Dennis Fridrich

Health Care

Managing Medical Device Vulnerabilities With Compensating Controls

Hospitals don’t have room for risk

Published: Tuesday, March 29, 2022 - 12:03

As the number of networked medical devices grows, so too will online threats and vulnerabilities. In this era of interconnectivity, healthcare systems must prioritize medical device security and patient safety.

The heightened risk is drawing the attention of federal regulators, who warn that “it is more important than ever that hospitals have a plan for securing their networked devices—which can number in the tens of thousands in a large organization—before those devices are compromised in a cyberattack.”

The stakes are high. The U.S. Department of Health and Human Services Office of Inspector General has underscored the threats to patient safety when compromised medical devices disrupt critical care. Meanwhile, ransomware attacks on hospitals are soaring, costs are escalating, and cybersecurity insurance premiums are rising.

Faced with such challenges, healthcare providers should embrace a multilayered cybersecurity approach that can expedite remediation and mitigation, and ensure equipment is safe and available.

Why medical device security is a complex task

Several factors present unique challenges in ensuring medical device security.

Hospitals and healthcare systems often lack 100-percent visibility into their inventory—the number of devices they have, where each is located, and the status of each individual device. Inventory visibility is critical to medical device cybersecurity because of the way the devices are maintained and updated. Unlike laptops and other IT hardware, to which enterprise-software providers routinely push updates, medical devices don’t receive pushed updates. So, without the inventory visibility that a comprehensive clinical asset management solution provides, it is uncertain whether every medical device carries the latest patch or has otherwise been risk-mitigated. It is equally uncertain whether a newly identified vulnerability is present in any medical device at all.

The original equipment manufacturer (OEM) must either approve a patch or deliver a validated one before it can be installed. In other instances, legacy devices and their software may no longer be supported, so no patch ever becomes available. This is especially problematic for older equipment that was never designed to be networked but is now connected to a network. Although the FDA is seeking a requirement that devices be updated and patched in a timely manner, no specific timelines are mandated.

A clinical engineering team or information technology team with medical device expertise can identify and deploy compensating controls until a patch is available, or in those instances when a patch will never be available. Compensating controls include measures such as disabling services on the devices, enabling encryption if available, or reviewing and ensuring network routing.

Each medical device must also be individually risk-assessed because the environment of care for each device is unique. A specific compensating control might work on a device in one setting but not in another. For example, take disabling a printer spool because of a vulnerability. Healthcare providers may not need to print from a device in, say, the emergency room. But in the surgery room, the need to print additional imaging results could be immediate.

Some vulnerabilities are more pressing than others. Teams can prioritize work orders based on the degree of risk and how critical a device is to patient care. Clinical engineering solutions can help teams assess the severity of a risk to determine whether a device without an available patch should be replaced.
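As an added example (not from the article or from TRIMEDX), a small Python model of the workflow described in the preceding paragraphs: match advisories against the device inventory, prefer an OEM-validated patch when one exists, fall back to a compensating control only where the environment of care can tolerate losing the affected service, and rank the resulting work orders by severity and clinical criticality. The device models, advisory ids, sample inventory and the `REQUIRED` map are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Device:
    asset_id: str
    model: str
    firmware: str
    location: str            # environment of care, e.g. "surgery", "er"
    criticality: int         # 1 (low) .. 5 (life-critical) for patient care
    controls: set = field(default_factory=set)  # compensating controls already applied
@dataclass
class Advisory:
    adv_id: str              # placeholder id; a real advisory carries a CVE number
    model: str
    fixed_in: Optional[str]  # OEM-validated firmware carrying the fix; None = none will ship
    severity: float          # 0..10, CVSS-style
    mitigation: str          # compensating control: the service to disable
# Services each environment of care cannot do without (constructed assumption).
REQUIRED = {"surgery": {"print"}, "icu": {"print"}, "er": set()}

def version(v):
    return tuple(int(p) for p in v.split("."))

def exposed(dev, adv):
    """True if the device still carries the flaw: same model, old firmware, no control."""
    if dev.model != adv.model or adv.mitigation in dev.controls:
        return False
    return adv.fixed_in is None or version(dev.firmware) < version(adv.fixed_in)

def work_orders(devices, advisories):
    """Prioritised (score, asset, advisory, action) tuples, highest risk first."""
    orders = []
    for adv in advisories:
        for dev in devices:
            if not exposed(dev, adv):
                continue
            if adv.fixed_in is not None:
                action = f"install OEM-validated firmware {adv.fixed_in}"
            elif adv.mitigation in REQUIRED.get(dev.location, set()):
                # Disabling the service would disrupt care here; isolate or replace instead.
                action = f"keep {adv.mitigation}; isolate on network or assess replacement"
            else:
                action = f"disable {adv.mitigation}"
            orders.append((adv.severity * dev.criticality, dev.asset_id, adv.adv_id, action))
    return sorted(orders, reverse=True)
# Constructed sample inventory and advisories, not real devices or vulnerabilities.
DEVICES = [Device("INF-001", "PumpX", "2.1", "icu", 5), Device("IMG-002", "ScanY", "4.0", "surgery", 4),
           Device("IMG-003", "ScanY", "4.0", "er", 3), Device("IMG-004", "ScanY", "4.0", "er", 3, {"print"})]
ADVISORIES = [Advisory("ADV-A", "PumpX", "2.2", 9.0, "telnet"), Advisory("ADV-B", "ScanY", None, 6.5, "print")]
```

Run `work_orders(DEVICES, ADVISORIES)` to see the pump patched first, the surgery scanner escalated because its print service is required there, and the ER scanner given the printer-spool control described above.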

Medical device cybersecurity is about sound process as well as sound technique.

Why communication is critical to the process

With so many variables in each specific situation and with each device, communication among all stakeholders is paramount.

Health system executives need to know how clinical engineering and IT teams are addressing an issue: the potential risks, how the chosen approach reduces exposure, what effect it may have on how devices operate, and how it affects device availability in each specific environment of care. They need to know which devices are available to use and where, and they need to know which devices have vulnerabilities that pose so much risk that they can’t be used.

For example, consider the recent Log4j vulnerability. The federal Office of Information Security released a threat brief on Jan. 20, 2022, noting multiple risks and warning healthcare providers that they remain a highly vulnerable target. Short-term and long-term mitigation steps were advised.

Other stakeholders who need to be informed are “boots on the ground” staff. They need to know about the extent of compensating controls because a device’s behavior may change. A clinician, for instance, could believe a device is broken because some functionality has been disabled to mitigate a risk.

Communication with all stakeholders is necessary to ensure patient safety while steps are underway to mitigate the risk.

Medical device safety and security is a complex process of mitigation and management. Patches that must be validated by manufacturers require IT and clinical engineering teams to identify and employ compensating controls until the patch is available. Sometimes a patch isn’t forthcoming, so the compensating control becomes the permanent fix. Compensating controls also must be unique to each device and its environment of care. Stakeholders and staff need clear communication on the risk potential and how compensating controls may affect a device and its availability. And a healthcare system needs 100-percent real-time visibility into its inventory as its cybersecurity baseline for all of this.

Anything less than a multifaceted approach to cybersecurity can leave medical device vulnerabilities unaddressed and compromise care.


About The Author


Dennis Fridrich

Dennis Fridrich is vice president of cybersecurity for TRIMEDX, an industry-leading, independent clinical asset management company delivering comprehensive clinical engineering services, clinical asset informatics, and medical device cybersecurity. Dennis has nearly 20 years of information technology leadership experience. Previously, he held positions at AIG Trading Group, General Reinsurance, and several small businesses. He earned his Executive Master of Business Administration degree from the University of Connecticut, and a bachelor's degree in computer science from Western New England University.