Major Report: Unsecure Medical Devices Need A Fix

Mike Simon

CTO

Healthcare organizations are vulnerable to network intrusions through unsecured devices on their networks. There’s no unified solution yet, as Joseph Marks at the Washington Post reports:

A government-backed coalition of hospitals and medical device manufacturers took matters into their own hands on Monday. They released a 53-page “joint security plan” outlining a slew of low-hanging fruit protections manufacturers should implement and hospitals should demand.

That’s 53 pages you probably don’t have time to read. Since this is about the Internet of Things, CI Security Chief Technology Officer Mike Simon breaks it into the 4 THINGS SECURITY PROFESSIONALS NEED TO KNOW:

Thing 1: The Devices Are Not Secure

Medical device manufacturers are producing devices and systems which do not conform to generally accepted cyber security standards. While that may be a “no duh” to most professionals, it is remarkable because healthcare orgs and device manufacturers have agreed to say it in a detailed and public report.

Even if good secure development and testing practices are followed, vulnerability monitoring and patch management are critical to the safe operation of medical devices.

Achievement of security goals is a process, not a state of being. The document spends time on how to use a capability maturity model (CMM) to evaluate progress towards these goals.

Thing 2: Uh Oh, You Likely Have New Liability

The report establishes a new baseline for federal expectations about how medical device manufacturers operate and how healthcare providers use the devices.

The authors go out of their way to say this is not a regulatory document or standard. Suuuure, tell that to the lawyer of a person injured by a breached IoT pacemaker.

In a court of law, when deciding liability, the court will be presented with both regulatory requirements and non-regulatory documentation which support statements about “best practice” and reasonableness. This document means there’s new liability.

Thing 3: Structured Security Plans Matter

Line 1440 of the report: As a healthcare provider, you _may_ create similar organizational structures.

Appendix H is how this panel of experts imagines what a well-structured cyber security program looks like. They are not wrong.

As a healthcare provider, you MUST already have similar organizational structures. To meet the demands of HIPAA and HITECH, any healthcare organization will have (per the JSP document’s list):

  • Governance, including a chief cyber security office(r)
  • Security staff
  • Incident Response
  • Program Management
  • Cyber security testing


Thing 4: Healthcare is Unique, Standards are Not

There’s a welcome focus on standards from the ISO, CMMI, MITRE and NIST. There’s nothing revolutionary in the proposed use of these standards, but there is a focus on managing the entire lifecycle of medical devices from a security viewpoint and on using a common vernacular to describe device security.

This focus on standards which are NOT healthcare-specific sends a subtle message: the way to produce and manage secure devices is not unique to healthcare. Standard methods and governance structures can be applied and work well. What is unique to healthcare is the potential impact of failure, and the predominance of high-impact, unmanaged devices which do not conform to the corporate network hardware and software models.

Summary

Two main points come from this report: a universal acknowledgement that the devices now in use in healthcare environments are not secure enough, and that the path to securing them is clear but will be bumpy and muddy.

Anyone in a healthcare environment needs to have someone monitoring their network. Until the devices are more secure, the vulnerability is too great.

A Managed Security Service Provider (MSSP) and Managed Detection and Response (MDR) both provide solutions.

  • MSSP: If a device is breached, you’ll get an alert (likely lots of alerts) and need to check them all out. Now that you likely have more liability, you’ll need a bigger security staff.
  • MDR: You’re hiring a Security Operations Center to watch any anomalies on your network, catching odd behavior from unsecured devices. A real person will look over the anomalies and alert you to the few that need to be mitigated.

If you’re interested in MDR as a solution for IoT, check out these links: