Medical Device Security Through the

Patient-Safety Lens

Benefits

Advanced Security & Efficiency

6501 East Greenway Parkway, 103-479 Scottsdale, AZ 85254

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

Introduction

Most healthcare organizations adhere to the required Health Insurance Portability

and Accountability Act (HIPAA) risk assessment. While this documentation displays

known network vulnerabilities, the risk action plans to remediate security gaps often

sits on the shelf. You wouldn’t leave windows and doors open in a storm – then why

are organizations leaving open thousands of medical device endpoints?

Medical device and IoMT security, including vulnerability and patch management, is one of the largest unsolved puzzles in healthcare. The reason for the many remediation gaps will vary by the size or maturity of an organization. But at its core, software update and patch delays are caused by knowledge and staffing gaps, a lack of visibility and complete inventories, and the sheer complexity and scope of the IoT, OT, and medical device infrastructure.

Take, for example, one of the most referenced stats from healthcare stakeholders: Most healthcare delivery organizations have no idea how many devices are operating on the network at once. The average hospital network carries at least 10 devices per hospital bed. Even a small hospital can host more than 150 device families with inventories made up of thousands of medical devices. When the typical hospital environment has tens of thousands of endpoints,[1] including HVAC systems and other OT technologies that directly connect to patient-facing technologies, the lack of visibility is more than problematic.

Compounding these challenges are vendor “solutions” – touted cure-alls for a systemic challenge that not even the best health systems in the country have solved. In one of the most candid interviews, a CISO of one of the largest US health systems admitted that they simply cannot patch everything, nor do they have the ability to monitor and swiftly remediate all vulnerability disclosures (or know whether the vulnerable software is used within their device ecosystem). Instead, they’ve calculated what’s considered acceptable risk for the enterprise and maintain devices within that threshold.[2]

That same discussion detailed a less commonly understood issue with medical devices and IoMT: many device vendors and manufacturers have access to these devices to

Centralized Patch Management | Olin Dillard & Matt Dimino 1

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

perform software updates to remediate discovered flaws. However, gaps in communication between the third party and the network defender has seen some of these devices updated – while in use in the healthcare setting. While not at the forefront of device security conversations, it’s a serious issue facing hospital networks and one that could impact the quality of care and patient safety.

Gaps in communication between vendors and healthcare network defenders, combined with a lack of accurate inventories or visibility into the scope of vulnerabilities within the network, have created far too many blind spots, with an unequal number of solutions. To be clear, there are healthcare partners and device vendors who don’t fall into this category. But in an environment where devices could injure patients if they suddenly restart or go offline, it becomes painfully clear that even one ill-timed patch is too many.

The sheer volume of devices, lack of reliable visibility, and staffing constraints have most providers simply accepting a certain level of risk as a norm – but just how much risk is unclear. And some care delivery organizations have simply put medical device/IoMT security and overall patch management to the side due to the labor and time expenditures they simply cannot afford.

When health systems with adequate resources, budgets, and staff admit that solving patch management challenges tied to devices is not possible, how then can the industry expect those struggling with basic cyber hygiene to secure these devices?

For First Health, the response is to take the legwork out of patch management to support over-burdened providers. We pull from and are continuing to scour vulnerability disclosures and work with manufacturers to understand needed remediation measures, while working to identify device technical configurations and capabilities and continuously leveraging advanced tools to determine if and where critical vulnerabilities are found on the network. Our vetted methodology has been thoroughly researched, managed, monitored, and evaluated by the First Health team and device manufacturers.

The result is a knowledge bank that empowers leaders to take charge on patch management for clinical and operational devices. By leveraging complete inventories and basic security tools, providers can begin to effectively schedule and implement required patches. This data is paramount to reducing the risk of vulnerable endpoints and formulating effective patch management plans rooted in prioritization: the way to apply software updates and patches.

Centralized Patch Management | Olin Dillard & Matt Dimino 2

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

Nearly all healthcare delivery organizations perform annual risk assessments as required by the Health Insurance Portability and Accountability Act (HIPAA). The findings will typically result in an action plan that targets these vulnerabilities and steps the security team can take to close those gaps. It’s the resource, staffing, and knowledge gaps that leave many providers struggling to follow-up, leaving these well-laid plans on the shelf collecting dust.

You wouldn’t leave all your windows and doors open in a storm, why then are you leaving thousands of security gaps open to exploit?

Not only does each gap provide an opportunity for attackers, failing to act may reflect poorly in the event of an audit after a security incident. On the other hand, the Public Law 116-321, or what some deem a ‘Safe Harbor’ law amended the HITECH Act, codifying 405(d) and NIST recognized security practices. The law directed the Department of Health and Human Services to take into account an entity’s use of recognized security practices during an audit and within 12 months of a reported security incident, to determine possible enforcement actions.

As a result, leveraging your risk management action plan can provide documentation that your team discovered vulnerabilities and are taking steps to reduce the risk of compromise.

As noted, it’s true that visibility, capacity, and staffing gaps are simultaneously hindering effective patch management in the clinical setting. And there’s no easy way to tackle medical device and IoT security challenges. What centralized patch management has accomplished, however, is a means for applying targeted, validated patching to medical devices in a safe and managed way, while allowing centralized visibility of current and historical patch state of joined devices through accurately aggregating and centralizing our clients’ own data. The process can stop the current state of ‘ad hoc’ application of patches in the clinical setting.

