10 Challenges in Managing Medical Device Cybersecurity

Session #139, March 7, 2018

Juuso Leinonen, Senior Project Engineer, ECRI Institute

Conflict of Interest

Juuso Leinonen has no real or apparent conflicts of interest to report.


Agenda

• ECRI Institute - Evaluating Medical Device Cybersecurity

• Medical Device Cybersecurity - 10 Problems and 10 Solutions

• Questions and Answers

Learning Objectives

• Identify 10 key issues that are problematic with managing medical device cybersecurity

• Formulate solutions that could be implemented in your facility to better address the identified key issues

• Recognize and discuss the limitations and potential difficulties with implementation of proposed solutions

ECRI Institute

• Independent, not-for-profit research institute

• Mission:

Improve patient safety, cost effectiveness, and quality of healthcare


Top 10 Health Technology Hazards 2018

– #1 Ransomware and Other Cybersecurity Threats to Healthcare Delivery Can Endanger Patients

ECRI – Medical Device Cybersecurity

• Increased ECRI member interest in cybersecurity

• Increase in reports by ECRI members in relation to cybersecurity

• ECRI’s response:

– Incorporate security assessment in ECRI’s medical device evaluations

– Publish guidance articles specific to medical device security

• Cybersecurity: The Essentials

– Aid health systems with inventory based security risk analysis

10 Challenges

1. Inadequate Medical Device Software Inventory

2. Impractical Medical Device Patch Installation

3. Hard-to-Secure Legacy Devices

4. Insecure Medical Device Design

5. Vulnerability Scanning Disrupting Medical Devices

6. Medical Device Server Management

7. Remote Server Access Control

8. Vendor Reluctance to Share Information

9. IT and Clinical Engineering Collaboration

10. Cloud Services for Medical Devices


1. Inadequate Medical Device Software Inventory

• Inadequate details recorded in the asset management database about software versions, operating systems, and networking

• Processes not in place to update asset details after software updates

• Some asset management solutions not built to accommodate software and networking details

• ECRI Top 10 Health Technology Hazard 2017 - Software Management Gaps Put Patients, and Patient Data, at Risk


1. Solutions

• Establish a procedure to request software details from vendor during purchasing

• Record software version and networking details during acceptance inspection

– Ensure asset management database is configured to accommodate networking details

• Verify that asset records are accurate during, e.g., annual preventive maintenance

2. Impractical Medical Device Patch Installation

• Patch deployment

– Most medical devices require manual updates

– Update may require a vendor field service technician

• Updates can directly impact care delivery

– Equipment downtime

• Thousands of medical devices from hundreds of vendors

– Patching requires an independent approach from normal IT assets


2. Solutions

• Develop a process that identifies patching needs and outlines practical implementation

– E.g., identify and patch medical devices during preventive maintenance

• Patch implementation must evaluate clinical workflow impact

– Patch at night vs patch during the day?

• Develop a critical patching plan

– How to respond to, e.g., WannaCry with medical devices?

3. Hard-to-Secure Legacy Devices

• Long useful life of a medical device: 7-10 years

• Unsupported OS platforms not uncommon with medical devices

– e.g., Windows XP

• Not designed with security in mind

• Important to Note!

– Just because you identify a device that is considered vulnerable, doesn't mean there are more secure alternatives available

3. Solutions

• Identify legacy devices in your inventory

• Establish a process to assess legacy devices on a continuous basis

– Replacing all legacy devices simply isn’t possible!

• Replace legacy devices as practicable by assessing:

– Clinical benefits/need

– Security risk

– Ability to update software

– Expected useful life remaining

– Total replacement costs


4. Unsecure Medical Device Design

• Many medical devices have not been designed with security in mind

– Need to develop custom compensating controls, e.g., closing open network ports not in use, firewall configuration

• Manufacturer recommendations for compensating controls may not be practical

– Take it off the network until fix is developed

– Network segmentation


4. Solutions

• Develop practical compensating controls to mitigate security risks

– Disable unused network ports on the end-point device

– Disable unused communication ports e.g., USB

– Deploy assets in dedicated VLANs

– Carefully consider option to disconnect from network

• Be sure to identify and assess any impact on clinical workflow

• Once a device is networked, it's hard to go back

• Leverage purchasing to push manufacturers for more secure device designs


5. Vulnerability Scanning Disrupting Medical Devices

• Vulnerability scanning tools are normally used to scan networked IT assets

– Increased interest to scan medical devices

• Some networked medical devices may not be compatible

– ECRI Institute members report medical device systems taken down as a result of vulnerability scanning

• Telemetry system disabled for several hours


5. Solutions

• Identify medical devices that cannot withstand any vulnerability scanning

– Ensure only compatible medical devices are scanned

• Consider development of a plan for on-going scanning of compatible medical devices to identify potential security risks

– Scanning may be best done during the day to ensure sufficient clinical staff to respond, if something goes wrong

• Establish a process to evaluate and respond to identified vulnerabilities

– Use results to aid in development of compensating controls
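The inventory checks from "1. Solutions" and the scan scoping from "5. Solutions" can be combined in one pass over the asset database. The following is an added example, not part of the original presentation; the field names (`scan_ok`, `vlan`, and so on) and the sample records are constructed assumptions. A device is scanned only when its compatibility has been explicitly verified.

```python
# Added example: field names and records are constructed, not from the presentation.
REQUIRED = ("software_version", "os", "ip", "vlan")  # details the inventory should hold

INVENTORY = [  # constructed sample asset records
    {"id": "CE-0001", "type": "infusion pump server", "software_version": "4.2",
     "os": "Windows Server 2016", "ip": "10.20.1.10", "vlan": 120, "scan_ok": True},
    {"id": "CE-0002", "type": "telemetry central station", "software_version": "2.1",
     "os": "Windows XP", "ip": "10.20.2.15", "vlan": 130, "scan_ok": False},
    {"id": "CE-0003", "type": "ultrasound", "software_version": None,
     "os": "Windows 7", "ip": "10.20.3.7", "vlan": 140},  # scan_ok never recorded
    {"id": "CE-0004", "type": "patient monitor", "software_version": "1.9",
     "os": "vendor RTOS", "ip": "", "vlan": None, "scan_ok": True},
]


def missing_fields(rec):
    """Return the required inventory fields that are absent or empty."""
    return [f for f in REQUIRED if rec.get(f) in (None, "")]


def plan_scan(inventory):
    """Split the inventory into scan targets, exclusions (with reason) and record gaps."""
    targets, excluded, gaps = [], {}, {}
    for rec in inventory:
        missing = missing_fields(rec)
        if missing:
            gaps[rec["id"]] = missing
        scan_ok = rec.get("scan_ok")
        if scan_ok is False:
            excluded[rec["id"]] = "marked incompatible"
        elif scan_ok is not True:
            # Default deny: an unverified device is treated as unable to withstand scanning.
            excluded[rec["id"]] = "compatibility not verified"
        elif not rec.get("ip"):
            excluded[rec["id"]] = "no address on record"
        else:
            targets.append(rec["ip"])
    return targets, excluded, gaps


if __name__ == "__main__":
    targets, excluded, gaps = plan_scan(INVENTORY)
    print("scan targets:", targets)
    print("excluded:", excluded)
    print("inventory gaps:", gaps)
```

The exclusion and gap lists feed the follow-up work: confirming scan compatibility with the vendor and completing the asset record during the next preventive maintenance visit.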

6. Medical Device Server Management

• Increasing number of medical devices require servers

– Integration of medical device data with EHR

– Database

– Analytics

• Difficulties with medical device server management

– Virtualized environment vs vendor supplied black box

– Lack of support for current server OS

– Lack of support for commercial antivirus software

– Vendor validation of server patches required with medical devices


6. Solutions

• Identify servers associated with medical devices

– Record details about the server operating systems, database type etc.

• Utilize virtualized server environment if supported

– Can simplify server management

• Identify and apply compatible antivirus software

– Configure per manufacturer instructions to avoid disruption to device operation

• Document any exceptions to your general IT policies

7. Remote Server Access Control

• Increasing number of devices require external remote server access

– Maintenance

– Calibration

– Data analytics

• Unsecure external communications

– e.g., Default service passwords, No VPN support

7. Solutions

• Identify purpose of the remote access

– Is remote access required?

• Define how your facility can keep track of the external access to your medical device server and secure the communication

– Two-factor authentication

– VPN

– Temporary passcodes

– Change default service codes if possible


8. Vendor Reluctance to Share Information

• Insufficient information about medical device security

– Poorly filled out security questionnaires and MDS2 forms

– Lack of vulnerability disclosure

– Lack of sufficient information about communication protocols in use vs not in use

– Software bill of materials not provided

– Inactive vendor participation in community vulnerability sharing

8. Solutions

• Leverage the purchasing process to request security and networking documentation

– This may include:

• MDS2 form (2013 version) – update pending

• Facility specific medical device security questionnaire

• Network diagrams

• Software bill of materials

• Consider participation in information sharing communities


9. Cloud Services for Medical Devices

• Cloud services are becoming increasingly common

– Storing and analyzing patient data

– Ease of use due to centralized data access

• How does the cloud service provider protect your data?

• What is the impact to clinical workflow if service is not available?


9. Solutions

• Identify the role of cloud service in clinical workflow

– Develop incident response plan

• Identify what parameters or data will be transferred or stored in the cloud service

• Ensure data protections are clearly outlined in the service agreement

• Ask questions such as:

– If PHI is transmitted, how is it protected?

– Who owns the rights to this transmitted or stored data once it exits the facility?


10. IT and Clinical Engineering Collaboration

• Lack of collaboration is still a widespread problem

– Traditional department division

• CE – medical devices

• IT – workstations, network, servers

• No formal process to assess security risk with medical devices

• No input from IT and clinical engineering during purchasing


10. Solutions

• Establish a process for formal input from IT and clinical engineering during medical device procurement

– Establish security requirements for medical devices

• Designate IT and CE medical device security leads to:

– Evaluate product security during procurement

– Assess legacy devices on an on-going basis

– Conduct security risk assessment with medical devices


Summary

• Identified 10 problems and 10 practical solutions in managing medical device cybersecurity in a healthcare facility

• There is no silver bullet – medical device cybersecurity requires on-going attention

• Medical device cybersecurity is a shared responsibility between manufacturers, facilities, and the regulatory agencies


Questions?

Juuso Leinonen

Senior Project Engineer

ECRI Institute
