Securing medical devices is becoming increasingly crucial as threat-actors are growing more and more hostile and continuously targeting healthcare organisations. Connected devices and life-saving machines, such as those providing direct patient care, ancillary care support devices and critical operating technologies and control systems are essential to securing the patient journey. These devices are vital to ensuring patient safety and delivering the best possible quality of care, which is why it is important that the health industry deploys proper security; especially as any attacks on medical equipment can potentially lead to loss of life.
Due to increased connectivity, the healthcare device ecosystem now expands to include all elements of healthcare organisations’ technology infrastructure, enlarging the cyber-threat landscape along with it. As a result, healthcare organisations are having to implement higher security and follow regulations and technology standards in order to protect themselves, their patients and their data. This must be done efficiently and quickly without impacting overall patient care and experience.
With the growing threat of attack, there are some best practices and guidance that health services around the globe should follow to enhance their information security and organisational resilience.
Turning regulatory requirements into health industry security strategy
Regulations and certain technology standards are a necessary part of building a strong cybersecurity culture within healthcare organisations. They must ensure they manage issues like certification criteria, compliance schedules, non-compliance penalties and overlapping requirements. By following these, healthcare providers are able to shape their security strategies to cover the following:
Risk management: When it comes to risk management healthcare organisations are both compliance-based and focused on clinical outcomes and patient safety. Within the NHS, organisations risk is articulated by the maintenance of medical device software and the segmentation and security control deployment. That being said, a majority of organisations have varying compliance levels driving their security technology adoption. As such, risk needs to be standardised within this industry, before healthcare organisations begin using threat-related data sets for emergency management and business continuity planning.
Regulation overlapping: Overlapping regulation requirements give health organisations the opportunity to invest in and prioritise different elements of their security strategy. This way, they can improve their incident response and stretch costs.
Real-time data: Despite most health organisations having executive-level risk support, this appears to mainly focus on information security data as opposed to medical devices and infrastructure. Unfortunately, many still lack the necessary real-time analysis into vulnerabilities in medical devices and systems, their behaviour and the operational workflows. In addition, many organisations continue to use legacy monitoring equipment with new imaging modalities, which enhances the need for vulnerability management.
Balance device security with patient care
Considering the fact that medical device security is heavily reliant on IT, healthcare organisations are having to understand the operational implications of implementing adequate cybersecurity without impacting patient safety. In order to effectively estimate response time to emergencies and security incidents, organisations within the health industry must focus on baselining business continuity metrics for data loss and system downtime. Knowing how long people take to complete machine maintenance tasks is a vital part of the process of improving cyber resilience.
Leveraging utilisation data to improve threat modelling
Utilisation context is not only critical to driving security incident and response, but also to monitoring clinical workflows, analysing device utilisation, enhancing efficiency of clinical procedures and assuring the integrity of clinical data. In order to secure themselves, healthcare organisations must minimise alert fatigue and response time. It is vital they focus their efforts on real-time reporting and IT operations integrations to optimise their security.
Delivering contextual recovery and response
Healthcare teams must combine CVE knowledge with safety recall data in order to securely utilise new technology and connected systems. Connecting legacy devices to other assets and networks leaves them vulnerable to cyber-attacks, which is exacerbated by the fact that these devices are susceptible to vulnerabilities. In the worst-case scenario, devices with firmware such as implants or pacemakers, that don’t have the capacity to install security software, could even be life threatening.
Reducing the impact of cyber-attacks on healthcare
In order to reduce the impact of cyber-attacks, healthcare organisations must have solid risk frameworks and efficient response tactics and threat models. This can be done by prioritising simulations and testing workflow disruptions and system outages. This will help healthcare and IT teams to better understand their risk telemetry, how long their systems take to recover, and the user impact of degraded performance. By following these steps, organisations will be better prepared to defend themselves against and mitigate any impact from cyber-attacks on their systems.
UK healthcare organisations are already on the right path to building a strong cybersecurity culture, however there are still ways to go. It’s a common mantra within the cybersecurity community that you cannot protect what you do not know. Ultimately, visibility is an integral part of securing an organisation’s assets, particularly within the healthcare sector where neither patient care nor security should be sacrificed. Being aware of all devices on the network and how they are behaving will help healthcare organisations identify suspicious behaviour and detect and stop attacks before they can evolve.
By Oscar Miranda, Chief Technology Officer for healthcare at Armis
