Photo: Mayo Clinic
Within the last year, healthcare organizations have been proactive in their efforts to align the health industry’s cybersecurity efforts to include medical device security.
Healthcare giant the Mayo Clinic in Rochester, Minnesota, has evaluated and operationalized medical device security technology. It found limitations with traditional cybersecurity solutions, a need for a more targeted technology and best practices for implementing a medical device security solution.
Areas found most successful include defining mission, goals and objectives; determining needs; and aligning to a framework and security solutions.
In his upcoming HIMSS21 educational session, “Securing Medical Devices: Best Practices,” Kurt A. Griggs, manager of information security at the Mayo Clinic, will discuss what the medical device ecosystem is like today, what some of the differences are between medical devices and traditional IT devices, the Mayo Clinic’s approach to securing medical devices, and best practices the clinic has developed.
The medical device ecosystem
The healthcare digital transformation is revolutionizing the medical industry and is transforming today’s medical device ecosystem, Griggs said. The ecosystem is expanding and becoming an environment comprising an increasing number of medical devices and applications that connect to healthcare information systems using networking technologies, he added.
“The transformation is generating rapid advancements in mobile healthcare, big data, virtual reality, smart devices like wearables and medical/vital monitors, predictive healthcare, and artificial intelligence,” he noted. “With these advancements, new technologies are emerging, and manufacturers are developing new and innovative medical devices.
“These devices increasingly are more connected to hospital networks, other medical devices and the Internet,” he continued. “In addition, they are getting smaller, have more computing power, and are increasingly unable to function as standalone appliances.”
These technological advances are improving healthcare, driving better patient outcomes and transforming the medical device ecosystem, he said. However, one must realize connected medical devices are vulnerable to cyber threats and security breaches, which can potentially impact the safety and effectiveness of the medical equipment, he added.
So, in addition, to the positive changes occurring to the medical device ecosystem, there also are new cybersecurity risks being introduced, he said.
“This entire transformation is creating opportunities for healthcare organizations, medical device manufacturers and third-party vendors to work collaboratively to develop new and innovative methodologies to manage medical devices and mitigate the cybersecurity risks,” he said.
Medical devices versus traditional IT devices
In many respects, medical devices appear to be like traditional IT devices. Both use an operating system, may run other software applications, can be connected to a network or other components, and are susceptible to cybersecurity threats.
Therefore, it often is assumed the methods to identify, protect and secure medical devices are the same as those used for traditional IT devices, Griggs noted. This is not necessarily true, and is illustrated in various ways, he said.
“First and foremost, many medical devices have a direct impact on patients and present a significant risk if knocked offline or brought down,” he explained. “Further, medical devices are federally regulated, and the ability to apply controls often is subject to the approval of the medical device manufacturer.
“Medical devices can function for years and are generally not replaced as frequently as traditional IT equipment,” he continued. “These devices are referred to as legacy equipment and often lag far behind the technology advancements occurring with networking and cybersecurity.”
As a result, there are large volumes of medical devices that are incapable of using the latest network security functionality (for example, agents and certificates) or are unable to accept certain types of security controls (for example, changing default passwords or applying antivirus). Also, many medical devices are sensitive to unusual network activity and are easily tipped over, limiting the ability to perform vulnerability scans.
“Finally, medical devices are very specialized and require skilled technicians with clinical engineering degrees and/or specialized vendor training to service, maintain and secure,” Griggs said. “Overall, there are significant differences between medical devices and traditional IT devices, and, if not managed properly, present a substantial risk to patient outcomes.”
Mayo Clinic’s approach to securing medical devices
Mayo’s approach to securing medical devices is risk-based, proactive and repeatable.
“It focuses on assessing the out-of-box risks associated with new equipment, developing a means to mitigate these risks and automating the workflows,” Griggs explained.
“All in all, it is designed to limit and control cyber risks prior to connecting medical devices to the network and creating a mechanism to begin tackling the job of securing the large numbers of legacy devices in our environment. Furthermore, it is fully adaptable to manage new vulnerabilities.”
On the best practices front, the one most noteworthy best practice developed by Mayo is the Security Lifecycle Profile or SLP, Griggs said.
“An SLP is a living document that records all identified risks associated with a specific medical device, based on make, model and operating system,” he concluded. “SLPs are maintained for each asset and used as a checklist to track the application of mitigating controls. In addition, the SLPs also are used to develop device, model and fleet-level risk scores.”
Griggs will offer more detail during his HIMSS21 session, “Securing Medical Devices: Best Practices.” It’s scheduled for August 12, 1:15-2:15 p.m. in Venetian Lando 4301.
Email the writer: [email protected]
Healthcare IT News is a HIMSS Media publication.
Source: Read Full Article