Why you should hire a medical device security engineer

Leon Lerman, Cynerio co-founder and CEO explains why having one single person ultimately responsible for securing medical devices ensures patient safety is always at the top of the agenda.

The number of vulnerabilities, ransomware cases and cyberattacks being identified on healthcare organizations is on the rise, and therefore protecting medical devices is becoming a high priority. Today, even basic everyday attacks on hospitals that aren’t specifically targeting medical devices can threaten patient safety due to the vulnerable nature of the devices used within these organizations that were not built with security in mind. 

However, securing medical devices is complicated. It requires collaboration between experts who understand enterprise security and biomedical engineering, as well as being familiar with medical devices. Hospitals often don’t have full visibility into all of the devices on the network and therefore devices are often hidden and as a result can’t be managed. Additionally, practitioners who are already stretched to the limit providing patient care are often unaware of security procedures or are reluctant to slow down patient treatments by following them. For example, caregivers often share passwords because looking up a forgotten password takes up valuable time. According to a Ponemon Institute study the vast majority (80 percent) of device makers and healthcare delivery organizations rate the level of difficulty in securing medical devices as “very high.”

By appointing a Medical Device Security Engineer (MDSE) hospitals can have one person ultimately responsible for protecting medical devices. A MDSE should have a background in both biomedical devices and enterprise cybersecurity and is responsible for interfacing with the different departments within the healthcare organization to define, communicate, and enforce medical device security policies.  Because there are new recommended policies, new medical devices and new tools to discover and manage being introduced all of the time, the duties of an MDSE are constantly evolving. Based on the current realities though, here are some duties that everyone can agree on.

Educate

Perhaps the most important duty for the MDSE is to raise awareness of the potential risk and convince all the stakeholders to get on board including caregivers, biomed technicians, procurement and IT. An MDSE needs to be an excellent communicator who understands the unique perspective of every person involved in order to convince them to change their habits to be more security aware. Sample duties include educating procurement to avoid those devices with a high security risk, convincing doctors that they need to give up on their favorite products because they are not secure, informing suppliers that obsolete operating systems with vulnerabilities are no longer tolerated, and fostering collaboration between biomed and IT departments to share medical device knowledge and expertise.

Keep a complete and current inventory

Managing the enormous inventory of medical devices in circulation, such as glucometers and intravenous pumps is no small task, especially as their numbers are growing and more devices are being connected to the network. An MDSE needs to ensure that the medical organization has full visibility for all devices, even those added to the network by vendors on a trial basis. It’s very important to understand where the medical devices are and what their role is in medical workflows and clinical processes. This understanding really helps the security professionals to understand the importance of the device, prioritize the risk accordingly and apply the right controls to properly protect the assets and their communications without interrupting hospital operations.

Do a risk assessment

Each device on the network needs to have the relative risk assessed. This assessment needs to take into account not only the device itself but also the wider ecosystem which connects to the device - including gateways, interface engines, terminal servers, workstations etc. Devices’ characteristics that the MDSE needs to know include if patient information is stored on the device, if treatment decisions are based on data generated by the device, the level of authentication used, if the device connects directly to the vendor’s network to do upgrades and maintenance, if the device can be patched when a security vulnerability is identified, and if communications over the hospital’s internal network are encrypted. This includes properly prioritizing the risks and deciding on a proper action plan to perform remediation.

Adhere to industry standards

An MDSE needs to be aware of technical standards at the industry level and have a full understanding of the regulatory landscape. This includes knowing Food and Drug Administration (FDA) and Office of Civil Rights (OCR) best practices and manufacturer disclosure policies. This also includes keeping up to date with The Medical Device Innovation, Safety and Security Consortium (MDISS) which provides coordinated information and analysis to support timely response activities and of course HIPAA (Health Insurance Portability and Accountability Act of 1996) privacy and security rules.

Implement preventive measures

The MDSE needs to take all preventive measures necessary to respond to all known device vulnerabilities. Patches should be applied when available, and compensating controls should be put into place to limit devices’ exposure – this includes access control lists and network micro segmentation. All controls should be continuously evaluated to ensure that they continue to lower the organization’s risk over time.

An MDSE has a lot to do to pack into a single position, but there are tools that can help minimize mundane tasks and improve efficiency. Monitoring tools can automatically identify and classify devices on the network and assist with risk assessments. Clinical workflows and device communications can be modeled, and device behavior can be monitored so that suspicious behavior can be identified, and the appropriate personnel can be alerted.

Having one single person ultimately responsible for securing medical devices ensures that patient safety is always at the top of the agenda. By being equipped with the necessary tools, having the right security and biomedical knowledge and support from management, an MDSE can make securing medical devices a reality.