal, and rates responses based on risk levels. The cybersecurity solutions provided in MD-COP+ round out a holistic solution approach to help vendors and healthcare providers manage and mitigate information security risk and protect patient safety.

  3. Perform a technical assessment on each device. This assessment evaluates each device to ensure it meets the technical and operational requirements of HIPAA, NIST 800-53 and FDA Post Market Guidance for medical device cybersecurity. The MD-COP+ program includes penetration testing, vulnerability assessment, medical device monitoring, and breach detection as part of its holistic solutions.
  4. Outline and enforce role-based usage of medical devices throughout your system. Only approved clinical and technical staff should have access to medical devices. This access is limited to anyone caring for the patient and authorized IT personnel who maintain the devices.
  5. Become a member of an Information Sharing and Analysis Organization (ISAO). Healthcare is a primary target for attack due to the mass migration of hard-copy health data to electronic form, and the high value of health and financial data. Attackers are good at sharing information, and the practice has proven effective, as evidenced by the large number of incidents. Healthcare organizations should emulate the hackers by sharing information, which is key to awareness and risk management. Joining an ISAO – like the Sensato-ISAO included in the MD-COP+ solution – provides healthcare organizations with ongoing access to threat intelligence, vulnerability disclosure and community-based best practices and support. Medical device vendors are also motivated to join an ISAO, share their risk profiles and reduce their own medical device cybersecurity liabilities.

While medical device cybersecurity is becoming more important in this age of digital health, there are actions health systems can take to protect themselves – and their patients. Evaluate your vendors and their devices, protect access to the devices once they are implemented at your facility, and have escalation procedures in place for any security events.

1 (sourced 3/27/18)

Interested in more information on medical device cybersecurity? Check out these resources from the FDA: