Medical Device Security And Risk Management: Healthcare Delivery Organizations (HDOs) At The Intersection Of The FDA And OCR
By Rich Curtiss, Coalfire
When it comes to managing cybersecurity risk associated with medical devices, HDOs find themselves between a rock and a hard place. Misaligned incentives and confusing guidance from multiple directions have made it difficult for HDOs to know what to do. In this confusing climate, the deck may seem stacked against HDOs that want to improve. Fortunately, they are not in the fight alone.
Patient Trust Is Essential
Until recently, medical devices were primarily acquired, configured, and deployed by Healthcare Technology Management (HTM) professionals who worked for the clinical engineering or biomedical department. These departments bore the sole responsibility for maintaining the devices for clinical efficacy and patient safety. Once devices were deployed, clinicians were responsible for operating them.
This division of responsibility worked well until devices started to become “smart” and began requiring connections to the hospital network, inviting a new class of risk. This single, yet profound, change should have triggered a cultural transformation within HDOs and manufacturers to evaluate networked and computerized devices holistically to ensure appropriate cybersecurity controls were in place. But at most HDOs, a lack of regulatory oversight and clear incentives to change, together with a comparable level of confusion among device manufacturers, meant that security never rose to a top-level concern with a clear line of responsibility, despite the potential impact of security incidents on patient safety.
In recent years, healthcare stakeholders have come to understand the link between cybersecurity and patient safety. A recent article follows this link through 30 years of history, beginning with the first software-related safety accidents in the 1980s (e.g., Therac-25) and advancing to the present day, in which vulnerabilities in medical devices can interfere with drug delivery or life-saving therapies.
Framed another way, patients must place their trust in the entire chain of stakeholders involved in the design, production, deployment, and management of their medical devices. Earning that trust means effectively addressing cybersecurity risk in every possible way.
If patients do not trust a device, whether from a safety or cybersecurity perspective, they may elect to avoid life-saving therapy out of misplaced fear. Most patients know of cybersecurity vulnerabilities only when notified by the media or through a manufacturer recall.
Risk And Vulnerability Are Different
Vulnerabilities are a major contributor to cybersecurity risk, but vulnerability and risk are not the same thing. A device vulnerability is an internal flaw that a threat source or agent can exploit; it is one component of risk. Another ingredient of cybersecurity risk is the absence of security controls, the mechanisms that add further layers of defense (e.g., network segmentation, data backups, anti-malware services, firewalls). A risk rating is determined by assessing the likelihood that a threat will exploit an identified vulnerability and the impact if it does. These concepts are clearly defined in NIST Special Publication 800-30, “Guide for Conducting Risk Assessments.”
Many HDOs are getting better at assessing vulnerabilities with software tools like off-the-shelf vulnerability scanners or, in rare cases, penetration testing. Since vulnerability is only one input to the risk determination, HDOs focused exclusively on vulnerabilities may miss the forest for the trees.
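To make the distinction concrete, the following added example (not from the article or from NIST) rates the same vulnerability on two devices: one on a flat network with no compensating controls, one behind segmentation with anti-malware and backups. It follows the SP 800-30 pattern of combining likelihood and impact on a five-level qualitative scale; the control effects, the 5x5 band boundaries and the vulnerability identifier are constructed assumptions for illustration only.

```python
"""Rate device cybersecurity risk as likelihood x impact after compensating
controls, in the style of NIST SP 800-30. Constructed example; the control
effects, band boundaries and sample devices are illustrative assumptions."""
from dataclasses import dataclass, field

# Qualitative scale: 1 = Very Low ... 5 = Very High.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Assumed effect of each control: which factor it lowers and by how many levels.
# Illustrative values, not taken from the article or from SP 800-30.
CONTROL_EFFECTS = {
    "network_segmentation": ("likelihood", 2),
    "anti_malware": ("likelihood", 1),
    "firewall": ("likelihood", 1),
    "data_backups": ("impact", 1),
}


@dataclass
class Vulnerability:
    vuln_id: str      # placeholder identifier, not a real CVE
    likelihood: int   # 1-5: chance a threat source exploits it with no controls
    impact: int       # 1-5: patient-safety / ePHI impact if exploited


@dataclass
class Device:
    name: str
    vulns: list
    controls: set = field(default_factory=set)


def clamp(level):
    return max(1, min(5, level))


def rate(vuln, controls):
    """Return (likelihood, impact, risk_level) after applying controls."""
    likelihood, impact = vuln.likelihood, vuln.impact
    for control in controls:
        factor, reduction = CONTROL_EFFECTS.get(control, (None, 0))
        if factor == "likelihood":
            likelihood -= reduction
        elif factor == "impact":
            impact -= reduction
    likelihood, impact = clamp(likelihood), clamp(impact)
    # Combine the two factors; risk rises with both. The score bands are an
    # assumption chosen so that the matrix is monotone in each factor.
    score = likelihood * impact
    if score >= 16:
        level = "Very High"
    elif score >= 10:
        level = "High"
    elif score >= 5:
        level = "Moderate"
    elif score >= 2:
        level = "Low"
    else:
        level = "Very Low"
    return likelihood, impact, level


def device_risk(device):
    """Highest risk level across a device's vulnerabilities (the rating an
    assessor would carry into the risk register)."""
    worst = "Very Low"
    for vuln in device.vulns:
        _, _, level = rate(vuln, device.controls)
        if LEVELS.index(level) > LEVELS.index(worst):
            worst = level
    return worst


# Constructed sample: the same unpatched remote-code-execution flaw on two
# infusion pumps that differ only in their surrounding controls.
RCE_FLAW = Vulnerability("VULN-PLACEHOLDER-1", likelihood=5, impact=5)
FLAT_NETWORK_PUMP = Device("pump-flat", [RCE_FLAW])
SEGMENTED_PUMP = Device(
    "pump-segmented", [RCE_FLAW],
    controls={"network_segmentation", "anti_malware", "data_backups"},
)

if __name__ == "__main__":
    for dev in (FLAT_NETWORK_PUMP, SEGMENTED_PUMP):
        print(dev.name, device_risk(dev))
```

A scanner reports the identical finding for both pumps; only the risk analysis, which accounts for the controls around the device, tells the HDO which one to remediate first.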
To this end, one of the conversations that needs to be taking place is how an HDO can meet the joint regulatory requirements imposed by the FDA and the OCR. Wait a minute! How did the OCR come into the frame? It turns out that many of these connected medical devices create, receive, maintain, or transmit electronic protected health information (ePHI). In doing so, they are under the purview of OCR regulatory requirements as documented in the HIPAA Security Rule.
This requires what I’ll call an OCR-Grade Risk Analysis that is clearly scoped and defined under the title “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”
Cybersecurity Risk Governance Is A Key Strategy
Well now – quite a pickle, isn’t it? How should an HDO harmonize cybersecurity, vulnerability assessment, and risk management into an effective strategy for medical device security? One of my key themes when discussing an OCR-Grade Risk Analysis is “it isn’t an IT problem, it is an organizational problem.” Similarly, with medical device security and risk management, “it isn’t an HTM problem, it is an organizational problem.” Addressing this requires comprehensive governance and cross-cutting organizational strategies. The newly released Healthcare and Public Health Sector Coordinating Council (HSCC) Medical Device and Health IT Joint Security Plan attests to this strategy.
To briefly illustrate, many HDOs are not confident in their inventory of connected medical devices, in the characterization of those devices, or in their knowledge of internal vulnerabilities in those devices that would leave them exploitable by a threat agent like WannaCry or NotPetya.
A notional governance strategy would involve a two-part methodology to address medical device cybersecurity and ensure patient safety:
- The first part requires the discovery, identification, device characterization, vulnerability assessment, and monitoring of network-connected devices. This approach promotes the creation or optimization of a medical device inventory, determines whether devices are ePHI assets, integrates security with clinical workflows, and continuously monitors connected devices.
- The second part applies once a medical device is confirmed to create, receive, maintain, or transmit ePHI: a separate OCR-grade risk analysis must be factored into the strategy to ensure device compliance with OCR regulations. This strategy will fully account for cybersecurity risk and device technical vulnerabilities.
Implement A Plan
Every good strategy needs to be formalized and documented in a plan. There are several steps HDOs can take to initiate the process. The first step is to institute a top-down, corporate governance plan. Governance is key to ensuring all the right HDO stakeholders are cognizant and involved in focusing the medical device security conversation. Following this, it is critical that HDOs create, optimize, or update a medical device inventory through automated discovery, identification, characterization, and vulnerability assessment of network-connected medical devices. You will want to ensure that devices that create, receive, maintain, or transmit ePHI are included in the organization’s OCR-Grade Security Risk Analysis.
In order to keep up with the risks associated with medical devices, you need to implement continuous monitoring of the medical device network for new devices, new vulnerabilities, and new risks associated with them. Once implemented, it is key to align the continuous monitoring with the governance plan and a formalized risk management plan. By taking these steps and repeating them as needed, HDOs can feel more secure in the ways in which they manage risk.
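The inventory, ePHI-scoping and continuous-monitoring steps described in the two-part methodology and the plan above are illustrated by the following added example, which is not the article's or Coalfire's code. It keys the inventory by MAC address (so an IP change does not masquerade as a new device), lists the devices that must enter the OCR-grade risk analysis, and diffs two discovery runs to surface new, missing and changed devices. The discovery records, field names and the device details are constructed assumptions.

```python
"""Connected-device inventory from discovery records, ePHI scoping, and a
diff of two discovery runs for continuous monitoring. Constructed example;
record fields and sample devices are assumptions, not real data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    mac: str
    ip: str
    vendor: str
    device_type: str
    firmware: str
    handles_ephi: bool    # creates, receives, maintains, or transmits ePHI
    open_services: tuple  # listening services observed by discovery


def build_inventory(records):
    """Key the inventory by MAC so that DHCP address changes are not
    mistaken for newly appeared devices."""
    return {r.mac: r for r in records}


def ephi_assets(inventory):
    """MACs of devices that must be included in the OCR-grade risk analysis."""
    return sorted(r.mac for r in inventory.values() if r.handles_ephi)


def diff_runs(previous, current):
    """Continuous monitoring: report devices that appeared, disappeared, or
    whose characterization changed between two discovery runs."""
    new = sorted(set(current) - set(previous))
    missing = sorted(set(previous) - set(current))
    changed = {}
    for mac in set(previous) & set(current):
        old, cur = previous[mac], current[mac]
        deltas = {}
        for attr in ("firmware", "open_services", "handles_ephi"):
            if getattr(old, attr) != getattr(cur, attr):
                deltas[attr] = (getattr(old, attr), getattr(cur, attr))
        if deltas:
            changed[mac] = deltas
    return {"new": new, "missing": missing, "changed": changed}


# Constructed discovery run 1 (the baseline inventory).
RUN1 = build_inventory([
    DeviceRecord("00:11:22:33:44:01", "10.20.1.10", "ExampleVendor",
                 "infusion_pump", "3.1.0", True, ("https/443",)),
    DeviceRecord("00:11:22:33:44:02", "10.20.1.11", "ExampleVendor",
                 "patient_monitor", "7.4.2", True, ("https/443",)),
    DeviceRecord("00:11:22:33:44:03", "10.20.1.12", "ExampleVendor",
                 "smart_bed", "1.0.9", False, ("http/80",)),
])

# Constructed discovery run 2: the pump changed IP (harmless), gained a
# firmware update and a new listening service (worth review); the bed is
# gone; a new imaging workstation holding ePHI has appeared.
RUN2 = build_inventory([
    DeviceRecord("00:11:22:33:44:01", "10.20.1.57", "ExampleVendor",
                 "infusion_pump", "3.2.0", True, ("https/443", "telnet/23")),
    DeviceRecord("00:11:22:33:44:02", "10.20.1.11", "ExampleVendor",
                 "patient_monitor", "7.4.2", True, ("https/443",)),
    DeviceRecord("00:11:22:33:44:04", "10.20.1.40", "ExampleVendor",
                 "imaging_workstation", "12.0", True, ("https/443", "dicom/104")),
])

if __name__ == "__main__":
    print("ePHI assets in scope:", ephi_assets(RUN2))
    print("changes since last run:", diff_runs(RUN1, RUN2))
```

Each entry in `new`, `missing` and `changed` is an event for the governance process: a new ePHI asset extends the scope of the OCR-grade risk analysis, a vanished device needs an explanation, and a changed service set on a pump is a prompt to re-run the vulnerability assessment for that device.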
About The Author
Rich Curtiss is a Principal, Healthcare Risk Assurance Services at Coalfire, a provider of cybersecurity advisory and assessment services.