Ensuring a solid medical device cybersecurity program

Posted by James Schroeder

ComplyAssistant recently contributed an article on medical device cybersecurity in the August 2018 edition of HCPro’s Briefings on HIPAA. The following blog post covers some of the key points.

Using a medical device security assessment to identify and mitigate vulnerabilities

With a variety of vulnerabilities (unenforced password protocols, outdated data storage, unencrypted data, unsecured network access), medical devices are particularly attractive to would-be attackers. Medical devices are more connected than ever, yet they do not always incorporate the same kind of encryption as other technologies, so a compromised device can become a direct path into a health system’s entire network. Attackers can cause a device to malfunction or even take down an entire system.

Thus, the need for appropriate medical device cybersecurity is critical. Healthcare organizations must protect their patients, and any sensitive data, by implementing and enforcing a solid medical device cybersecurity program.

The Center for Devices and Radiological Health (CDRH), a division of the FDA, facilitates medical device innovation, and is “modernizing measures to improve the safety of medical devices while continuing to create more efficient pathways to bring lifesaving devices to patients.” In its Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health, the CDRH intends to redefine its approach to medical device cybersecurity, and outlines these five steps it will take to encourage medical device innovation:

  1. Establish a robust medical device patient safety net in the United States.
  2. Explore regulatory options to streamline and modernize timely implementation of postmarket mitigations.
  3. Spur innovation toward safer medical devices.
  4. Advance medical device cybersecurity.
  5. Integrate the Center for Devices and Radiological Health’s (CDRH’s) premarket and postmarket offices and activities to advance the use of a “total product life cycle” approach to device safety.

What is your solution to medical device cybersecurity? Here are five steps you can take to ensure a solid medical device cybersecurity program:

    1. Collaborate. Your IT and Compliance teams should be set up to work in concert with each other. IT is responsible for monitoring all medical devices and escalating any issues or breaches to Compliance. Compliance is responsible for monitoring and addressing the organization’s information security and risk management programs. Working together, these departments are the core of maintaining an organization’s security and compliance strategy. (For more on this topic, check out our blog post on why your CISO should be housed outside of the IT department).
    2. Assess. Complete an administrative assessment on every vendor that provides medical devices to the organization. For example, a medical device cybersecurity administrative assessment should include:

      • Documentation of HIPAA security rules
      • How data is stored
      • User access and provisioning
      • Security certifications or validations from independent parties
      • Remote access protocols
      • Documentation and enforcement of policies for data retention, disposal, and destruction
      • Documentation of disaster recovery plans and procedures
      • Continuation of liability insurance
      • Post-sale support on the medical device, whether from the vendor or from a third party

      Complete a technical assessment on each device to ensure it meets the technical and operational requirements of HIPAA, NIST 800-53, and FDA Postmarket Guidance for medical device cybersecurity. The technical assessment should include penetration testing, a vulnerability assessment, medical device monitoring, and breach detection.

    3. Review and update. If your organization uses legacy medical devices, the related business associate agreements (BAAs) may be outdated. Review each BAA and update per your organization’s most up-to-date medical device cybersecurity protocols.
    4. Secure access. Each medical device must only be accessed by approved clinical and technical staff. Document and require role-based usage of medical devices throughout the system, and limit access to the authorized clinicians caring for the patient and the authorized IT personnel who maintain the device.
    5. Share. Join an Information Sharing and Analysis Organization (ISAO) to stay informed on threat intelligence, vulnerability disclosure, and community-based best practices and support.
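The access rule in step 4 (clinicians on the patient’s care team, IT staff approved to maintain the device, everyone else denied) can be expressed as a small default-deny policy check with an audit trail. The following is an added illustrative example, not ComplyAssistant’s code or any vendor’s device software; the roles, action names, care-team mapping and device records are constructed assumptions for the demo.

```python
"""Default-deny access check for a connected medical device, with audit log.

Added example (not from the original post). Roles, actions and the sample
devices/care teams below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "clinician" or "it"; any other role is denied by default


@dataclass(frozen=True)
class Device:
    device_id: str
    patient_id: Optional[str]    # patient the device is currently assigned to
    maintainers: FrozenSet[str]  # IT staff approved to service this device


# What each role may do on a device it is authorized for. Clinicians never get
# firmware or diagnostic access; IT never gets therapy settings (assumed split).
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "clinician": {"read", "configure_therapy"},
    "it": {"read", "diagnostics", "firmware_update"},
}


def _decide(user: User, device: Device, action: str,
            care_teams: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly allowed is denied."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False, f"action '{action}' not permitted for role '{user.role}'"
    if user.role == "clinician":
        if device.patient_id is None:
            return False, "device not assigned to a patient"
        if user.user_id not in care_teams.get(device.patient_id, set()):
            return False, f"user not on care team for {device.patient_id}"
        return True, "clinician on patient's care team"
    if user.role == "it":
        if user.user_id not in device.maintainers:
            return False, "user not an approved maintainer of this device"
        return True, "approved maintainer"
    return False, "unknown role"


def authorize(user: User, device: Device, action: str,
              care_teams: Dict[str, Set[str]], audit: List[dict]) -> bool:
    """Decide, record the decision (allow and deny alike), and return it."""
    allowed, reason = _decide(user, device, action, care_teams)
    audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.user_id, "role": user.role,
        "device": device.device_id, "action": action,
        "decision": "allow" if allowed else "deny", "reason": reason,
    })
    return allowed


def demo() -> List[dict]:
    """Run a constructed scenario and return the audit trail it produced."""
    care_teams = {"P-001": {"dr-lee"}}  # constructed: dr-lee cares for P-001
    pump = Device("infusion-pump-17", "P-001", frozenset({"it-bob"}))
    audit: List[dict] = []
    authorize(User("dr-lee", "clinician"), pump, "read", care_teams, audit)
    authorize(User("dr-kim", "clinician"), pump, "read", care_teams, audit)
    authorize(User("it-bob", "it"), pump, "firmware_update", care_teams, audit)
    authorize(User("it-bob", "it"), pump, "configure_therapy", care_teams, audit)
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry["decision"], entry["user"], entry["action"], "-", entry["reason"])
```

The point of the structure is that every path ends in an explicit decision and every decision, including denials, is written to the audit list; the denial reasons are what the IT team would escalate to Compliance under step 1, and the allow entries are what a technical assessment under step 2 can check against the documented role assignments.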

Medical devices can be easy targets for attackers seeking access to an organization’s entire network. Medical device cybersecurity is crucial, and there are concrete actions you can take to protect data and patients. The measures outlined above will serve to protect your organization from attack through a connected medical device.

Want more? Read our blog post on how to build your medical device cybersecurity protocol.

For a consultation and demo, contact ComplyAssistant.