Beruflich Dokumente
Kultur Dokumente
HANDBOOK FOR
CONNECTED MEDICAL
DEVICES
THE RISK
MITIGATION
HANDBOOK FOR
Connected medical devices represent a huge challenge for
healthcare leadership. They are inherently vulnerable to cyber threats
and successful cyber attacks can have terrible consequences, yet
CONNECTED
traditional cybersecurity measures cannot be applied to these
devices, and may even risk interfering with critical clinical operations.
In this guide we explain the problem of connected medical devices
1
THE RISK MITIGATION HANDBOOK
FOR CONNECTED MEDICAL DEVICES
2
THE RISK MITIGATION HANDBOOK
FOR CONNECTED MEDICAL DEVICES
3
THE RISK MITIGATION HANDBOOK
FOR CONNECTED MEDICAL DEVICES
81%
compromised
32% 10–15
top concern devices per bed
81% of healthcare organizations 32% of healthcare organizations Hospitals maintain 10–15
reported they were compromised by say medical devices are their top connected medical devices per
a cyber attack in the past two years security concern bed, with over 3.7 million devices
in active use
5
THE RISK MITIGATION HANDBOOK
FOR CONNECTED MEDICAL DEVICES
Tier 1 Tier 2
Higher Cybersecurity Risk Standard Cybersecurity Risk
The device is: The device is: Software Vulnerabilities Authentication Networking
Capable of connecting to another Capable of connecting to another
medical or non-medical product, to device or network, but cannot
a network, or to the Internet directly harm patients
OR OR
A cybersecurity incident affecting Capable of directly harming patients
the device could directly harm one but cannot connect to a network
or more patients
Patient Safety Privacy Service Disruption
6
For more details on risk assessment, refer to the Second Phase below.
01 FIRST
PHASE
Understanding the Connected
Device Environment
7
01 FIRST
PHASE
Why Is It Difficult to Create an Inventory of ■ Devices are sensitive—active network ■ Large number and variety of devices—
Connected Medical Devices? scanning can disrupt medical device there may be tens of thousands of
operation, so you must use passive devices of different types, vendors,
You cannot simply run a network scan and identify medical discovery. and versions.
devices like you would on a regular IT network: ■ Invisible to network discovery tools— ■ Ongoing flux—devices are constantly
traditional tools will not discover the added, replaced, or removed from the
vast majority of connected medical network, often without involving IT, so
devices, or may falsely indicate that discovery needs to be ongoing.
the device is a Windows workstation.
Most connected medical devices do
not advertise their information, and
detecting them over the network
requires careful analysis of traffic at
the application layer.
9
01 FIRST
PHASE
Understanding the Connected
Device Environment
Step 1.
Discovery Focus on high quality data that can help
you determine risks and vulnerabilities.
Aim to build a database of medical devices with data In particular:
about each device.
█ Device type
█ Department and room
█ Vendor
█ Model
█ IP address
█ Operating system
█ Application software version
█ Latest security patch
Step 2.
Network Mapping and Clinical Context
Understanding a device’s network behavior lets you understand Clarify the clinical use of each device and, by extension, its
how exposed it is to external and internal threats. exposure to risks. This data can be extremely difficult to obtain
Try to obtain the following information for each of your without the aid of automated tools.
connected devices:
Clinical Context Information How It Can Help
What other devices does it Does it communicate Which connections to and from ■ Any security effort must avoid
communicate with? externally over the Internet? interfering with critical dataflows
this device are clinical data
transfers? Which are non-clinical ■ By recognizing clinical workflows, you
Does this device have Does the device need to
unnecessary access to other communicate with the device
communications such as control can accurately identify anomalies that
channels? could impact important information
devices, networks, or the vendor on an ongoing basis?
flows
Internet?
Are Internet communications ■ Devices with PHI are more likely to be
Does this device transfer or store
Is this device’s network normal for this type of device?
Protected Health Information targeted by cyber criminals
communication isolated in a
VLAN? Is this device’s Internet
(PHI)? ■ There is a need to secure data as well
communication isolated in a as the device itself
What types of protocols are VPN tunnel? ■ The device needs to comply with
used? relevant standards and regulations
Where does the device send Is the device directly involved in ■ Prioritize security efforts on
or receive Public Health patient care? For example, patient connected devices that are directly
Information (PHI) data, and involved in patient care or may
which type of PHI?
monitors, infusion pumps, and
cause direct harm to patients
pacemakers. Is it an FDA Class III
device (a device that sustains or
11 supports life)?
02 SECOND
PHASE
Risk Assessment
12
02 SECOND
PHASE
RISK ASSESSMENT
Once you have a better understanding of your connected medical
devices, and have built an inventory of the devices, their context,
and network behavior, you can use this inventory to assess the
risks affecting each device and their impact on the organization.
Step 1.
Identify Device Vulnerabilities and Remediation
Opportunities
Collect data about vulnerabilities for each of your device Just as important, discover the owner of the device and
models, operating systems, and application versions. your level of access for remediating security issues.
13
02 SECOND
PHASE
Risk
Assessment
Step 2.
Identify Network-Level Risks
Internet connection
Check if the device connects to other systems over the Internet,
for example to a third-party company or the manufacturer for
maintenance or updates.
Encryption
Check if the device transmits or receives unencrypted dataflows.
