Featured Product
This Week in Quality Digest Live
Health Care Features
Stephanie Ojeda
How addressing customer concerns benefits the entire quality process
Michael King
Augmenting and empowering life-science professionals
Meg Sinclair
100% real, 100% anonymized, 100% scary
Kristi McDermott
Technology and what the future requires for patients and providers to thrive
Alonso Diaz
Consulting the FDA’s Case for Quality program

More Features

Health Care News
Recognized among early adopters as a leading innovation for the life sciences industry
Study of intelligent noise reduction in pediatric study
Streamlines annual regulatory review for life sciences
The company is also facilitating donations to the cause
Mass spectromic analysis from iotaSciences
Showcasing the latest in digital transformation for validation professionals in life sciences
An expansion of its medical-device cybersecurity solution as independent services to all health systems
Purchase combines goals and complementary capabilities
Better compliance, outbreak forecasting, and prediction of pathogens such as listeria or salmonella

More News

Dennis Fridrich

Health Care

Managing Medical Device Vulnerabilities With Compensating Controls

Hospitals don’t have room for risk

Published: Tuesday, March 29, 2022 - 11:03

As the number of networked medical devices grows, so too will online threats and vulnerabilities. In this era of interconnectivity, healthcare systems must prioritize medical device security and patient safety.

The heightened risk is drawing the attention of federal regulators, who warn that “it is more important than ever that hospitals have a plan for securing their networked devices—which can number in the tens of thousands in a large organization—before those devices are compromised in a cyberattack.”

The stakes are high. The U.S. Department of Health and Human Services Office of Inspector General has underscored the threats to patient safety when compromised medical devices disrupt critical care. Meanwhile, ransomware attacks on hospitals are soaring, costs are escalating, and cybersecurity insurance premiums are rising.

Faced with such challenges, healthcare providers should embrace a multilayered cybersecurity approach that can expedite remediation and mitigation, and ensure equipment is safe and available.

Why medical device security is a complex task

Several factors present unique challenges in ensuring medical device security.

Hospitals and healthcare systems often lack 100-percent visibility into their inventory—in terms of the number of devices they have, their locations, and the status of each individual device. Inventory visibility is critical to medical device cybersecurity because of the way the devices are maintained and updated. Unlike laptops and hardware, where enterprise-software providers routinely push out updates, medical devices don’t receive pushed updates. So, without inventory visibility provided by a comprehensive clinical asset management solution, whether every medical device is updated with the latest patch or is otherwise risk-mitigated is uncertain. Also uncertain is whether an identified vulnerability is present in any medical device.

The original equipment manufacturer (OEM) must provide either approval of a patch or deliver a validated one before it can be installed. In other instances, legacy devices and their software may no longer be supported, so no patch becomes available. This is especially problematic for older equipment that originally wasn’t intended to be connected to a network now being connected. Although the FDA is seeking a requirement that devices be updated and patched in a timely manner, specific time requirements aren’t required.

A clinical engineering team or information technology team with medical device expertise can identify and deploy compensating controls until a patch is available, or in those instances when a patch will never be available. Compensating controls include measures such as disabling services on the devices, enabling encryption if available, or reviewing and ensuring network routing.

Each medical device must also be individually risk-assessed because the environment of care for each device is unique. A specific compensating control might work on a device in one setting but not in another. For example, take disabling a printer spool because of a vulnerability. Healthcare providers may not need to print from a device in, say, the emergency room. But in the surgery room, the need to print additional imaging results could be immediate.

Some vulnerabilities are more pressing than others. Teams can prioritize work orders based on the degree of risk and how critical a device is to patient care. Clinical engineering solutions can help teams assess the severity of a risk to determine whether a device without an available patch should be replaced.

Medical device cybersecurity is about sound process as well as sound technique.

Why communication is critical to the process

With so many variables in each specific situation and with each device, communication among all stakeholders is paramount.

Health system executives need to know how clinical engineering and IT teams are addressing an issue to understand the potential risks, how the approach reduces potential exposure, what ramifications may occur in how devices operate, and their availability in their specific environment of care. They need to know which devices are available to use and where, and they need to know which devices have vulnerabilities that pose so much risk that they can't be used.

For example, consider the recent Log4j vulnerability. The federal Office of Information Security released a threat brief on Jan. 20, 2022, noting multiple risks and warning healthcare providers that they remain a highly vulnerable target. Short-term and long-term mitigation steps were advised.

Other stakeholders who need to be informed are “boots on the ground” staff. They need to know about the extent of compensating controls because a device’s behavior may change. A clinician, for instance, could believe a device is broken because some functionality has been disabled to mitigate a risk.

Communication with all stakeholders is necessary to ensure patient safety while steps are underway to mitigate the risk.

Medical device safety and security is a complex process of mitigation and management. Patches that must be validated by manufacturers require IT and clinical engineering teams to identify and employ compensating controls until the patch is available. Sometimes a patch isn’t forthcoming, so the compensating control becomes the permanent fix. Compensating controls also must be unique to each device and its environment of care. Stakeholders and staff need clear communication on the risk potential and how compensating controls may affect a device and its availability. And a healthcare system needs 100-percent real-time visibility into its inventory as its cybersecurity baseline for all of this.

Anything less than a multifaceted approach to cybersecurity can leave medical device vulnerabilities unaddressed and compromise care.


About The Author

Dennis Fridrich’s picture

Dennis Fridrich

Dennis Fridrich is vice president of cybersecurity for TRIMEDX, an industry-leading, independent clinical asset management company delivering comprehensive clinical engineering services, clinical asset informatics, and medical device cybersecurity. Dennis has nearly 20 years of information technology leadership experience. Previously, he held positions at AIG Trading Group, General Reinsurance, and several small businesses. He earned his Executive Master of Business Administration degree from the University of Connecticut, and a bachelor's degree in computer science from Western New England University.