From cutting-edge to legacy devices

BD Institute for Medication Management Excellence

From cutting-edge to legacy devices: maintaining product security in the hospital

PUBLISHED: Feb 25, 2019

David Scott, CISSP-ISSEP, CRISC

Hospitals face significant barriers to medical device security

In today’s environment, there’s a constant need to drive a balance between functionality and security, where medical device manufacturers mitigate against threats while meeting the clinical demand to deliver a robust, interoperable and safe product for treating patients. Three barriers to medical device security come to mind, and they all involve the critical relationship between manufacturers and healthcare organizations: asset management, the changing threat landscape and compressed timeline requirements.

Asset management

To secure devices effectively for clinical use, organizations need to understand what those devices are and how they are operationally integrated. It’s critical for an organization to track assets. Evolving remote support solutions, enhanced secure connectivity and increased vigilance in inventory management all have the potential to improve security.

The changing threat landscape

Another top barrier is the speed at which the threat landscape changes for medical devices, and a manufacturer’s ability to anticipate and respond to these threats in real time. Organizations should evaluate their vendor’s responses to emerging threats, such as the timeliness of issuing software updates or applying patches to a device. Medical technology companies need to be agile with their development and release processes, which require time for validation and verification prior to providing an update.

Compressed timeline requirements

Too often, manufacturers compress contractual incident response and vulnerability timeline requirements. Manufacturers need to issue well-defined compensating controls and mitigations to reduce security risk—but it’s reactive. We know that proactively improving security awareness and prioritizing security hygiene from an organization-wide perspective is important. For these reasons, companies need to actively collaborate with customers to ensure they have the necessary information to better secure their products.

FDA’s changing guidelines: an approach to releasing patches and upgrades

The FDA’s pre- and post-market guidance and recommendations in the recently released Safety Action Plan are building blocks of an effective product security framework, which integrates product security requirements across all stages of a development lifecycle. In addition to being part of good security hygiene, routine patching and updates are critical components of complying with mandatory Quality System Regulations (QSRs) for medical devices, which require that medical device manufacturers address all risks, including cybersecurity risk. The FDA has made updates to their market guidance to make it very clear: cybersecurity for medical devices, including security patching and sustainment, is not optional.

Building a strong vulnerability disclosure program

A good vulnerability disclosure program must be built on a foundation of transparency and collaboration. That means there is transparency and collaboration among healthcare providers, partners, regulatory agencies, security researchers and patients. We cannot secure what we don’t know, and no one in the medical device or healthcare ecosystems can effectively implement adequate security alone. We’re all partners in security and therefore need open and constant communication to maintain a healthy partnership.

Companies should be committed to complete, coordinated vulnerability disclosure, along with providing recommended mitigations or compensating controls within 30 days of being notified of a potential vulnerability. In addition, it’s important to maintain strong partnerships with the FDA, Department of Homeland Security/ICS CERT and HHS, as well as international regulatory organizations, and to include relevant parties from those organizations in every disclosure a manufacturer completes.

Securing legacy or "unpatchable" medical devices

As part of an effective plan for legacy devices, understanding how many end-of-life or end-of-support devices customers have in their environment, is key. It’s also critical to ensure that antivirus/antimalware and other endpoint solutions are up to date and functioning properly. In some cases, isolating impacted devices through a network segmentation or virtual LAN configurations can be very effective. At BD, we’ve found it helpful to integrate other existing intrusion detection, SIEM or SOC capabilities to maximize defenses our customers have in place. Finally, it’s important to work closely with customers to create a timely, scalable technical upgrade plan that helps them manage those legacy devices out of their infrastructure.

Learn more

Each month on the BD Institute for Medication Management Excellence blog, thought leaders explore topics of critical importance to medication management, and provide additional ways to learn.

Now that you've read about how to maintain product security in the hospital, take a deeper dive by learning about next generation interoperability, which will require vigorous cybersecurity standards.

true