Medical Devices Security
“Thinking of cybersecurity solely as an IT issue is like believing that a company's entire workforce, from the CEO down, is just one big HR issue.”
According to Frost & Sullivan’s Internet of Medical Things (IoMT) forecast to 2021 report, by 2020, 30 billion connected IoT and medical devices are expected to be a part of the healthcare ecosystem.
This explosion of connected devices in the already vulnerable healthcare sector is a growing concern for healthcare providers, medical device manufacturers, the government, and the public at large.
Medical Technology Cyber Risks
Technology continues to transform the way healthcare is delivered, the growing security risks inherent in the growth of medical devices, are increasingly connected to hospital networks, the internet and other medical facilities.
Healthcare organizations typically have 300% to 400% more medical equipment than IT devices and the two trends are contributing to the increasing attack surface rather than reducing it. As medical devices become ever more sophisticated, the need for effective cybersecurity to assure the functionality and safety of the medical devices becomes increasingly more important.
The cyber threat is not only to the protection of sensitive data, but the number one priority is to ensure patient’s safety and lives.
Managing Medical Devices Differently
Due to the distinctive clinical nature of most medical devices, there are several challenges involved in the identification, evaluation, and eventual remediation of these devices. While medical devices come with a “one size does not fit all”, they generally share the same features as other devices connected to an organization’s network, including:
Potentially vulnerable operating system
ePHI transmitted across the network to multiple devices
Wired and wireless technologies capabilities
Internet access availability
It is important to understand that there are also some unique differences between medical devices and other devices on these internal networks:
Many medical devices do not have protection or the capability for third-party software installation (e.g. anti-virus or end-point encryption)
No procedures to patch security vulnerabilities or inconsistent in process, often requiring original equipment manufacture’s (OEM) approval prior to any software updates
Medical devices are often connected directly to patients meaning that it ‘could’ put patient care at risk, if not managed correctly
Medical device’s operating systems tend to be older than current supported operating systems
Upgrading or patching medical devices could render them inoperable, placing patient care and data at risk
According to various cybersecurity reports, 75 percent of medical devices in healthcare organizations will be running unsupported operating systems by 2020.
Security by Design
Securing medical devices begins in the design phase and should be considered throughout the system development lifecycle (SDLC) process.
We have extensive experience of conducting testing on a wide range of networked medical devices. Our assessments are based on IEC 62443-4-2, UL-2900-2-1 and FDA guidance aligning compliance to regulations.
Map the system topology into a dataflow describing the relationships between all system components and identify threats across the entire system architecture to identify the whole system’s attack surface and evaluate the impact and risk of each threat.
Identify all system components with functional security requirements (e.g. authentication, access control, validation, transport layer security, etc.).
Evaluate the suitability and risk of the functional security solutions for these requirements, if they exist.
Evaluate the system’s resilience to volatile across its features and interfaces.
Medicare Network provides a comprehensive security assessment that looks at the security posture and ensure a secure baseline for device design and implementation. Medical devices are notoriously vulnerable to cyber-attacks because security is often an afterthought when the devices are designed and maintained by the manufacturer.
If your team doesn’t have the expertise or bandwidth to address the new cybersecurity requirements, our security consultants and professional advisors can help.
Maximizing Patient Safety by Reducing Risk
Medicare Network security testing services ensure medical devices meet the highest standards for security and align our testing with UL2900, which is recognized by international bodies as a benchmark security standard for medical and other connected devices.
Partnering with Medicare Network and leveraging our world-class security testing services, will greatly improve your medical equipment’s security posture and ensure your customers, and patients are protected.
Medical Device testing baseline consist of the following:
Functional and non-functional requirements
Secure design and architecture review
Identify key documentation and operational guides
Auditing, logging and monitoring controls of key activities
Robust identity and access control management
Secure storage of data, (e.g. segregation, cryptographic techniques, etc.)
Data transmission controls, (e.g. cryptographic techniques, etc.)
Vulnerability identification, remediation and mitigation
Whether in the design phase or have had products already in production, Medicare Network medical device testing service can help secure and protect your medical devices from compromise of a cyber-attack.
The Partnership You Can Count On
Don’t let a skills gap or staffing shortage stand in the way of your success.
Purpose built solutions help your organization achieve business outcomes with confidence. Anything's possible when you put the power of certainty to work.