Medical Device Security CHIME Edition 2018
What Are the Greatest Challenges and How Can They be Overcome?
While funding and strategy development have increased for security overall, healthcare organizations are bombarded from all sides by security attacks. Due to the patient-safety risks, many feel particularly vulnerable when it comes to medical device security. This report—a collaborative effort between the College of Healthcare Information Management Executives (CHIME), the Association for Executives in Healthcare Information Security (AEHIS), KLAS, and provider organizations—aims to examine the current state of the industry and identify best practices for improvement. The 148 interviewed provider organizations shared how confident they feel in their medical device security strategies, the most common challenges they face, their perceptions of the security and transparency of major medical device manufacturers, and the best practices they leverage to overcome medical device security challenges.
Patient Safety a Top Concern with Unsecured Medical Devices
Citing patient safety as a top concern, most respondents are neutral about or not confident in their current medical device security strategy, with CISOs and CIOs more likely to report concern. The most common frustrations for unconfident organizations are the limitations placed on them by a lack of needed support from device manufacturers, including manufacturer recommendations that may conflict with the need to effectively deliver patient care. Almost as common are internal issues related to basic—but hard-to-master—security tasks, such as understanding what assets exist in their organization, which have been patched, which are connected to their network, and what systems those devices are talking to, all issues that get addressed as organizations develop their medical device security programs. About one-fifth of respondents feel that the inherent risks of medical devices—several of which are outside of their control—will prevent them from ever feeling confident.
The 39% of respondents who express confidence in their device security strategy’s ability to protect patient safety most often point to their security processes and policies—including access limitations, network segmentation, and regular device monitoring and risk assessment—as the source of their confidence. To support these processes and policies, many leverage security technologies, such as access controls, asset tracking, firewalls, and medical device monitoring. Strong executive support (financial and organizational) and cross-department collaboration also drive confidence, as evidenced by the fact that large IDNs, who more commonly have greater financial resources, are more likely to be confident in their strategies.
Root Causes of Medical Device Security Struggles
Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers. Yet regardless of their level of confidence, interviewed organizations are almost unanimous in citing manufacturer-related factors as a cause of their medical device security issues. A CISO explained, “I think there needs to be a coordinated effort between the manufacturers, the provider sites, and the regulators. I wish there were some other way for us to address this issue, but without that three-way partnership, I just don’t see how things will work out.”
Manufacturer-Related Factors: Legacy Medical Devices a Universal Challenge
There is a gap between how long organizations expect to be able to use a device and how long vendors feel they can keep a device up to date and secure. As a result, nearly all interviewed organizations have struggled with out-of-date operating systems or the inability to patch a device throughout its expected life cycle. Currently, many manufacturers do not allow customers to patch devices themselves (or void warranties if they do). Insufficient security controls, insufficient encryption, and hardcoded passwords are each cited as manufacturer-caused issues by about half of respondents. Adding to provider organizations’ frustration, on average, almost one-third of medical device vendors decline to offer contract provisions favorable to security. However, some manufacturers have been receptive to standardized security contract language proposed by forward-thinking provider organizations, a practice becoming more commonplace in the industry.
Organizational Factors
Poor Asset Visibility & Ambiguous Security Ownership the Top Challenges
Aside from manufacturer-caused issues, there are also organizational factors that hinder better medical device security. In this research, organizations most often highlight poor asset/inventory visibility and ambiguous security ownership. Organizations may be at serious risk if they lack visibility into what devices are connected to their network or what information is being sent and received by those devices. Additionally, shared ownership of medical device security can create confusion, and organizations with shared ownership are less likely to report confidence in their security strategy’s ability to protect patient safety. As one CISO explained, “When everybody is in charge, nobody is in charge.” Difficulties in these two areas often stem from a lack of adequate resources—whether that be in the form of staff shortages, budget constraints, process issues, or inadequate technology.
Organization Best Practices
Foundational Defenses: Technology & Due Diligence
The process of securing a medical device begins before the device is even installed and consists of due diligence overseen by solid governance and clear ownership. In completing their due diligence, organizations must perform risk assessments, ensure the inclusion of security provisions in their contracts, and ensure they receive a software bill of materials. Once the device is in place, network segmentation, antivirus software, and vulnerability scanning are some of the most common and basic technologies used to ameliorate risk. By disconnecting unnecessary medical devices from their network, organizations can mitigate risk and reduce the impact of a security event.
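The asset-visibility gaps named above (which devices exist, which are patched, which are on the network, and what they talk to) and the segmentation and disconnection practices in this section can be checked mechanically once an inventory and network flow records exist. The following is an added example, not code from the report or from any vendor it names: it reconciles a constructed device inventory against constructed flow records and reports unknown devices, out-of-support operating systems, unpatched devices, segment violations, and devices that never communicate (candidates for disconnection). The segment ranges, end-of-support dates, asset IDs and flows are all assumed sample data.

```python
"""Asset-visibility and segmentation checks for a medical-device inventory.

Added example (not from the KLAS/CHIME report). Every inventory record, flow
record, segment range and end-of-support date below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Device:
    asset_id: str
    ip: str
    os: str
    os_eol: date      # vendor end-of-support date for the device OS (assumed)
    patched: bool     # latest vendor-released patch applied?
    segment: str      # network segment the device is assigned to


@dataclass(frozen=True)
class Flow:
    src: str          # source IP observed on the network
    dst: str          # destination IP
    dport: int        # destination port


# Constructed segment map and the peers each clinical segment may reach.
SEGMENTS = {
    "clinical-devices": ip_network("10.20.0.0/24"),
    "pacs": ip_network("10.30.0.0/24"),
}
ALLOWED_PEERS = {"clinical-devices": {"clinical-devices", "pacs"}}

# Constructed inventory: two legacy, unpatched devices and two current ones.
INVENTORY = [
    Device("INF-001", "10.20.0.11", "Windows 7 Embedded", date(2020, 1, 14), False, "clinical-devices"),
    Device("MON-002", "10.20.0.12", "Linux 4.x", date(2026, 12, 31), True, "clinical-devices"),
    Device("PMP-003", "10.20.0.13", "Windows XP Embedded", date(2019, 4, 9), False, "clinical-devices"),
    Device("US-004", "10.20.0.14", "Linux 4.x", date(2026, 12, 31), True, "clinical-devices"),
]

# Constructed flow records, e.g. exported from a NAC or network monitoring tool.
FLOWS = [
    Flow("10.20.0.11", "10.30.0.5", 104),      # imaging device -> PACS (DICOM), allowed
    Flow("10.20.0.12", "10.30.0.5", 104),      # monitor -> PACS, allowed
    Flow("10.20.0.13", "203.0.113.9", 443),    # pump -> outside address, not allowed
    Flow("10.20.0.77", "10.30.0.5", 104),      # address in clinical VLAN, not in inventory
    Flow("10.20.0.12", "10.20.0.11", 22),      # device -> device within segment, allowed
]


def segment_of(ip: str) -> str:
    """Name of the segment containing ip, or 'unclassified' if none matches."""
    addr = ip_address(ip)
    return next((name for name, net in SEGMENTS.items() if addr in net), "unclassified")


def unknown_devices(inventory, flows):
    """Sources inside a managed segment that have no inventory record."""
    known = {d.ip for d in inventory}
    return sorted({f.src for f in flows if segment_of(f.src) in SEGMENTS and f.src not in known})


def unsupported_os(inventory, today: date):
    """Devices whose OS passed vendor end-of-support before today."""
    return sorted(d.asset_id for d in inventory if d.os_eol < today)


def unpatched(inventory):
    return sorted(d.asset_id for d in inventory if not d.patched)


def segment_violations(inventory, flows):
    """(asset, dst, port, dst_segment) for flows leaving a device's allowed peer set."""
    by_ip = {d.ip: d for d in inventory}
    findings = []
    for f in flows:
        dev = by_ip.get(f.src)
        if dev is None:
            continue  # reported by unknown_devices instead
        dst_seg = segment_of(f.dst)
        if dst_seg not in ALLOWED_PEERS.get(dev.segment, set()):
            findings.append((dev.asset_id, f.dst, f.dport, dst_seg))
    return findings


def silent_devices(inventory, flows):
    """Inventoried devices with no observed traffic: review for disconnection."""
    active = {f.src for f in flows} | {f.dst for f in flows}
    return sorted(d.asset_id for d in inventory if d.ip not in active)


def report(inventory=INVENTORY, flows=FLOWS, today=date(2024, 1, 1)):
    return {
        "unknown_devices": unknown_devices(inventory, flows),
        "unsupported_os": unsupported_os(inventory, today),
        "unpatched": unpatched(inventory),
        "segment_violations": segment_violations(inventory, flows),
        "silent_devices": silent_devices(inventory, flows),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Each finding maps to a practice in the text: unknown addresses and silent devices feed the inventory and disconnection decisions, end-of-support and unpatched lists feed the patching conversation with the vendor, and segment violations show where network segmentation is not holding. In production the inventory and flow records would come from the organization's CMMS and NAC or monitoring tool rather than from literals.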
Patching Strategies
Out of necessity, organizations are resourceful when it comes to patching. They actively reach out to vendors to find out when patches are available; sometimes they patch devices themselves, and sometimes they have the vendor do it for them. They have also begun requesting that vendors use contract language that clearly outlines patching responsibilities and timelines.
Third-Party Software and Services
Nearly 75% of respondents use or plan to use third-party software or services to improve medical device security. Network access control (NAC) is most often used to segment networks and approve or deny access. Cisco is used most widely, followed by ForeScout and Aruba. To reduce costs and clearly define ownership, other organizations outsource their clinical engineering. Traditional clinical engineering vendors Aramark, Sodexo, and TRIMEDX are also beginning to be used for device security. Some respondents use vulnerability-scanning tools from Tenable and Qualys. Up-and-comers CloudPost and Zingbox are gaining traction, offering comprehensive security platforms that help with network discovery, anomalous-behavior detection, blacklisting, and microsegmentation.
Overall Healthcare Security Trends
Writer
Elizabeth Pew
Designer
Jess Wallace-Simpson
Project Manager
Robert Ellis
This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2024 KLAS Research, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.