
Medical Device Security 2018
What Are the Greatest Challenges, and How Can They Be Overcome? A KLAS/CHIME Benchmarking Report


While funding and strategy development have increased for security overall, healthcare organizations are bombarded from all sides by security attacks. Due to the patient-safety risks, many feel particularly vulnerable when it comes to medical device security. This report—a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), KLAS, and provider organizations—aims to examine the current state of the industry and identify best practices for improvement. 148 interviewed provider organizations shared how confident they feel in their medical device security strategies, the most common challenges they face, and the best practices they leverage to overcome medical device security challenges.



About KLAS and CHIME

Using the voice of healthcare software and services customers, KLAS has measured healthcare IT vendor performance since 1997. Today, KLAS collects and publishes customer feedback on over 800 products and services. Roughly 30,000 providers work with KLAS each year. Since healthcare IT is often a nuanced and complex discussion subject, over 98% of KLAS research is collected in live conversations over the phone, to ensure accuracy and clarity. All interviews are strictly anonymous, and participants are granted broad access to the feedback of other participants. Vendor access to KLAS’ findings is available through subscription and individual report purchases.


The College of Healthcare Information Management Executives (CHIME) is an executive organization dedicated to serving chief information officers (CIOs), chief medical information officers (CMIOs), chief nursing information officers (CNIOs) and other senior healthcare IT leaders. With more than 2,700 members in 51 countries and over 150 healthcare IT business partners and professional services firms, CHIME provides a highly interactive, trusted environment enabling senior professional and industry leaders to collaborate, exchange best practices, address professional development needs, and advocate the effective use of information management to improve the health and healthcare in the communities they serve. For more information, please visit chimecentral.org.


The Association for Executives in Healthcare Information Security (AEHIS) was launched in 2014 to provide an education and networking platform to healthcare’s senior IT security leaders. With over 850 members, AEHIS is advancing the role of the chief information security officer (CISO) through education, collaboration, exchange of best practices, and advocacy in support of secure health information for the protection of both healthcare organizations and consumers. For more information, please visit aehis.org.



Patient Safety a Top Concern with Unsecured Medical Devices

Citing patient safety as a top concern, most respondents are neutral about or not confident in their current medical device security strategy, with CISOs and CIOs more likely to report concern. The most common frustrations for unconfident organizations are the limitations placed on them by a lack of needed support from device manufacturers, including manufacturer recommendations that may conflict with the need to effectively deliver patient care. Almost as common are internal issues related to basic—but hard-to-master—security tasks, such as understanding what assets exist in their organization, which have been patched, which are connected to their network, and what systems those devices are talking to, all issues that get addressed as organizations develop their medical device security programs. About one-fifth of respondents feel that the inherent risks of medical devices—several of which are outside of their control—will prevent them from ever feeling confident.

The 39% of respondents who express confidence in their device security strategy’s ability to protect patient safety most often point to their security processes and policies—including access limitations, network segmentation, and regular device monitoring and risk assessment—as the source of their confidence. To support these processes and policies, many leverage security technologies, such as access controls, asset tracking, firewalls, and medical device monitoring. Strong executive support (financial and organizational) and cross-department collaboration also drive confidence, as evidenced by the fact that large IDNs, who more commonly have greater financial resources, are more likely to be confident in their strategies.



Root Causes of Medical Device Security Struggles


Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers. Yet regardless of their level of confidence, interviewed organizations are almost unanimous in citing manufacturer-related factors as a cause of their medical device security issues. A CISO explained, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.”


Manufacturer-Related Factors: Legacy Medical Devices a Universal Challenge


There is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. As a result, nearly all interviewed organizations have struggled with out-of-date operating systems or the inability to patch a device throughout its expected life cycle. Currently, many manufacturers do not allow customers to patch devices themselves (or void warranties if they do). Insufficient security controls, insufficient encryption, and hardcoded passwords are each cited as manufacturer-caused issues by about half of respondents. Adding to provider organizations’ frustration, on average, almost one-third of medical device vendors decline to offer contract provisions favorable to security. However, some manufacturers have been receptive to standardized security contract language proposed by forward-thinking provider organizations, a practice becoming more commonplace in the industry.



Organizational Factors


Poor Asset Visibility & Ambiguous Security Ownership the Top Challenges


Aside from manufacturer-caused issues, there are also organizational factors that hinder better medical device security. In this research, organizations most often highlight poor asset/inventory visibility and ambiguous security ownership. Organizations may be at serious risk if they lack visibility into what devices are connected to their network or what information is being sent and received by those devices. Additionally, shared ownership of medical device security can create confusion, and organizations with shared ownership are less likely to report confidence in their security strategy’s ability to protect patient safety. As one CISO explained, “When everybody is in charge, nobody is in charge.” Difficulties in these two areas often stem from a lack of adequate resources—whether that be in the form of staff shortages, budget constraints, process issues, or inadequate technology.


Organization Best Practices


Foundational Defenses: Technology & Due Diligence
The process of securing a medical device begins before the device is even installed and consists of due diligence overseen by solid governance and clear ownership. In completing their due diligence, organizations must perform risk assessments, ensure the inclusion of security provisions in their contracts, and ensure they receive a software bill of materials. Once the device is in place, network segmentation, antivirus software, and vulnerability scanning are some of the most common and basic technologies used to mitigate risk. By disconnecting medical devices that have no clinical need for network access, organizations reduce their attack surface and limit the impact of a security event.
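The due-diligence step above asks organizations to obtain a software bill of materials; the useful follow-on is to check what it lists against a policy of the organization's own. The script below is an added example, not from the report and not any manufacturer's or vendor's tooling. The SBOM is a constructed CycloneDX-style document for a hypothetical device, and the policy values (minimum versions, end-of-life operating systems, prohibited components) are hypothetical thresholds, not a vulnerability database.

```python
"""Check a received medical-device SBOM against a local acceptance policy.

Added example, not from the KLAS/CHIME report or any manufacturer.
The SBOM below is a constructed CycloneDX-style document and the policy
values are hypothetical thresholds, not a vulnerability database.
"""
import json
import re

# Constructed SBOM for a hypothetical device (component names and versions are illustrative).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "Infusion pump controller", "version": "3.2.1"}},
  "components": [
    {"type": "operating-system", "name": "windows-embedded-standard", "version": "7"},
    {"type": "library", "name": "openssl", "version": "1.0.1e"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "application", "name": "vnc-server", "version": "4.1.3"}
  ]
}
"""

# Constructed acceptance policy: what this organization will and will not accept on
# its clinical network. The numbers are hypothetical, chosen to illustrate each check.
POLICY = {
    "minimum_versions": {"openssl": "1.0.2", "zlib": "1.2.11"},
    "end_of_life": {"windows-embedded-standard": ["xp", "7"]},
    "prohibited": {"vnc-server": "unauthenticated remote-access service not permitted"},
}


def parse_version(text):
    """Split '1.0.1e' into comparable parts. Numbers compare numerically and a
    letter suffix sorts after the bare number, so 1.0.1e < 1.0.2 and 1.0.2 < 1.0.2a."""
    parts = []
    for token in re.findall(r"\d+|[A-Za-z]+", text):
        parts.append((0, int(token)) if token.isdigit() else (1, token.lower()))
    return tuple(parts)


def review_sbom(sbom_text, policy):
    """Return a list of findings; an empty list means the SBOM meets the policy."""
    sbom = json.loads(sbom_text)
    components = sbom.get("components", [])
    findings = []
    # An SBOM that names no operating system cannot be assessed for the
    # out-of-date-OS problem the report describes, so flag that up front.
    if not any(c.get("type") == "operating-system" for c in components):
        findings.append({"component": "(none)", "version": "",
                         "reason": "SBOM lists no operating-system component"})
    for comp in components:
        name, version = comp["name"], str(comp.get("version", ""))
        floor = policy["minimum_versions"].get(name)
        if floor and parse_version(version) < parse_version(floor):
            findings.append({"component": name, "version": version,
                             "reason": f"below required minimum {floor}"})
        if version.lower() in (v.lower() for v in policy["end_of_life"].get(name, [])):
            findings.append({"component": name, "version": version,
                             "reason": "end-of-life operating system"})
        if name in policy["prohibited"]:
            findings.append({"component": name, "version": version,
                             "reason": policy["prohibited"][name]})
    return findings


if __name__ == "__main__":
    for finding in review_sbom(SBOM_JSON, POLICY):
        print(f"{finding['component']} {finding['version']}: {finding['reason']}")
```

Run against the constructed SBOM, the review flags the end-of-life operating system, the OpenSSL build below the required floor, and the prohibited remote-access service; zlib passes. In practice the policy would be kept in version control alongside the contract security provisions so that purchasing, biomedical engineering and information security are checking the same thresholds.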


Patching Strategies
Out of necessity, organizations are resourceful when it comes to patching. They actively reach out to vendors to find out when patches are available; sometimes they patch devices themselves, and sometimes they have the vendor do it for them. They have also begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.


Third-Party Software and Services
Nearly 75% of respondents use or plan to use third-party software or services to improve medical device security. Network access control (NAC) is most often used to segment networks and approve/deny access. Cisco is used most widely, followed by ForeScout and Aruba. To reduce costs and clearly define ownership, other organizations outsource their clinical engineering. Traditional clinical engineering vendors Aramark, Sodexo, and TRIMEDX have begun to also be used for device security. Some respondents use vulnerability-scanning tools from Tenable and Qualys. Up-and-comers CloudPost and Zingbox are gaining traction, offering comprehensive security platforms that help with network discovery, anomalous-behavior detection, blacklisting, and microsegmentation.


Overall Healthcare Security Trends




ABOUT THIS RESEARCH

This report constitutes KLAS’ first look at the current state of medical device security and the strategies and technologies provider organizations are using to tackle this increasingly important challenge. The research was produced through a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), KLAS, security professionals at provider organizations, and other healthcare-provider executives with the goal of answering the following questions:

  • How confident are provider organizations in their medical device security programs?
  • What are the main challenges provider organizations face in securing their medical devices? Which of these challenges are created by device manufacturers, and which stem from issues internal to the customer organizations themselves?
  • How are provider organizations tackling medical device security challenges, and what third-party technologies and services are they leveraging to help with their medical device security programs?
To answer these questions, KLAS conducted 148 interviews with chief information security officers (CISOs), chief information officers (CIOs), chief technology officers (CTOs), and other professionals at provider organizations across the country. To ensure that the gathered feedback represented the largest possible number of impacted clinicians and patients, the interviews were conducted mainly with individuals from hospitals and integrated delivery networks (IDNs). Additionally, some input was gathered from midsize and large physician practices (11+ physicians).

For the purposes of this report, medical devices are defined as biomedical devices used by healthcare-delivery organizations in the pursuit of patient care. This definition excludes patient-use devices (such as pacemakers) as well as non-biomedical devices (such as laptops and tablets). The average per-organization number of medical devices cited in this report refers specifically to connected devices, though respondents’ comments and feedback regarding their security strategies, struggles, and best practices often encompass both connected and unconnected medical devices.


INTRODUCTION

Security attacks bombard healthcare organizations from all sides, and the security of medical devices—specifically those connected to organizational networks—is an area in which many organizations feel particularly vulnerable given that security breaches involving medical devices have the potential to jeopardize both patient safety and the privacy of patients’ protected health information (PHI).

In attempting to secure their medical devices from attack, provider organizations encounter several challenges. First, medical devices generally have long expected product life cycles, making it difficult for provider organizations to secure unpatched or out-of-date devices and for manufacturers to maintain security after a device is introduced to the market or has been used for longer than the manufacturer intended. Second, while the FDA has released pre- and post-market guidance regarding medical device security, manufacturers have been slow to indicate to customers that security is a priority. One indicator of this is the lack of strong security provisions in their contract language—there are few incentives for them to add such provisions and few consequences when they don’t. When a breach occurs, it is largely the provider organizations that must deal with the fallout, including financial penalties, bad press, and damaged patient relationships.

With this report, CHIME, AEHIS, and KLAS hope to provide clarity regarding how organizations are addressing medical device security through people, processes, and technologies and how the challenges can best be addressed by provider organizations, the manufacturers, and the government.

PATIENT SAFETY A TOP CONCERN WITH UNSECURED MEDICAL DEVICES

18% of interviewed organizations have had medical devices impacted by malware or ransomware in the past 18 months. While few of these events have compromised PHI or required government intervention through an audit by the HHS Office for Civil Rights (OCR), only 39% of respondents feel confident or very confident that their medical device security strategy protects patient safety and prevents disruptions to patient care. While provider organizations have made headway in developing and maturing their overall security programs—a difficult and time-consuming process—progress has been slow, particularly when it comes to securing medical devices.

As shown in the charts below, a respondent’s confidence level can be influenced by his or her job level and organization size. Executives are slightly less confident than other respondents. This is sometimes caused by the fact that C-levels have access to a more holistic view of their organization’s security and are therefore aware of threats that siloed departments might not know about.

Smaller organizations, such as clinics and community hospitals, are less confident than larger organizations. Large IDNs are likely to have more funding to use for investing in their security programs and implementing advanced security technologies. In fact, a higher percentage of larger organizations either currently use or are planning to implement third-party software to help manage and secure their medical devices, the impact of which KLAS intends to measure in future research. Additionally, larger organizations are more likely to be targeted by cyberattacks, so many of them have more mature security programs and have already adopted standardized security policies and procedures. Finally, due to their size, larger organizations typically have more power to negotiate contract language with their medical device vendors. Smaller organizations may not have such influence unless they are aligned with a nearby IDN or group purchasing organization (GPO).

Top Reasons for Confidence in Medical Device Security

Examining the reasons behind confident organizations’ success can help other organizations improve their own strategies.

Confident organizations most frequently cite solid security processes and policies as the source of their assurance. The processes and policies mentioned include allowing only authorized users to access medical devices, regularly monitoring and assessing device risk, and having network segmentation. A VP of information security shared, “We are very confident in our security strategy. . . . We have a risk-assessment process, and we don’t allow things to come in from a device if we haven’t evaluated it. That process doesn’t fix all of the old skeletons in our closet, but it stops any problems from getting worse. We are doing a really good job at assessing the risks so that we can mitigate and document them.” Organizations highlight the fact that simply having security procedures and policies in place is not enough—success comes only if the entire organization is bought in to these processes.

Another frequently mentioned driver of confidence is having strong security technology, an area in which larger organizations are more likely to have the financial resources to invest. Much of this technology—including firewalls, antivirus software, network access control (NAC) solutions, asset tracking/management, and medical device monitoring—focuses on identifying and mitigating medical device vulnerabilities. A manager of cybersecurity shared, “We have strong compensating controls to protect devices and the integrity of patient care. We have taken a very defense-in-depth strategy for our network, starting with our firewalls. We really enforce rules to block any traffic that doesn’t have a specific need to be here. There is an approval process that people have to go through to get a rule put in place to allow traffic through in the first place. We don’t have any exposed RDP servers or surfaces for someone to affect us with ransomware. We also have an intrusion-prevention system, which monitors traffic patterns and detects and blocks suspicious patterns if they get through the firewall.”

26% of organizations report that cross-department collaboration contributes to their confidence. This collaboration helps staff members stay focused on what they can do to improve security and may include enterprise-wide security education to help staff members understand their role in keeping medical devices secured. The success of the collaboration can depend on how well organizations communicate across departments, especially in organizations where biomedical engineering and IT or information security departments share responsibility. A CTO shared, “We are fairly confident in our security strategy for our medical devices. The strategy we have is to protect our perimeter. We try to prevent somebody from getting into our environment. Then we focus on education with our medical staff and clinical staff. If they see something on a pump or an alert that does not seem right, the staff needs to report it. We want the staff to know what a malware situation looks like on a regular device or a clinical device.”

A small number of organizations say that C-level support for their medical device security strategy gives them confidence. A CISO shared, “We have a team dedicated to device security, which we have a big focus on. The executives have bought into the idea, and we have a considerable budget.” Larger organizations are more likely to have dedicated C-level security leadership who can promote security within the organization.

Top Reasons for Lack of Confidence in Medical Device Security

31% of interviewed organizations are not confident that their security strategy protects patient safety and prevents disruptions to care. Another 30% are neutral (neither confident nor unconfident). Since comments from both groups were primarily negative, feedback from the two groups was combined for the purposes of analysis. The top reasons organizations lack confidence are given in the chart below.

37% point to a lack of support from their medical device manufacturer as a top reason they are concerned about their medical device security. Without manufacturer support for patches, provider organizations are limited in what they can do to secure their devices. Additionally, some manufacturers use their contracts to shift as much responsibility as possible onto provider organizations. A CISO shared, “We have gotten some vendor resistance; vendors have said that we can’t put our software on their machines. Those vendors have said that they will no longer support devices that do not come back up after we apply our software.” (More information regarding how manufacturers impact medical device security is given in later sections of the report.)

Poor asset and inventory visibility and patching issues are other often-mentioned reasons that organizations lack confidence in their strategy for medical device security. Traditional biomedical engineering asset management solutions, which are used primarily to manage maintenance, lack some of the detailed information organizations need to secure their medical devices. Without information such as which devices are connected to their network, organizations are limited in what they can do to mitigate vulnerabilities and install necessary patches. A director of information systems shared, “Our biggest struggle is asset management. We need to really understand what equipment we have networked and what our patching practices are for that equipment. We don’t have our arms wrapped around that. I can’t be confident at all in our security strategy until we have those things figured out.” 
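Poor asset and inventory visibility is raised both in the organizational-factors summary earlier on this page and in the paragraph above: organizations cannot say which devices are connected, what those devices talk to, or which have been patched. The script below is an added illustration of the reconciliation a security team can run today with data it already has; it is not from the report and not a product of any vendor named on this page. It compares a biomedical asset inventory (extended with the OS, patch-status and vendor-patch-policy fields the report says such systems usually lack) against observed network flows, and reports hosts on the device segment that the inventory does not know about, inventory items never seen on the wire, the actual peer list per device, flows outside each device class's clinical allow-list, and which of those involve devices the vendor will not let the organization patch. Every inventory row, flow record and allow-list entry is constructed for the example; the MAC addresses, IPs and asset IDs are hypothetical.

```python
"""Reconcile a biomedical asset inventory with observed network flows.

Added example, not from the KLAS/CHIME report. Inventory rows, flow
records and the per-class allow-list are all constructed; addresses and
asset IDs are hypothetical.
"""
from collections import defaultdict

# Constructed inventory: the maintenance fields a biomed asset system keeps,
# plus the security fields (OS, patch status, vendor patch policy) that the
# report says such systems usually lack.
INVENTORY = [
    {"asset_id": "PUMP-0142", "mac": "00:1a:2b:00:00:01", "model": "infusion pump",
     "os": "embedded", "vendor_patchable": False, "last_patched": None},
    {"asset_id": "MON-0031", "mac": "00:1a:2b:00:00:02", "model": "patient monitor",
     "os": "Windows 7", "vendor_patchable": True, "last_patched": "2017-09"},
    {"asset_id": "MRI-0002", "mac": "00:1a:2b:00:00:03", "model": "MRI console",
     "os": "Windows XP", "vendor_patchable": False, "last_patched": None},
    {"asset_id": "XR-0007", "mac": "00:1a:2b:00:00:04", "model": "portable x-ray",
     "os": "Linux", "vendor_patchable": True, "last_patched": "2018-01"},
]

# Constructed allow-list: the (server, port) pairs each device class has a
# clinical need to reach. Anything else is a candidate for a segmentation rule.
ALLOWED_PEERS = {
    "infusion pump": {("10.10.5.20", 443)},     # drug-library server
    "patient monitor": {("10.10.5.30", 5000)},  # central monitoring station
    "MRI console": {("10.10.5.40", 104)},       # PACS over DICOM
    "portable x-ray": {("10.10.5.40", 104)},
}

# Constructed flow records, as a switch or NAC sensor might export them.
FLOWS = [
    {"src_mac": "00:1a:2b:00:00:01", "dst_ip": "10.10.5.20", "dst_port": 443},
    {"src_mac": "00:1a:2b:00:00:02", "dst_ip": "10.10.5.30", "dst_port": 5000},
    {"src_mac": "00:1a:2b:00:00:03", "dst_ip": "10.10.5.40", "dst_port": 104},
    {"src_mac": "00:1a:2b:00:00:03", "dst_ip": "203.0.113.9", "dst_port": 445},  # SMB to the internet
    {"src_mac": "00:1a:2b:00:00:02", "dst_ip": "10.10.9.99", "dst_port": 3389},  # RDP to a workstation
    {"src_mac": "00:1a:2b:ff:ff:99", "dst_ip": "10.10.5.40", "dst_port": 104},   # MAC not in inventory
]


def reconcile(inventory, flows, allowed_peers):
    """Compare what the inventory says exists with what the network shows talking."""
    by_mac = {a["mac"].lower(): a for a in inventory}
    seen, unknown = set(), set()
    peers = defaultdict(set)
    violations = []
    for flow in flows:
        asset = by_mac.get(flow["src_mac"].lower())
        if asset is None:
            unknown.add(flow["src_mac"].lower())  # on the segment, not in the inventory
            continue
        seen.add(asset["asset_id"])
        dst = (flow["dst_ip"], flow["dst_port"])
        peers[asset["asset_id"]].add(dst)
        if dst not in allowed_peers.get(asset["model"], set()):
            violations.append((asset["asset_id"], flow["dst_ip"], flow["dst_port"]))
    # Devices the vendor will not let the organization patch that are already
    # talking outside their allow-list: these are the ones to isolate first.
    unpatchable = {a["asset_id"] for a in inventory if not a["vendor_patchable"]}
    return {
        "unknown_hosts": sorted(unknown),
        "silent_assets": sorted(a["asset_id"] for a in inventory if a["asset_id"] not in seen),
        "peers": {k: sorted(v) for k, v in peers.items()},
        "violations": violations,
        "priority_isolate": sorted({v[0] for v in violations} & unpatchable),
    }


def stale_patches(inventory, cutoff):
    """Patchable devices whose last patch predates cutoff ('YYYY-MM'); that
    fixed-width format compares correctly as plain text."""
    return sorted(a["asset_id"] for a in inventory
                  if a["vendor_patchable"]
                  and (a["last_patched"] is None or a["last_patched"] < cutoff))


if __name__ == "__main__":
    report = reconcile(INVENTORY, FLOWS, ALLOWED_PEERS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("stale_patches:", stale_patches(INVENTORY, "2018-01"))
```

On the constructed data the output separates the four questions the paragraph above raises: one host on the segment is not in the inventory, one inventoried device has never been seen on the network (so its connectivity cannot be confirmed either way), the unpatchable MRI console is talking SMB to an internet address and is therefore first in line for isolation, and the patient monitor is both behind on vendor patches and reaching a workstation over RDP. The "silent" list is as important as the violations: a device the inventory says is networked but that never appears in flow data is either mislabelled, unplugged, or on a segment the sensor does not see.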

Other organizations are still developing their security program. This includes working to implement regularly scheduled risk assessments, assign dedicated security staff, and develop robust processes and policies. Comprehensive security strategies aren’t implemented overnight, and progress for many is slow. For example, collaboration across departments can be challenging, yet success depends on organizations communicating regularly about how each department can ensure security. A CISO shared, “I am not very confident in our medical device strategy, but we have only just started. We are still in the infancy of our broader strategy. . . . We are putting in a new SIEM software to review everything. We are also putting in governance processes with our clinical process team. We are incorporating our IT risk assessment process into the purchasing process. Our business associate agreement has a vulnerability-management clause in it.”

About one-fifth of organizations who lack confidence in their strategy feel that medical device usage comes with inherent security risks and despite their best efforts will continue to present an unacceptable level of risk. These respondents are unsure whether they will ever feel confident that their medical devices are secure. Some mention the limitations of patching legacy devices or certain biomedical equipment, and others say that there is little they can do if an intruder enters their network. A CISO shared, “I have extensive knowledge of medical-device security. I have helped multiple organizations establish a strategy for medical-device security. I understand the dangers associated with medical devices and their connectivity to a network. I also understand what infusion pumps can do, and what patient monitors can do, so in regard to medical devices, I am very uncomfortable right now.”

SAFEGUARDING MEDICAL DEVICES REQUIRES A JOINT EFFORT FROM MANUFACTURERS AND PROVIDER ORGANIZATIONS

There are two parties whose actions can impact the degree to which a medical device is secure—the manufacturers who produce the devices and the provider organizations who use them. And both must navigate a web of government policies, including HIPAA regulations, FDA policies, and JCAHO (now The Joint Commission) standards. Nearly all respondents (96%) report that the medical device manufacturers contribute to their security issues. 68% also acknowledge their own organization’s role in creating medical device security issues.

Gaps on either or both sides can lead to vulnerabilities, so the two groups must work together to create reliable medical device security. As one CISO put it, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out. Until we can all get on the same page and talk through how the regulatory process is driving poor security practices, providers are going to have to acquiesce to substandard products and devices because we can’t all speak the same language.” The following two sections outline the medical device security challenges that are specific to medical device manufacturers and those that are specific to provider organizations.

WHAT MANUFACTURER-RELATED FACTORS CONTRIBUTE TO POOR MEDICAL DEVICE SECURITY?

In recent years, new threats, the overall volume of legacy devices, and an increase in the need for connectivity have shifted the medical device security landscape, leaving both manufacturers and provider organizations scrambling to catch up. While there are strategies and processes that provider organizations can refine on their end, many feel they are mainly at the mercy of the medical device manufacturers, who are seen as hiding behind the FDA’s medical device policies and guidelines or as using them as an excuse to not make their devices more secure.

Medical Device Manufacturers and the FDA

Though KLAS did not specifically ask about FDA policies, respondents repeatedly mentioned the runaround they get from device manufacturers when it comes to the FDA’s policies. The chart below summarizes the content of respondents’ comments about the relationship between their device manufacturers and the FDA.

The majority of respondents who mentioned the FDA report that their medical device manufacturers blame the FDA policies, claiming the policies prevent them from making devices more secure. Some medical device manufacturers won’t patch their devices because they claim doing so would require a new 510(k) submission. This is a common industry misperception: the FDA’s own cybersecurity guidance treats routine security updates and patches as device enhancements that generally do not require premarket review. Some provider organizations feel that manufacturers just use this as an excuse to not put resources toward patching their devices or to not do so in a timely manner. Additionally, some manufacturers won’t allow customers to alter the devices themselves, add antivirus software, or run vulnerability scans, claiming that the provider organization is not qualified to do so or claiming that the changes would invalidate the FDA clearance, violate the terms of the warranty, or break legacy operating systems. “We are almost held hostage by vendors,” explained a CISO. “We implement updates when vendors give us the updates. There is nothing else we can really do, especially when vendors throw things in our face and tell us that FDA will void the warranties. Vendors like to march the FDA certifications in front of us.”

While most respondents feel their vendors use the FDA policies as an excuse, some specifically mention that various manufacturers have made progress in improving their approach to security, especially since the WannaCry ransomware attack in 2017. Some feel that perhaps their peers blame the medical device manufacturers because they have insufficient resources to patch their devices themselves.

35% of respondents who commented on the FDA mentioned that unclear FDA policies make it easier for manufacturers to evade responsibility for medical device security, resulting in this responsibility ultimately falling to provider organizations. These respondents feel that ambiguous language from the FDA has allowed medical device manufacturers to interpret the FDA policies as guidelines or recommendations, rather than mandatory regulations. One such CISO shared, “We see the FDA’s guidelines as mandatory. Our manufacturers have told us that certain guidelines from the FDA are not mandatory; they are just recommendations and best practices. However, when we told the FDA about what the manufacturers said, the FDA . . . said certain things were indeed mandatory. The problem was the FDA didn’t make those mandatory guidelines very clear.”

One-third of respondents say that even if the FDA policies are clearly defined, they are currently ineffective in holding manufacturers accountable. These respondents explain that while manufacturers are required to disclose security risks within 30 days and address those risks within 60 days, they are not held accountable to resolve them. Additionally, some respondents point out that when a cyberattack occurs, provider organizations are the ones who are held responsible, not the device vendors. A medical device security consultant shared, “I would love to see the FDA start adding audits to their current OCR audits. I want to see them expand their facility audits. When the FDA finds issues with manufacturers’ devices, they need to enforce penalties and fines. That is what will really get people to heed the FDA’s advice and start making changes now.”

FDA Response

KLAS gave the FDA the opportunity to provide a clarifying statement for this report summarizing their stance on medical device security and the FDA’s expectations for device manufacturers. The following material is their response.

This information can also be found on the FDA's website.

Technical Issues

Regardless of what the FDA does, device manufacturers need to change their approach to help improve the security of their devices. Some manufacturers have begun to be more proactive, but there is still a lot of work to be done. The chart below details the medical device security struggles that provider organizations experience that they attribute mainly to medical device manufacturers.

Note: Other manufacturer issues include devices lacking authentication, lack of manufacturer communication, rigid vendor remote-access policies, manufacturer finger pointing, timeliness of patches, random infections, no antivirus permitted, insufficient hardening of devices, device life cycle, lack of white-listing technology, lack of endpoint protection, embedded OS, lack of manufacturer proactivity, lack of timely risk assessment responses, security not viewed as competitive edge, manufacturer support model, poor device setup, legacy equipment in use, lack of malware protection, devices don’t talk to domain controllers, vendor shared accounts, unknown software bill of materials, security not on manufacturer road map, lack of redundancy, and poor information integrity.

Nearly all respondents report struggles related to out-of-date operating systems or the inability to patch devices, which are both major security risks. On average, respondents say that the manufacturers for almost one-third of their medical devices have told them that the device cannot be patched.

This represents a big gap in security, and organizations have developed various approaches to patching devices, both on their own or through vendor-driven efforts (see figure 15). Still, there are many barriers to patching devices—some manufacturers do not permit customers to patch, some patches require resubmission to the FDA, and other medical devices run on outdated operating systems. A CISO shared, “We have problems patching most of our devices; we can’t patch the infusion pumps because there is no update mechanism, and we have older operating systems. . . . The vast majority of patching is done by the vendors, so we can only patch a small percentage of devices ourselves. One vendor even refused to talk to us about the WannaCry ransomware.”

Another manufacturer-caused security gap is insufficient security controls. Over half of respondents report this struggle and must create compensating controls to close the gap. When manufacturers fail to include updated security features for their devices, unauthorized users can access sensitive information. Because security is changing so rapidly and because medical device development comes with such high costs, it is difficult for vendors to push out security features quickly enough. A CISO explained this problem: “The life cycle for medical devices is rather long, which is understandable because the process costs so much. The value the devices deliver indicates that the devices aren’t at the end of their life after a few years. . . . We have worked with our vendors to make sure that they say they will support future generations of operating systems so that we can stay current. We have talked with some bigger vendors, and those vendors are wanting to add more rigorous developments and test the software before it is put on the devices. That way, the devices will be better secured. The big vendors said they want to do other big things. That is great, but we want to see the vendors actually deliver on what they say.”

Roughly half of respondents report issues related to hardcoded passwords or the absence of encryption for their medical devices. In an effort to make it easier for technicians to resolve issues or gain remote access to their devices for maintenance, some manufacturers hardcode passwords into their medical devices or ship them with generic administrative passwords. These hardcoded passwords create a significant vulnerability since former employees of either the manufacturer or the provider organization still know the credentials and can access the devices after their employment has ended. Even worse, some of these hardcoded passwords can be acquired by anyone through a simple internet search. To compensate for this vulnerability, some manufacturers use rotating hardcoded passwords. However, this does not completely resolve the problem, since employees of one organization could still access the networks of other provider organizations that use the same device and since some of the password rotations can still be found via an internet search. A director of information security described a situation in which her organization turned to YouTube to find a password. Some organizations do deploy IAM solutions to harden their devices and change passwords, essentially forcing the manufacturer’s hand where they can.

Those that mention lacking encryption explain that some devices allow unauthorized users to download data onto an external storage device, such as a USB drive or an SD card. A CISO explained this major vulnerability: “I am very concerned about the fact that our MRI machines will allow users to just download data onto an SD card. I once had to demonstrate to a vendor how vulnerable their devices were. Last year, we had issues with wireless vulnerability because one of our vendors didn’t support the most recent wireless standards. Those kinds of issues are the things that keep me up at night.” There are also concerns about unencrypted PHI that resides on or passes through various devices.

Contract Language

In addition to technical issues, many organizations are affected by the language of their medical device manufacturers’ contracts, which may or may not include provisions that hold both parties accountable. Even when contracts imply shared responsibility for the security of medical devices, there can be financial strings attached. A CISO explained this difficulty: “It is a little distasteful for me when device manufacturers sell us their base product and then charge more for the security package. Security is not an option or an add-on. It is a core function of the equipment. Device manufacturers have no business providing equipment without the security piece. It is like selling someone a car and charging extra for the airbags. Nobody would buy a car without airbags because those are a standard feature.”

The good news is that the industry seems to be shifting toward contract structures that hold both manufacturers and provider organizations accountable, led by the efforts and transparency of forward-looking provider organizations. Several respondents say that since the WannaCry incident, more device manufacturers have begun to accept contract language that specifies which party is accountable for specific security responsibilities, such as who is responsible for deploying patches. Such language can help manufacturers set proper expectations and effectively communicate with customers about how the manufacturers plan to hold themselves accountable. Likewise, some provider organizations are beginning to set policies that limit them to engaging only with manufacturers that will include specific security language in their contracts, and many report that all recent contracts and future contracts include favorable security provisions.

WHAT ORGANIZATIONAL FACTORS PREVENT PROVIDER ORGANIZATIONS FROM DOING MORE TO ENSURE DEVICE SECURITY?

While most respondents feel that their medical device security issues result from a lack of support from their manufacturers, there are still things provider organizations can do on their own to bolster security. Many have the basic building blocks for a general security program in place, such as established security governance and ongoing security assessments based on frameworks like NIST and HITRUST. However, this research revealed two areas specifically related to medical device security in which organizations can improve: (1) asset and inventory visibility and (2) ownership of medical device security.

Note: Other organizational issues include unauthorized physical access, privileged account management, internal device hardening, post-acquisition management of information security, lack of IT network architecture design, lack of mature compliance program, software incompatibility, supply chain inconsistencies, physical space issues, quick pace of industry change, lack of microsegmentation, departmental tension, can’t say no to new technologies, immature IAM tools, organizational priorities, and unquantified risk.

Asset and Inventory Visibility

The first function of the NIST Cybersecurity Framework outlines the importance of being able to identify and understand an organization’s security risks. For medical device security, this includes having visibility into the organization’s device assets and inventory. Lack of such visibility is a common problem, reported by nearly half of respondents. Organizations need adequate visibility into all of their devices, but especially those that are connected to their networks. It is a serious risk for organizations to be unable to determine which medical devices are connected to their network, let alone whether those devices are segmented and what information they are sending and receiving. Compounding this is the fact that many vendors have not disclosed a software bill of materials that would allow organizations to pinpoint which devices may be at risk. A CISO shared, “The biggest issue is inventory management. Even when I feel good about the inventory, I always ask the team whether things are current. We are always worried about missing a category of devices. The devices can be infested with all kinds of vulnerabilities or other problems, but I am confident that if I know about something and where it is, I can take care of it. The things I don’t know about are what worries me.”

For several respondents, the lack of visibility arises from having competing priorities and insufficient resources. To help bridge the resource gap, some organizations attempt to leverage the inventory management solutions that their clinical engineering teams have typically used for device maintenance. However, there are challenges with this approach, since many of these solutions would need to be altered before they could track devices across an entire organization or provide detailed information about patching, updates, connectedness, and MAC and IP addresses.
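One way to surface the unknowns the CISO describes above, as an added example that is not from the report or from any vendor it mentions: reconcile a clinical-engineering inventory export against what the network actually sees, reporting devices that are connected but not inventoried, inventoried but not seen, sitting in the wrong segment, or impossible to match because no MAC is on record. The CSV layouts, column names, MAC addresses and VLAN labels below are constructed for this example.

```python
"""Reconcile a clinical-engineering device inventory against the network.

Constructed example: the CMMS export, the network observations, the column
names and the VLAN labels are all made up for illustration.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List

# Constructed CMMS export: what clinical engineering believes it owns.
CMMS_EXPORT = """asset_id,model,department,mac,expected_vlan
INF-001,Infusion pump,ICU,00:11:22:AA:BB:01,MED-ICU
INF-002,Infusion pump,ICU,00:11:22:aa:bb:02,MED-ICU
MRI-001,MRI console,Radiology,00:11:22:cc:dd:01,MED-IMAGING
XR-001,Portable X-ray,Radiology,,MED-IMAGING
"""

# Constructed network observations, e.g. from DHCP leases or switch ARP tables.
NETWORK_OBSERVATIONS = """mac,ip,vlan
00:11:22:aa:bb:01,10.20.1.11,MED-ICU
00-11-22-aa-bb-02,10.30.5.12,CORP-USER
00:11:22:ee:ff:09,10.20.2.44,MED-IMAGING
"""


@dataclass
class Finding:
    kind: str        # "unknown_device", "wrong_segment", "not_seen" or "no_mac"
    identifier: str  # asset_id for inventory records, MAC for unknown devices
    detail: str


def parse_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def normalise_mac(mac: str) -> str:
    """Tools disagree on MAC formatting; compare lower-case, colon-separated."""
    return mac.strip().lower().replace("-", ":")


def reconcile(cmms_text: str, network_text: str) -> List[Finding]:
    """Compare the inventory with the network and return every discrepancy."""
    inventory = parse_csv(cmms_text)
    observed = {normalise_mac(r["mac"]): r for r in parse_csv(network_text)}
    findings: List[Finding] = []
    known_macs = set()
    for item in inventory:
        if not item["mac"]:
            findings.append(Finding("no_mac", item["asset_id"],
                                    "no MAC on record; cannot be matched to the network"))
            continue
        mac = normalise_mac(item["mac"])
        known_macs.add(mac)
        seen = observed.get(mac)
        if seen is None:
            findings.append(Finding("not_seen", item["asset_id"],
                                    "in inventory but not observed on the network"))
        elif seen["vlan"] != item["expected_vlan"]:
            findings.append(Finding("wrong_segment", item["asset_id"],
                                    f"seen in {seen['vlan']} at {seen['ip']}, "
                                    f"expected {item['expected_vlan']}"))
    # Anything on the network that no inventory record claims is an unknown device.
    for mac, row in observed.items():
        if mac not in known_macs:
            findings.append(Finding("unknown_device", mac,
                                    f"{row['ip']} in {row['vlan']} has no inventory record"))
    return findings


if __name__ == "__main__":
    for f in reconcile(CMMS_EXPORT, NETWORK_OBSERVATIONS):
        print(f"{f.kind:15} {f.identifier:18} {f.detail}")
```

On the constructed data this reports the infusion pump that has drifted into a user VLAN, the MRI console that is not on the network, the X-ray unit with no MAC on record, and one device on the imaging VLAN that nobody has inventoried.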

Ownership of Medical Device Security

Managing thousands of medical devices is obviously a complex undertaking. To accommodate the complexity, as well as various budget constraints, 33% of interviewed organizations divide the ownership of medical device security across multiple departments, a strategy that for some results in ambiguous security ownership and responsibility. Organizations that take this approach are less confident in their medical device security than those that assign responsibility to a specific department. As one CISO put it, “When everybody is in charge, nobody is in charge.”

Organizations that divide responsibility across multiple departments may find it difficult to define each department’s role. For this model to succeed, organizations need to hold departments accountable for specific security tasks, such as creating the medical device security strategy, finding vulnerabilities, and fixing vulnerabilities with patches. It must also be decided who the departments will report their progress to. Assigning and accomplishing tasks is complicated further by the fact that many different types of medical devices must be considered, devices are often purchased or owned by individual departments, and organizations must identify which ones are running on legacy operating systems and which are connected to the organization’s network. Some organizations that exercise shared ownership are trying to simplify their hierarchy by having departments report their security progress to one person or team. A senior information security engineer shared, “Every single device is different. Most of the time, nobody knows who owns what. There is much clearer ownership in organizations where clinical engineering, information security, and IT all report through the same structure.”

Those organizations that have given ownership of their medical device security to one specific department most often give ownership to the clinical/biomedical engineering department (26%), followed by the IT department (22%), and then the information security department (18%). Interestingly, organizations that give ownership to their information security department report less confidence in their medical device security. It may be that information security teams have a broader perspective of organizational security and have direct exposure to how resource and governance constraints limit their ability to secure their environment, thereby causing them to feel less confident.

Inadequate/Strained Resources: Underlying Cause of Issues with Asset Visibility and Ambiguous Ownership

Many provider organizations point to inadequate or strained resources as the underlying source of their poor asset visibility and ambiguous security ownership. In fact, 76% of organizations feel they do not have enough resources to adequately secure their medical devices. Those organizations that don’t report a shortage of resources are more likely to discuss security with their board at least quarterly and are slightly more likely to have a specific department own medical device security. Unsurprisingly, organizations operating with insufficient or strained resources are less confident in the security of their medical devices and find it more difficult to proactively fill security gaps.

Organizations identify several interconnected reasons that their resources are insufficient or strained for managing their medical device security: staff shortages, budget constraints, process issues, and inadequate technology.

Many organizations, especially clinics and small hospitals, struggle to hire staff with security expertise, resulting in staff shortages. Finding staff with both cybersecurity and healthcare experience is challenging, yet organizations often need the even rarer combination of cybersecurity, healthcare, and medical device experience, something that organizations of all sizes struggle with today. Such people are a rare find and can come with a steep price tag. Some organizations choose instead to leverage the skills of a consulting firm, but these resources are also expensive. Respondents point out that spending a significant portion of their security budget on advanced security technologies isn’t helpful if they don’t have staff who are proficient in using the solutions. A medical device security analyst shared, “Technology won’t solve problems without people to use it. My director and I have been putting together a strong case to add more people with my same position next year, but that won’t be enough. We add a lot of new devices each year. . . . There is a lot of new work being generated just by our intake process, and that doesn’t even include the devices that we already have. We have a lot of holes to fill, and we are just working on the basics.”

Budget constraints are the second most mentioned factor that causes resources to be strained or insufficient. Naturally, organizations often prioritize patient care outcomes over all else, and since some decision-makers don’t see a direct connection between security and patient outcomes, funding is given to other departments. An information security officer shared, “I feel that we can never have enough people, but we have budget constraints. Whenever we have a choice to hire a new doctor, a new nurse, or a new security adviser, patient care always comes first.” Without proper funding, organizations are unable to acquire the staff and technology necessary for medical device security, and their security programs are hampered. This is especially true when organizations adopt additional medical devices without adjusting their security budget accordingly. One respondent estimated that for every Internet-of-Things device implemented, the organization must spend $1,000 to secure it. Additionally, budget constraints keep some organizations from being able to replace legacy systems that are too old to update.

41% of organizations feel that process issues put a strain on their resources. The lack of refined processes causes some organizations to play hot potato with security responsibilities, passing them back and forth between departments. This can put significant strain on teams that are already weighed down by other objectives and can complicate the cross-department communication and collaboration that is needed for success with medical device security. An IT security officer shared, “A lot of things could be delegated, but we need a holistic approach in which we get the buy-in from other teams. . . . When we approach the biomed people from an IT security perspective, they basically tell us to back off. The issue is trying to get everyone on the same page without saying that the sky is falling.”

Nearly one-third of organizations say that having inadequate technology strains their resources. Many of these organizations lack sophisticated inventory management systems, and this prevents them from being able to stratify their security risk. Poor integration between systems is another problem, making it more difficult for organizations to get a holistic view of their security vulnerabilities. A manager of information security shared, “Until the asset-inventory and visibility problems get fixed, I cannot answer what else we need to secure our medical devices. Until I know what I have, I do not know what I need.” Furthermore, some organizations lack automated technology for some security processes, and the resulting manual processes can put a significant strain on security personnel.

WHAT BEST PRACTICES DO ORGANIZATIONS IMPLEMENT TO IMPROVE MEDICAL DEVICE SECURITY?

While the challenges and struggles of medical device security may seem insurmountable, provider organizations have developed a variety of strategies to minimize their vulnerability.

Foundational Defenses: Technology & Due Diligence

The process of securing a medical device begins before the device is even installed and consists of due diligence overseen by solid governance and clear ownership. In completing their due diligence, organizations must perform risk assessments, ensure the inclusion of security provisions in their contracts, and ensure they receive a software bill of materials. Once the device is in place, network segmentation, antivirus software, and vulnerability scanning are some of the most common and basic technologies used to mitigate risk.

By using network segmentation to isolate medical devices from the main network, organizations can reduce the chance of a security event occurring and reduce the impact of the security events that do occur. Some organizations that use network segmentation choose to forgo patching some medical devices, balancing the risk that accompanies unpatched devices against the protection provided by the segmentation.

Still, staff may need to review segmentation policies frequently for network segmentation to be a truly effective security measure. Additionally, organizations need to balance network segmentation with the primary function of medical devices, which is to communicate information back to other systems. A CISO explained the dilemma: “There are limitations to network segmentation because so many of these devices are networked and have to communicate back to a PACS or an EMR. So we have to open a port on a firewall or write files to a server; it isn’t like these devices operate within a box. They are connected, and those connections are potential points of egress or ingress. I am not the biggest proponent of segmentation. Its capabilities have been overstated. We have implemented a host of intrusion-prevention things to block SMB-based exploits that target medical devices, but ultimately, they don’t give me a high degree of confidence.”

Additionally, many organizations implement antivirus software and perform vulnerability scans on their medical devices as often as they can. These strategies also come with challenges—some medical device manufacturers charge fees to install antivirus software on their devices or will void their support if a customer installs antivirus software themselves. A systems administrator said, “[Our medical device vendor] says that the only way they will allow us to have antivirus software on the machines without voiding support is if they install and manage the antivirus from their side for a ridiculous amount of money. All of the other vendors say that they don’t have a solution and that there won’t be any antivirus software installed on the machines.” Vulnerability scans can be effective, but provider organizations report having to restrict which devices they scan because some devices shut down or reboot when scanned, causing potential patient-safety issues and loss of productivity.

Patching Strategies

Beyond the basics of network segmentation, antivirus software, and vulnerability scans, organizations also engage in patching to secure their medical devices, though they are more reliant on their device manufacturers in these efforts, since the manufacturers are the ones who develop the patches.

Patching can be a complex problem given the large number of connected medical devices that can be in use at any one organization and given that patches can break existing functionality, can require devices to be removed from patient care use to be updated, and often can’t be deployed remotely. A security and disaster recovery administrator shared how his organization is developing their patching strategy: “When we were first creating a patching strategy, I pushed hard for our organization to develop policies around vulnerability management. I pushed for a customized plan for our devices instead of lumping them in under the same vulnerability-management principles that we use for our desktop computers or servers. We do a full risk assessment for each device, and we use that to draft a vulnerability management plan that covers how we do the patching, who owns the patching, and when we do vulnerability scans. . . . We are learning as we go. We will develop standards, but right now we need to know who owns which devices. That is a big question, especially when we are dealing with vendor-supported devices. We want to know how often devices are being patched or when we are going to get updates for devices, especially when there are security incidents. We want to lay things out in our vulnerability-management plan and have the information available where anyone can see it.”

The majority of organizations patch their devices themselves in-house. A little over one-quarter of organizations use both the vendor and their own resources to patch their devices. A minority of organizations rely solely on the manufacturer. A director of clinical engineering explained his organization’s shared approach: “When we become aware that a patch is available, we install it with the help of our IT department. Usually we are made aware of patches through our hazard-alert and recall process. After a manufacturer sends a notice to a hospital, the notice is routed to the recall and alerts coordinator. Then we follow up with the IT team and the appropriate medical device vendor. We work with our IT team so that they can test things first. We do some of our own patches, and we rely on vendors for some patches. Who creates the patches depends on our workload and the type of device. If a vendor will come on-site and implement a patch for free, then we will let them. Implementing patches can be pretty complex at times.”

Knowing when patches are available is an important part of a patching strategy. A CISO described how his organization accomplishes this: “My team monitors the certifications and alerts from the vendors. We have an email advisory, and we subscribe to every email list that we can. We have almost all of the vendors’ notifications coming through our email, and then we make sure those emails go to the right teams.”

However, not all vendors proactively create needed patches or send out notifications when patches are available, so many provider organizations must actively pressure vendors for what they need. Other vendors release regularly scheduled patching updates, either monthly or quarterly. When old devices cannot be patched, organizations sometimes choose to upgrade their equipment or simply segment it.
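An added example, not from the report or from any organization it interviewed, of the per-device vulnerability-management plan described in this section: a risk-assessment record for each device decides who patches it (in-house or the vendor), whether segmentation or replacement stands in for patching when the manufacturer says it cannot be patched, and whether the device is safe to include in active scans, with the queue ordered by risk. The Device fields, the scoring weights, the decision rules and the four sample devices are all assumptions made for this example.

```python
"""Per-device vulnerability-management plan built from a risk assessment.

Constructed example, not from the report: the Device fields, scoring weights
and decision rules are hypothetical illustrations of such a plan.
"""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Device:
    asset_id: str
    model: str
    owner: Optional[str]          # department accountable for its security; None = ambiguous
    network_connected: bool
    segmented: bool               # isolated in a dedicated medical-device zone
    vendor_patchable: bool        # manufacturer has confirmed the device can be patched
    in_house_patch_allowed: bool  # contract permits the provider to apply patches itself
    os_end_of_life: bool          # runs an operating system the vendor no longer supports
    sbom_received: bool           # software bill of materials on file
    scan_safe: bool               # known to survive an active vulnerability scan
    handles_phi: bool

@dataclass
class Plan:
    asset_id: str
    patch_path: str               # "in-house", "vendor", "segment-only" or "replace"
    include_in_scans: bool
    risk_score: int
    findings: List[str] = field(default_factory=list)

def risk_score(d: Device) -> int:
    """Additive score used only to order the work queue; weights are hypothetical."""
    score = 0
    if d.network_connected:
        score += 3
    if d.network_connected and not d.segmented:
        score += 3                # exposed to the general network with no compensating control
    if d.os_end_of_life:
        score += 3
    if not d.vendor_patchable:
        score += 2
    if d.handles_phi:
        score += 2
    if not d.sbom_received:
        score += 1                # cannot tell whether a disclosed component flaw applies
    if d.owner is None:
        score += 1                # nobody is accountable for acting on findings
    return score

def triage(d: Device) -> Plan:
    """Decide the patch path and scan eligibility for one device."""
    findings: List[str] = []
    if d.owner is None:
        findings.append("no accountable owner recorded")
    if not d.sbom_received:
        findings.append("no software bill of materials from the manufacturer")
    if d.vendor_patchable and d.in_house_patch_allowed:
        path = "in-house"
    elif d.vendor_patchable:
        path = "vendor"           # only the manufacturer may apply patches
    elif d.os_end_of_life:
        path = "replace"          # cannot be patched and its OS is unsupported
    else:
        path = "segment-only"     # no update mechanism; segmentation is the control
    if not d.vendor_patchable and d.network_connected and not d.segmented:
        findings.append("unpatchable device is connected but not segmented")
    # Only scan connected devices that are known not to reboot or halt under a scan.
    include = d.network_connected and d.scan_safe
    if d.network_connected and not d.scan_safe:
        findings.append("excluded from active scans: device may reboot or halt")
    return Plan(d.asset_id, path, include, risk_score(d), findings)

def build_plan(inventory: List[Device]) -> List[Plan]:
    """Triage every device and order the result by descending risk."""
    return sorted((triage(d) for d in inventory), key=lambda p: -p.risk_score)

# Constructed inventory of four devices (field order matches the Device class).
SAMPLE_INVENTORY = [
    Device("INF-001", "Infusion pump", "Clinical Engineering", True, True, False, False, False, False, False, False),
    Device("MRI-002", "MRI console", None, True, False, True, False, True, True, True, True),
    Device("WKS-003", "Imaging workstation", "IT", True, True, True, True, False, True, True, True),
    Device("XR-004", "Portable X-ray", "Radiology", False, False, False, False, True, False, True, True),
]
```

Running `build_plan(SAMPLE_INVENTORY)` puts the unsegmented, ownerless MRI console at the top of the queue, routes the infusion pump with no update mechanism to segmentation and keeps it out of active scans, and marks the end-of-life X-ray unit for replacement.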

A trend that is emerging in medical device security is for provider organizations to require vendors to include cybersecurity and patching agreements in their contract language along with clear guidelines as to who will be responsible for doing patches. These contracts help both parties have clear expectations as to patching responsibilities and timelines. Some organizations refuse to even consider vendors that are not willing to include security stipulations in their contracts.

Some organizations are also engaging third-party solutions to help with their patching. A CISO stated, “Our medical device strategy is a mix between relying on vendors and doing things internally. We have some in-house clinical engineering, and we have some outsourced clinical engineering. We work with our in-house team and a couple of vendors to round everything up, sort things by how critical they are, and get things out as soon as possible. We also do network segmentation.” The next section of this report explores other areas of medical device security in which provider organizations are utilizing third-party software and services.

Third-Party Software and Services

Three-fourths of respondents currently use or plan to use third-party services or solutions to help them with medical device security. These organizations were asked broadly about the third-party services and solutions they are using or plan to use. In an effort to provide a holistic view of how third parties are used, KLAS asked an intentionally open-ended question that didn’t guide respondents toward any particular type of third-party vendor. Below is a chart of the most frequently mentioned third-party software and solutions being used by respondents.

Respondents most often engage a third party for network access control (NAC), which many use in their network segmentation strategies to overcome challenges with asset visibility and vulnerability management. Organizations report using third-party NAC solutions to authenticate and approve network access based on customized rules and medical device profiling information, like wireless IDs, and to limit medical device communication routes based on intelligent rules.

Organizations also use outsourced device management to reduce the ambiguity of medical device security ownership. Vendors that have been traditionally used for clinical engineering have begun to be leveraged for device security as well. Organizations report using vendors’ resources for firmware and equipment software updates or for inventory blocking and putting RFID tags on devices.

Vulnerability management is another third-party service used, with organizations engaging firms for vulnerability-scanning services, to detect what devices are connected to their network, to identify potential risks, and to perform trend analysis.

Asset management is another commonly used third-party capability, and respondents mention using these solutions for inventory management, issue tracking, software-deployment management, and network-threat detection.

Comprehensive medical device security vendors provide medical device security capabilities across multiple areas. Organizations mention using these vendors to discover connected devices, detect anomalous behaviors, and protect the network through blacklisting or microsegmentation. This both helps provider organizations overcome asset-management struggles and gives organizations increased security controls they wouldn’t typically have with their medical devices.

This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2018 KLAS Enterprises, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.