Risk Assessments/Management, Security Architecture, Endpoint/Device Security, IoT, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Strong medical device security awareness stifled by inventory, knowledge gaps

Health care providers are increasingly aware of the need to secure the vast landscape of medical devices. However, the sector yet to meet necessary inventory and security measures to stymie this critical threat.

In fact, the latest Armis report shows 63% of health care delivery organizations have been impacted by a security incident caused by unmanaged devices or IoT in the last two years. And 26% of those entities lack policies that would secure both work and personal devices.

Armis researchers surveyed more than 2,000 professionals in May, which showed most users don’t pay attention to major cybersecurity attacks against critical infrastructure and operational technology entities, such as the attack against Colonial Pipeline in early May. This creates a major gap in security awareness, considering the 65,000 ransomware attacks deployed in the U.S. in the last year and the continued rise in cyber events.

As noted by Armis Strategic Product Director Sumit Sehgal, the health care sector could be the next frontier for attackers, particularly as 60% of health care employees responded that they don’t believe their personal devices pose a security threat to their organization.

The current medical device landscape

Throughout the course of the pandemic, health care providers swiftly onboarded new technologies and processes aimed to innovate and support patient care in troubling circumstances.

“COVID-19 pushed health care to be proactive. They took governance processes that could previously take eight years and implemented tech innovations into just eight months,” said Sehgal. “Security is better because most everyone understands that they need to know where their assets are and how to secure them.”

“But it’s still not easy to understand where those assets are, as many employ historic processes that the organization’s culture does not address,” he continued. “Technically, there’s no excuse: you should know what you have. And there are many tools that can accomplish that. But even advanced tools can’t tell you who owns it – or what it means to the organization in terms of risk.”

In 2019, the College of Healthcare Information Management Executives (CHIME) outlined the biggest health IT security gaps facing provider organizations, in response to Sen. Mark Warner, D-Virginia, seeking comment on how to improve overall cybersecurity in the health care sector.

The burden to protect patient privacy falls solely on the shoulders of providers. Oft challenged by constrained resources and staffing challenges, connected medical devices and IoT pose even greater hurdles driven by struggles with patch management and data inventory.

“Real-time patch information loop is nearly impossible,” CHIME members stressed, at the time. “They have information about a ‘point in time,’ however most would not be aware of a vulnerability and thus a patch, until after a vulnerability scan is complete.”

“In some organizations that run scans 24 hours a day, a need for a patch may not present until 48 hours at the earliest,” they added. “The CIOs and CISOs suggested that while real-time patch status may be known for certain devices, it does not exist for many.”

What’s more, it may not be possible to eliminate all vulnerabilities even with an added cybersecurity investment.

Data inventory poses its own challenges: most are not as comprehensive as needed and often due to reasons outside of the provider’s control. CHIME also noted that many security leaders have reported routinely finding devices or apps that previously didn’t operate on the provider’s network.

Medical device security gaps are also caused by a lack of streamlined processes for procuring devices, IT, and systems across the enterprise. A 2018 CHIME-KLAS report found the average number of connected medical devices within the health care environment totaled about 10,000.

Security firm leaders have repeatedly reported that during assessments of health care environments, providers are routinely asked how many devices are operating on the network. The estimates are typically far fewer than the actual tally, by thousands of devices.

In fact, even a small hospital environment can host more than 150 device families, which can total thousands of medical devices.

Though it’s been two years since the CHIME report, much of the challenges facing health care entities remain the same. A 2021 Masergy report, sponsored by Fortinet, showed cloud and connected medical device security are the biggest IT challenges facing healthcare entities under the current landscape.

For Sehgal, the ongoing threat landscape and continued security gaps confirm the need for all health care providers to “go down a path of introspection.”

“With the spread of telemedicine in the last year, the care delivery model has changed," he said. "Many providers aren’t as concerned with brick and mortar to provide care,” said Sehgal. “The importance of assets is changing.”

Addressing the knowledge gap

The Armis report findings show multiple areas that reflect the state of IoT and conceptual understanding of health care device ecosystems. Sehgal explained most entities are aware that medical device security is a critical area, but the operational transition has not occurred.

There are several reasons for the delayed shift, including a knowledge gap on how to transition a medical device, IoT, or biotech strategy and implement it into a security environment. 

“It hasn’t manifested yet, due to resource issues and alert fatigue, as well,” said Sehgal. “There’s a massive amount of data coming over to these teams. They’re comfortable dealing with the switch to IT, but not with connected IoT, like infusion pumps. Many aren’t comfortable taking action, as there’s an overlap of roles and responsibilities.”

Education is another contributing factor, from both a regulatory and compliance perspective. Sehgal noted there’s also an imbalance in terms of understanding the risk devices pose to the enterprise itself, as well as overall patient safety and clinical risks.

IT or security teams don’t always understand the nuances of the security and communication of these devices. He explained that entities frequently consider the security of medical devices as an issue that exists – but primarily for other providers and that it’s less likely to occur within their environment.

As the former chief information security officer of Boston Medical Center, Sehgal has seen a shift in the focus hospitals place on security. Previously, data theft was the primary concern. But the threat landscape in recent years has forced providers to consider the impact security events will have on business operations and patient care.

With biotech roles emerging into security positions, there’s a simultaneous learning inertia with understanding how to create security to enable business operations.

For example, reverse engineering malware requires an entirely different skillset than leveraging security to enable business operations, he explained. A security or biotech team may focus on securing energy pumps, but fail to address the security of the elevator system.

