While watching Keith Whitby, Section Head of Healthcare Technology Management Cybersecurity and Operations at Mayo Clinic, and Pandian Gnanaprakasam, Chief Product Officer at Ordr, discuss strategies for securing connected devices and HIoT in a recent webinar, I found the following to be insightful information that you can apply to your organization’s cybersecurity efforts.
Gaps in Medical Device Security
One of the first steps in securing IoMT and HIoT devices is accounting for the gaps in medical device security. Evaluating equipment coming in, understanding the security risks related to those, and building a plan of mitigating controls that should be applied to equipment are all important aspects of device security, but they must be operationalized.
At Mayo Clinic, previous security assessments were done on an asset by asset basis. This lack of operational framework limited the implementation of device security procedures. Once Mayo Clinic created a standardized process across the organization, the framework could be followed for all medical equipment and new IoT and OT devices.
The Unique Nature of Medical Devices and HIoT
Medical equipment, systems and HIoT are different from standard IoT and IT systems. Hospitals must follow regulatory guidelines from the U.S. Food and Drug Administration (FDA), College of American Pathologists (CAP) and Joint Commission on Accreditation of Healthcare Organizations (JCAHO), while medical devices in physicians' offices do not have to follow the same rules. HloT devices come with their own unique challenges, from unsupported devices to service keys being required.
Security Challenges: Size and Scope
Medical organizations can span large geographical areas, including multiple states and hundreds of buildings. They can also have tens of thousands of connected medical devices, hundreds of vendors and thousands of models. The magnitude of medical device networks challenges IT teams to efficiently secure many devices at once. Networks of devices can have inventory discrepancies, and mismatched data from their CMMS and NAC.
Medical devices have complex systems that require intensive work to patch and manage vulnerabilities. Part of the process of setting a framework for securing HIoT devices involves figuring out who will be implementing security standards and applications. HIot devices need both specially trained IT technicians and unique applications to deploy security solutions.
Mayo Clinic: HTM Role in Cybersecurity
At Mayo Clinic, the cybersecurity team in Healthcare Technology Management is the operational arm of IT. The team has developed a structured system and standardized approach to securing medical equipment and HIoT systems. They ensure equipment meets organizational and cybersecurity requirements throughout its lifecycle.
- Core Team: Mayo Clinic’s Core Team of HTM Cybersecurity developed a security framework for IoT and HIoT based on National Institute of Standards and Technology (NIST) and Association for the Advancement of Medical Instrumentation (AAMI) standards. They also developed a HTM vulnerability management program guide, so that when a vulnerability is found, there is a clear process for remediation.
- Information Security Engineers: Besides technicians, the HTM team also has HTM associate infosec engineers, who create vulnerability management procedures, apply controls to medical devices and add new equipment to Mayo’s network.
- SPAD: The Security, Privacy, Architecture, Data team, or Security Assessment Team manages medical device purchases, device intake assessments, and helps to construct security lifecycle profiles at Mayo Clinic.
Over the past two years, the HTM Cybersecurity Program has added significant security value, improving intake process efficiency, establishing an algorithm to calculate and track security risks, and more.
Mayo Clinic developed their IoT/HIoT device security through proactive security, building upon multiple areas of cybersecurity, including:
- Policy & Process: Setting device security standards and leveraging known security incidents, regulatory compliance as well as internal audit observations
- Lifecycle Profile: Addressing security issues within the equipment lifecycle, creating Security Lifecycle Profiles that provide a roadmap for device security and management from the pre-purchase stage to decommissioning
- Tools Deployment: Creating a security specific manual for devices, documenting what tools need to be deployed for different device types and models
- Fleet Risk Assessment: Adopting a fleet approach rather than device by device security
- Vulnerability Management: Maintaining device security, tracking vulnerabilities and prioritizing remediation
- SPAD: Initial intake triage and categorization of hardware and software, and routing those devices to the appropriate review groups
- Patch Management: Deploying a medical device patch installation automation utility tool
- Training & Industry workgroups: Participating in industry workgroups to contribute medical device security knowledge
How Ordr Can Help
Mayo Clinic identified Ordr as a key tool to execute and automate security operations. Ordr is able to improve data quality for asset inventory, detect networked devices, classify devices, provide insights into connected device actions and help micro-segmentation efforts.
The Ordr Systems Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a demo.
Watch the full Ordr and Mayo Clinic webinar here: