
No Time to Waste: A Proactive Strategy to Mitigate Medical Device Vulnerabilities

It has become painfully obvious that medical device manufacturers (MDMs) can’t keep up with the ever-expanding list of discovered vulnerabilities affecting the equipment they make and ship to market. Security researchers recently published a report claiming that as many as 75% of 200,000 devices reviewed have security flaws that make them vulnerable to exploitation by threat actors. More than half of those had multiple vulnerabilities, including many that have been known since at least 2019.

Healthcare delivery organizations (HDOs) like hospitals, urgent care clinics, private practices, and more have taken note. And while they rely on the capabilities that connected medical devices provide to deliver a superior quality of treatment, they also recognize that they can’t count on MDMs to address vulnerabilities promptly. Flaws in operating systems and software used to create the devices may include vulnerabilities that aren’t discovered until long after equipment is put in service. And once in service, it may be difficult to patch devices because they are in use providing critical care.

A Bad Time for Healthcare Security

These findings could not come at a worse time for the healthcare industry, which is already besieged by risk. In another recent report, security researchers found that the industrial control systems and other network-connected systems—devices comprising the internet of things (IoT), operational technologies (OT), and the internet of medical things (IoMT)—used in hospital and healthcare environments had seen a 110% increase in vulnerabilities since 2019. And that was before cybercriminals took advantage of the chaos brought on by the Covid-19 pandemic, increasing cyberattacks on healthcare organizations by 55%, along with an expected spike in attacks associated with the war in Eastern Europe.

This dilemma has created a need for alternative methods to ensure that vulnerable medical devices, critical to the treatment of patients, are secured from threats and that the organizations and patients that rely on them are protected. Rather than wait for fixes, organizations have learned that they can take action now to execute security policies capable of segmenting at-risk devices on the network, allowing them to remain in service, and ensuring only the communications necessary for the device to function are allowed.

See. Know. Secure.

The process of isolating medical devices through network segmentation sounds simple, but it is not. Many MDMs lack complete knowledge of how, once deployed, their devices communicate within their respective hospital networks. The communication patterns, although similar, are not the same even for devices that have similar functions. At the same time, HDOs often lack the tools necessary to understand what devices they have and how they work in every given environment. They may not even know how many devices they have operating on their networks; our own research has shown a visibility gap as large as 30%.

This has created a market for tools that can passively identify devices and automate the process of segmentation, while ensuring medical devices can continue to function correctly. Ordr is one such tool. Ordr is able to scan a hospital’s network and detect and identify all the devices that are connected and operational, providing full visibility of the organization’s complete asset inventory. That includes not only connected medical devices, but building controls, vending machines, exercise equipment, and even consumer-grade devices that may be in use.

Take Action to Mitigate Risk

Once all devices have been identified and inventoried, they are monitored and compared against a baseline of expected activity. That baseline exists either because a certain device is already known to Ordr, or because its operations are established through use. Because medical devices must operate within narrow parameters, anomalies are easier to identify. Ordr can then apply security policies that keep medical devices on secure VLANs, isolated from other systems. Should an attack occur, automated response ensures that mission-critical systems are kept out of harm’s way, limiting an attack’s “blast radius” within the connected environment.
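The baseline comparison described above can be sketched in a few lines. This is an added example, not Ordr's implementation or code from the original article: it learns each device's flows during a learning window, flags live flows outside that baseline, and derives a default-deny allowlist. Device names, addresses, the internal address range, and the rule format are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows: (device, dst_ip, protocol, dst_port).
LEARNING_FLOWS = [
    ("infusion-pump-01", "10.20.5.10", "tcp", 443),    # hypothetical pump server
    ("infusion-pump-01", "10.20.5.10", "tcp", 443),    # repeat flow, deduplicated
    ("infusion-pump-01", "10.20.0.2", "udp", 123),     # time sync
    ("patient-monitor-07", "10.20.6.15", "tcp", 2575), # hypothetical HL7 engine
]
LIVE_FLOWS = [
    ("infusion-pump-01", "10.20.5.10", "tcp", 443),    # matches baseline
    ("infusion-pump-01", "10.30.9.44", "tcp", 445),    # SMB to another subnet
    ("infusion-pump-01", "203.0.113.7", "tcp", 443),   # outside the hospital
    ("patient-monitor-07", "10.20.6.15", "tcp", 2575), # matches baseline
    ("unknown-device-99", "10.20.5.10", "tcp", 443),   # never inventoried
]
INTERNAL = ip_network("10.0.0.0/8")  # assumed hospital address space

def learn_baseline(flows):
    """Per-device set of (dst_ip, proto, port) observed while learning."""
    baseline = defaultdict(set)
    for device, dst, proto, port in flows:
        baseline[device].add((dst, proto, port))
    return dict(baseline)

def evaluate(baseline, flows):
    """Return (device, flow, reason) for every flow outside the baseline."""
    findings = []
    for device, dst, proto, port in flows:
        flow = (dst, proto, port)
        if device not in baseline:
            findings.append((device, flow, "device not in inventory"))
        elif flow not in baseline[device]:
            scope = "internal" if ip_address(dst) in INTERNAL else "external"
            findings.append((device, flow, f"new {scope} destination"))
    return findings

def allow_rules(baseline, device):
    """Least-privilege rules for one device, ending in a default deny."""
    rules = [f"permit {proto} -> {dst}:{port}"
             for dst, proto, port in sorted(baseline[device])]
    return rules + ["deny any"]

if __name__ == "__main__":
    base = learn_baseline(LEARNING_FLOWS)
    for finding in evaluate(base, LIVE_FLOWS):
        print(finding)
    print(allow_rules(base, "infusion-pump-01"))
```

A baseline learned through use is only as trustworthy as the learning window: traffic from a device that was already compromised during learning becomes part of its allowlist, so learned flows should be reviewed before they are enforced.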

If your organization is concerned over its potential risk exposure due to the use of vulnerable medical equipment, or if you need to take steps to fortify your network against the increasing threat of cyberattacks, get in touch with us. Many of the world’s most respected healthcare providers trust Ordr to protect their networks, patients, and reputations from the effects of a cyberattack. We can help you, too.
 

About the Author

Benjamin Stock is the Director of Healthcare Product Management at Ordr. Previously, Ben worked as the Director of Clinical Equipment Systems and Project Support at SSM Health St. Louis, MO. With more than 15 years of experience in healthcare technology management, his wealth of knowledge in the Clinical Engineering space allows him to be a wonderful advocate for Ordr healthcare customers. Ben is also a Certified Biomedical Equipment Technician (CBET).
