Medical Devices Are Another Cybersecurity Threat Vector

Internet-connected medical devices – patient monitors, bedside infusion pumps, life support machines, and many more – are necessary for contemporary patient care. Today, there are often ten to fifteen medical devices per bed, all network-connected. And this critical network access capability also introduces the danger of cybersecurity attacks, putting patients in harm’s way. And it goes beyond bedside devices to include critical medical imaging equipment for radiography, magnetic resonance imaging (MRI), computerized tomography (CT), and more. There are several dimensions and risk vectors associated with medical devices:

  • Bringing the machine down via ransomware or malicious hack.
  • Attacking functionality that alters diagnoses.

Both of these conditions put patients’ lives in danger. It’s important to note that any delay in treatment due to a compromised medical device has a direct correlation to an increase in the mortality rate depending on the condition.



“Hospital data breaches significantly increased the 30-day mortality rate for AMI. Data breaches may disrupt the processes of care that rely on health information technology. Financial costs to repair a breach may also divert resources away from patient care. Thus breached hospitals should carefully focus investments in security procedures, processes, and health information technology that jointly lead to better data security and improved patient outcomes.”

-Choi & Johnson, Do Hospital Data Breaches Reduce PatientCare Quality?, Vanderbilt University and National Science Foundation


 

Why Do Medical Devices Need to be Assessed?

The simple answer? Because medical devices are not simple pieces of isolated hardware, they also included sophisticated software components licensed from a third party or developed in-house. For example, many of these pieces of equipment have operating systems, much like traditional computers and mobiles devices, to control and manage operations. But that’s where the similarity ends. There isn’t a “one-click” security patch button for the medical device operating system that the hospital¬† IT (or BioMed) personnel can use on the MRI machine. These complex devices are often tied to specific versions of operating systems or other third-party software. And that becomes the risk vector. When vulnerabilities are discovered, they can’t be patched right away or easily. The hackers know it, and they don’t have to wait.

Understanding What Needs to be Assessed in Medical Devices is Not Easy

Upon request by healthcare provider risk teams, medical device manufacturers may supply a Manufacturers Disclosure Statement for Medical Device Security (MDS2). MDS2 began as an initiative between the Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA). In addition to requesting the MDS2, providers are also medical device companies to supply a Software Bill of Materials (SBOMs) to help them identify risk vectors that now include all these software components.

Understanding Medical Devices

Medical Devices Are Often Managed Separately from IT

Software and services are most commonly managed by IT teams and assessed by IT risk groups in the healthcare industry. On the other hand, medical devices are not managed by IT; they’re managed by BioMed teams assessed by their corresponding BioMed risk groups. And that’s a self-inflicted risk because of fragmentation of risk processes, risk data, and actionable insights. Moreover, there are several other critical issues:

  • There is no unified view of risk across the organization
  • Assessment and risk management productivity drops
  • Response velocity drops because most of the assessments are done in spreadsheets and text documents

How Censinet RiskOps for Medical Devices Solves the Problem

BioMed Teams often manage Medical Devices leading to a fragmentation of risk processes, data, and actionable insights:

  • Censinet enables all risk teams to leverage the same productivity and visibility gains regardless of which team does the assessment
  • Purpose-built for healthcare, Censinet uses artificial intelligence (AI) to parse MDS2 documents and automatically calculate risk and recommended mitigations and remediations
  • The Censinet RiskOps Command Center filters and enables detailed views of medical devices, providing a unified view for CIOs, CSOs, and risk executives
  • The Censinet RiskOps Network has the largest catalog of assessed medical devices
  • The Censinet RiskOps platform allows IT risk and BioMed risk teams to use a common, healthcare-centric framework for assessments and reporting