“If the elevator system goes down, what will happen? They can’t manually move patients at scale. And that’s where the learning inertia comes in. Many health care campuses easily create new initiatives to increase bed capacity, improve water management, and automate building processes but fail to tackle key security needs,” said Sehgal.

“The goal is to secure the patient journey. But medical devices aren’t the only element these teams need to worry about,” he added. “Many simply don’t know how to properly prioritize. It’s about understanding risk tolerance from an enterprise perspective that includes cost and clinical safety, while ensuring doctors can work or deliver service if data is impacted.”

Awareness and security are getting better for many health care entities, but as a whole, the industry is not there. Sehgal noted that health care has moved to automate processes that were previously done manually, but many crucial elements are still being tackled using outdated, and oft ineffective methods.

The first thing Sehgal tells organizations, particularly smaller hospitals and critical care, is that they don’t need to tackle the device problem alone. These entities should leverage existing, trusted partnerships with IT providers or service vendors already contracted with the organization for insights into ways to address security gaps.

"Health care is very good at responding to unanticipated emergencies, but horrible at implementing planned situations."

Armis Strategic Product Director Sumit Sehgal

Contracting with a managed security service provider (MSSP) can also assist with filling knowledge gaps, as well as resources for vulnerability scanning, inventories, and other valuable security needs.

Combatting health care’s greatest threats

In health care, ransomware and data breaches frequently receive the most media attention. However, those are symptoms of health care’s security posture, not the cause. The cause is often system vulnerabilities or insiders, such as clicking on a malicious link in a phishing email or the exploit of a bad application.

“Ransomware is the condition that happens when you have poor cyber hygiene,” Sehgal stressed. “Ransomware isn't the problem: it’s a result of the issue.”

To get at the core issues, health care security teams need to understand their threat models, he explained. Every security team tackles the process in some way: assessing the risk process, figuring out functions, and testing processes and communications to determine how the enterprise will be impacted during a compromise.

For Sehgal, a more realistic threat modeling process from a security perspective will address the true impact of an event to create an impact scenario. When done correctly, incorporating baseline behaviors, a security team can achieve a full picture of the environment, its processes, and the impact of potential service disruptions.

In order for health care to move the needle on cyber hygiene and overall device security, security teams must first tackle accurate threat modeling.

The second focus area is to better understand clinical workflows, including inference diagrams and the communication pathways and functions of systems. Sehgal noted that this area is one of the sector’s greatest weaknesses: many don’t know the normal data pathways within the health care environment.

“It’s simply not addressed,” he noted. “So if two systems normally talk two or three times within an hour, and suddenly there are 800 instances within an hour, a security team must understand what is happening during that event.”

“The device ecosystems these teams have to protect is important. But what is normal for communication between devices? There first needs to be a baseline environment and how it functions to compare for when spikes occur or other nuances of change,” Sehgal added.

Technology can support the process, but it’s most effective when the team first addresses what’s normal in terms of clinical workflows.

The last key focus area is developing and implementing a response process, built on good threat intelligence from either the internal security team or an outside cybersecurity partner. However, there’s a vast difference between response and recovery – and what that means during a security incident.

The ability to swiftly respond to an incident can thwart long-time outages or further damage to the network.

To accomplish this, security teams need to have the authority and support to swiftly respond to abnormal activity. Sehgal stressed that it must come from the board level, with leadership empowering the security team to take hold of security events.

Looking ahead

For security, there are two things preventing the industry from moving the needle forward. First, there’s the mindset that asserts it’s not my concern, as it’s not happening to the entity or nearby providers.

As for the impact of medical device compromises on patient safety, Sehgal said there are certainly instances of exploits occurring in the wild. But with siloed departments, there are significant issues with accurate reporting between biotech and security teams.

Further, the majority of U.S. health care providers are driven by profit margins and costs.

“Health care is very good at responding to unanticipated emergencies, but horrible at implementing planned situations, as seen with the COVID-19 response compared with plans for mergers and acquisitions,” Sehgal said.

“The way health systems are structured, with many providers insuring their organization, it proves challenging to change behaviors,” he continued. “If I’m a CISO and I come to the board with a cyber risk that will cost $60,000, but the entity can self insure for a few million, it can simply absorb the risk costs rather than address the security issue.”

Sehgal sees a current shift in these processes, as the costs of attacks increase. For example, the Ireland Health Service Executive ransomware attack and ongoing seven-week outages will cost the country’s health system at least $600 million.

These massive outages and impacts on patient care should serve as a wake-up call to other providers. Entities impacted by cyberattacks hemorrhage money, as it disrupts operations and potential revenue, Sehgal stressed.

Additionally, the impact of modern day attacks is about much more than data loss and material impact. It boils down to understanding whether an entity can recover in a short amount of time.

Most entities, including those that have fallen victim, have backup plans and processes in place, which are routinely tested, explained Sehgal. However, those tests don’t go far enough for assessing what happens during an extreme event like ransomware, where secondary data centers can fail and paper documenting processes don’t go far enough to account for long periods of downtime.

To better tackle medical devices and overall health care security, entities should review detailed voluntary guidance previously provided by the Department of Health and Human Services. The detailed insights are tailored to the size and needs of the organization.

“You can’t boil the ocean. Over the course of several months, look at your IT strategic plan, and where you see operation margins headed as an organization. Focus on those key areas needed for care to reduce the scope,” Sehgal noted. “It allows you to understand the purpose of building a security architecture and the tasks become more manageable.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds