[Part 3] Medical Device Security Program Development

Listening to the third and final webinar of the Minnesota HIMSS webinar series, Medical Device Security Overview for Healthcare Delivery Organizations with speakers Matt Dimino and Carrie Whysall from CynergisTek, I found the following useful tips when developing a medical device security program.

Medical Device Security

Medical devices are difficult to secure on a technical level. They are expensive and their operating systems typically stay the same while in service. These devices are not easily remotely managed, may not be able to be encrypted, and have default user passwords.

IoMT Security Components

To develop a thorough security program you should plan it in three stages:

Stage 1: Risk Assessment

• Assess the total program risk you have
• Multi-dimensional risk contextualization: consider device master data record, patch/mitigation prioritization, device inter-relationships, & risk monitoring
• Ask yourself what practices are the preceding security program missing

Stage 2: Program Development

• Lifecycle management approach: managing procurement, installation, maintenance, incident response & retirement procedures
• Improve asset management and create network visibility
• Standardize security policies and procedures

Stage 3: Program Management

• Assist with medical device procurement and decommissioning
• Provide IoMT device training and awareness
• Manage continuing vulnerability reporting and remediation programs

Device Risk

When trying to secure your medical devices you should be looking at all of the risk areas. Security vulnerabilities pose a threat to patient safety, medical device availability, and could result in financial loss or unauthorized access to information.

How to Analyze Risk

Risk analysis should follow these steps:

• System characterization: Gather data on hardware & software
• Threat identification: Look at the full spectrum of possible threats
• Vulnerability analysis: Ask how do vulnerabilities impact devices and protocols
• Controls analysis: Look at controls already in place and what is needed
• Likelihood determination: Ask what are the chances of a device being compromised
• Impact analysis: Ask how a compromised asset would affect the organization
• Risk determination: Ask what risk level a device should be placed in
• Controls recommendation: Determine what controls assets need to mitigate vulnerabilities
• Results documentation: Share information and communicate with stakeholders

Risk Criteria & Categorization

When determining device risk level it is important to consider the likelihood of threat occurrence as well as the potential impact of threat occurrence on patients, business, and data.

Risk categorization aids in risk prioritization and remediation. You can categorize risks through device threat modeling: collecting device data, establishing a hypothesis, threat hunting, threat detection, and threat response.

Governance

It takes a team to create and manage a medical device security program. Setting a purpose and objective for this committee is key. The Responsible Accountable Consulted Informed (RACI) Matrix can help organize stakeholders and ensure everyone is aware of their role and responsibilities.

How Ordr Can Help

Developing a medical device security program can be a difficult and lengthy process. Ordr can help.

The Ordr System Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. Want to experience Ordr on your network? Request a free sensor.

You can watch the full HIMSS webinar here.