Non-secure protocols
Check if the device uses protocols that offer weak authentication,
no authentication, or have vulnerabilities.
14
02 SECOND
PHASE
Risk
Assessment
Step 3.
Identify Risk Severity
Ask yourself: What would be the impact of a successful cyber
attack on each of your devices? Unlike attacks on healthcare IT
systems, the impact of an attack on connected devices is not
limited to data security and privacy. A successful cyber attack Patient Safety Privacy Service Disruption
could disrupt clinical care and cause direct harm to patients.
We recommend identifying risk severity according to the FDA Class I Medical Device does not Device failure cannot
three impact metrics in the CVSS risk calculation: Device; low-to- store PHI disrupt patient care
moderate risk to the
Low
■ Confidentialit y— corresponds patient or user
to the risk exposure of Protected
Health Information (PHI) stored in or
transmitted by the device FDA Class II Medical Device stores a small Device failure can
■ Integrity—corresponds to the risk to Device; moderate-to- amount of PHI for a disrupt patient
Medium
patient safety for devices directly used high risk limited time period care but not critical
in patient care around a test or medical treatment
treatment
■ Availability—corresponds to the risk
of service disruption
FDA Class III Device; Device stores large Device failure can
high risk, devices that amounts of PHI disrupt critical medical
sustain or support across multiple tests treatment such as
High
life, are implanted, or or treatments surgery, respiratory
A successful cyber attack could disrupt present high risk of
illness or injury
equipment, or delivery
of life -sustaining
clinical care and cause direct harm to medication
patients.
15
03 THIRD
PHASE
Protecting
Connected Devices
16
03 THIRD
PHASE
PROTECTING
CONNECTED DEVICES
The advantage of our structured process for discovery and risk
assessment is that you can rank devices according to the risks
they represent. Each device should have a risk impact score (for
patient safety, privacy, and service disruption).
Your organization can define an acceptable level of risk, and the
security team can focus on protecting devices whose risk score
is beyond the acceptable level and apply the appropriate security
measures to devices with different risk scores.
Step 1.
Device Hardening
As with any computing device, you must make sure connected Challenges with Hardening Medical
medical devices have the latest security patches and software Devices
upgrades. Configuration must be hardened to enable secure
authentication, close unused ports, limit unnecessary functions ■ Windows security patches need to be
and in general, reduce the attack surface. verified and approved by the device
manufacturer
Most medical devices run on a Windows operating system. However,
applying a patch is not as simple as with a workstation or Windows ■ Clinical engineering must verify
server. patches or updates that do not impact
the functionality of the medical device
Guidelines
18
03 THIRD
PHASE
Protecting
Connected Devices
Step 2.
Network Isolation
A key strategy to securing connected medical devices is to isolate Considerations When Isolating
them, as much as possible, from non-critical clinical communications, Medical Devices
to limit the attack surface. This has two components:
■ Isolate clinical data flows from non-
■ Defining network segmentation to clinical data flows
ensure connected medical devices
■ Clinical communications are essential,
can only communicate with devices or
but any other communication should
systems that are part of their clinical
be blocked
process
■ Blocking external communication to
ensure connected medical devices
never connect to the Internet, unless Guidelines
this is needed to communicate with the
device vendor or other known entities ■ Set strict access policies and network
segmentation to restrict non-essential
communications to/from devices
■ Set segmentation policy to address
risks and vulnerabilities discovered in
your impact analysis
■ Block the device from connecting to
the Internet unless absolutely needed
for the device to function, and only to
known entities
Step 3.
Incident Detection and Response
It is impossible to protect most connected medical devices from Considerations When Monitoring for Guidelines
all potential threats because there will always be critical legacy Security Incidents
devices that cannot be replaced and cannot be fully patched or
isolated, meaning you can limit the attack surface but not eliminate ■ Use passive monitoring such as a ■ Continuously monitor all devices, with
it. In addition, isolation can be a long process, and in the interim, network TAP or mirror port to avoid special emphasis on those with a high
some devices will remain vulnerable. This is why it is critical to interrupting device operations risk score
monitor devices and immediately detect and alert when unusual
■ Leverage information you collected ■ Establish a strategy for comparing
activity takes place.
about the clinical context of each ongoing communication to normal
device to understand what represents clinical communication
normal clinical communication
■ Alert security on any major deviation
■ Compare current behavior to vendor from normal behavior
specifications, past behavior, and
■ Integrate with third parties that can
to the behavior of a peer group of
help perform speedy remediation via
devices in your environment and in
remote action, such as on-demand
other organizations
network segmentation
Step 4.
Metrics and Analytics
Medical device cybersecurity is a long process, which must be
maintained and improved over time to adapt to a changing threat
landscape.
Tracing your progress can help you understand if you are moving
in the right direction and make corrections if your work is not
improving the security situation.
Create a scorecard for medical Set KPIs based on risk of important Identify activities and strategies that Collect data about risk indexes
devices with a timeline of risk scores, devices and monitor improvement; improved KPIs and reduced overall and historical behavior of devices,
ensuring risk is reduced over time tie the KPIs to business goals like risk indexes and use it for better procurement
patient safety and service availability decisions
to get buy-in from leadership
21
19
THE RISK MITIGATION HANDBOOK
FOR CONNECTED MEDICAL DEVICES
22
Thank You!
w w w.cynerio.com