Explosive growth in smart medical devices has created a new set of challenges for the healthcare industry. To adapt to these changes, health IT risk management experts are seeking new ways to better balance integrated services and security.
While medical devices are regulated in many ways for functionality, with rules or laws put forth by regulatory agencies, these same regulators have fallen short when it comes to prescribing enforceable security standards that sufficiently address today’s interconnected healthcare systems—an issue made particularly complex by the lack of agreement over whether providers or device manufactures should bear the liability burden.
Several regulatory bodies are all working towards improving the situation. Currently, the rules that apply to each medical device depend on how the product is classified by regulatory agencies. Each agency has defined classifications for medical devices and established core risk management standards.
The National Institute of Standards and Technology (NIST) in particular prescribes a number of key risk management standards of which those in the medical device industry must be aware. These standards include both technology-based recommendations for taking stock of and implementing security controls and people-focused guidelines centered around access control. While these standards are not strictly enforceable, they represent a step in the right direction toward a more comprehensive understanding of IT risk.
The Food and Drug Administration (FDA) regulatory efforts are based upon shared responsibility models between healthcare sector stakeholders. It has increased industry transparency around medical device cybersecurity threats and other issues, and it soon plans to publish a significant update to modernize its 2014 pre-market medical device cybersecurity guidelines to address this quickly evolving space. This update is expected to provide customers and users with a “cybersecurity bill of materials,” and will include a list of software and hardware components within medical devices that could be susceptible to vulnerabilities. It will be an important resource to help device users respond quickly to potential threats.
Additionally, the FDA released a pair of cybersecurity-focused playbooks. One looks internally, aiming to help its staff address cybersecurity threats, vulnerabilities and incidents. The other was developed with MITRE and focuses on medical device cybersecurity. It outlines recommendations for preparedness and response so that healthcare delivery organizations are better positioned to build and maintain a more secure environment. It also directly addresses the responsibilities borne by device manufacturers. The playbook describes the types of readiness activities that will better prepare healthcare delivery organizations for cybersecurity incidents. Steps include:
- Developing a medical device inventory and directing preparing works out. Some organizations create viable policies and processes, but don’t test them in practice. Training exercises are critical as it is incredibly risky to build an incident response process and test it for the first time in the middle of an incident.
- Defining leadership roles for decisive action. Who’s in charge? Whom do you call when an incident happens, and in what order? A proper crisis protocol must be established and clearly communicated.
- Weighing the potential impact of product vulnerabilities earlier in the development process. Give product developers more opportunity to understand and address the potential for large-scale, multi-patient impact that may raise patient safety or care concerns.
The MITRE playbook is a step in the right direction, and it will ideally create a culture of awareness and preparedness. Organizations must also recognize that standards are good, but in order to be effective, security procedures and practices must be proactively and continually tested. Sharing of information on medical devices and cyberattacks across a region or the industry before, during, and after a medical device cybersecurity incident will also help the industry be better prepared for attackers that seek to apply the same attack methods across other similar healthcare providers.
As an organization develops an incident response preparedness plan, it is critical to have a firm understanding of the players who built, designed, and tested it, in order to know in advance what actions to take and where to turn for support. Who must be notified and in what order? Who should handle external public affairs in the event of a breach? Who is the right law enforcement representative, should reporting become necessary? Who are your regulatory authorities, and who has the authority to speak to them during an incident? What must be complied with in accordance with breach insurance. These are important questions to ask of your general counsel or legal team as you build out a plan.
Organizations that operate under the assumption that a breach is inevitable will be better prepared in the event one occurs. Building processes designed to respond to and identify the extent of a breach quickly will be critical in not only mitigating the impact of the breach but also in addressing obligations related to breach disclosure. A fast and confident response can prevent an attacker from destroying your environment, stealing medical records, harming patients or misusing your resources to further infiltrate the infrastructure of a partner or customer.
Organizations are seeking new technologies for early detection and collecting threat intelligence required to respond and report on incidents. Deception technology is one of the more popular technologies being rapidly adopted by healthcare organizations of all sizes. Usage is driven by its efficiency in detecting advanced threats from all attack vectors and across all attack surfaces, including medical devices.
Deception changes the asymmetry of an attack and disrupts the attacker’s playbook by making it unclear what is real and what is fake with decoys and lures that mirror-match the production environment. The attacker is tricked into making mistakes that disclose their presence and engage them within the deception environment so that their techniques, methods, and intent can be better understood.
A high-interaction deception environment provides the unique ability to monitor an attacker as they navigate this fake (yet highly authentic) environment, study their methods, and gather threat intelligence that can help shut down an attack, prevent a successful return, and provide insight into what the attacker may have been after.
Concern over medical device security is destined to increase as more internet connected devices are deployed into patient-facing environments. Healthcare organizations, security providers, device manufacturers, and regulators have a shared responsibility to develop and implement practices and standards that have direct impact on reducing risk. We must also understand the limits of traditional security programs while seeking out solutions that deliver greater visibility and improved detection capabilities against threats that impact medical devices, and more importantly, patients themselves.