Centralized patch management targets clients’ fleet, enabling healthcare delivery organizations to validate and safely patch and/or update devices in a timely manner and on a recurring basis, based on tailored reporting mechanisms. It does not completely remove the need for human intervention but empowers leaders to safely apply patches to medical devices, provides visibility of what has and hasn't been patched, improves

Centralized Patch Management | Olin Dillard & Matt Dimino 3

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

documentation for compliance, and supports identification of appropriate patching windows for timely remediation.

In one narrative,[3] a healthcare CISO noted that some manufacturers do not provide effective communication on when a patch or software update may be applied. As a result, devices have been updated in the middle of surgery – when in use to support patient care. This type of misstep could drastically impact patient outcomes.

By better scheduling device updates through a change window, providers can reduce these similar risks. With a centralized solution, network defenders can leverage a reporting function to determine patch schedules and what the patch addresses. The result is improved governance and effective change management processes to reduce the overall risk to patients and the healthcare network.

An idea has emerged in some enterprise hospital settings that automation can enable all patches to be immediately scheduled and/or applied, as a cure for systemic challenges. However, this viewpoint is problematic: Even with the application of automation tools, network defenders will still need to monitor alerts, understand patching schedules, patient safety risks, and a host of other challenges that require human intervention, including coordinating with manufacturers to validate remediation and software updates.

Network defenders can’t simply automate specific risk reduction tasks for medical devices when they’re in clinical use. For example, automation cannot solve the possible patient safety risks posed by patching in an ad hoc way, or at the wrong time. In the enterprise environment, automating may find higher success. But it’s not appropriate for patient-facing devices and other care products used in the clinical setting. And there must be safeguards in place to initiate the appropriate triggers to remediate vulnerabilities.

There’s a serious amount of effort required to manage any tool in the clinical setting meant to ‘automate.’ The reality is that automated isn’t as it’s described: network defenders will need to manage, monitor, acknowledge, and maintain the “automated” tool, just like any other security product on the network.

Debunking the ‘Automation’ Myth

Centralized Patch Management | Olin Dillard & Matt Dimino 4

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

Leadership Buy-In to Put Action Plans to Work

The reality is that healthcare security teams are already overwhelmed, drinking from a firehouse of information, vulnerabilities, and news stories on the latest sophisticated target or attack method. Adding in a group of devices that are unmanageable from a vulnerability perspective has left many network defenders unable to tackle prioritization of remediation, patching, or software updates.

The biomedical team is crucial to these efforts, but it will require leadership buy-in to make these necessary changes. Siloed departments in healthcare lead to disjointed priorities, while overall knowledge and staff gaps have many provider organizations at a standstill. What’s needed is leadership support to invest the time needed to prioritize vulnerability and patch management, leveraging basic tools likely already installed on the network.

Providers need a combination of people, processes, and technology to have a successful privacy and security program, even before it’s applied to a specific area like medical devices. It’s crucial then to have leadership support when addressing such a complex, labor-intensive project.

With a thorough assessment, an organization gains clear visibility into all of the organization’s risks and vulnerabilities – and there’s thousands of them. Engaging with a consultant or conferring with the leadership team around vulnerability management can support the categorization of vulnerabilities and prioritization of remediation, which can be pulled into an action plan that outlines the specific measures for what needs to be done to mitigate these flaws.

or some, the plan leads to continued vulnerability management measures implemented as budgets and resources allow. For others, those action plans are placed onto the shelf until the next year during the next HIPAA-required risk assessment. To be clear, this holding pattern is often not caused by an unwillingness to secure known vulnerabilities. Inaction steams from a lack of staffing support and leadership buy-in, or even knowledge gaps into just how to mitigate.

cknowledging the problem and working with your team or outside consultants to take action and begin the shift forward into real vulnerability solutions.

Centralized Patch Management | Olin Dillard & Matt Dimino 5

For those struggling to impart the need for cyber investments to leadership, conversations must center on patient safety and losses, rather than a return on investment. Security leaders should focus on patient safety risks, as well as the likelihood and cost of disruptions to business operations, care quality, legal and reputational harms, and lost revenue.

Network defenders should pull examples of key talking points and references:

IoMT and medical devices are leveraged by threat actors to gain a foothold onto the network, often going unnoticed by clinicians and the IT team. Leaving these endpoints open to attacks can lead to ransomware attacks, data theft, and disruptions to the device function, while providing attackers with a foothold onto the healthcare network.[4]

Costs of ransomware- or cyber-induced network outages continue to rise. The latest estimates confirm each day of unscheduled downtime costs at least $1 million per day. Public examples include the overall costs of a monthslong downtime reported after cyberattacks by Point32 Health ($107.M operating loss), CommonSpirit ($160M directly tied to cyberattack/outage), Universal Health Services ($67M in lost revenue and recovery), and other numerous examples.

Data confirms outages caused by cyber incidents directly impact patient safety. Failure to provide appropriate security measures in order to sustain the continuity of care increases care morbidity. These situations lead to lawsuits, reputational harms, and regulatory fines. [5]

Use real-world examples tied to specific risks uncovered in your network to drive home the point. In the last two years alone, numerous supply-chain cyberattacks brought on by vulnerability exploits have led to system disruptions, data theft, and unplanned network downtime. Healthcare was among the hardest hit by the exploit of the MOVEit vulnerability, with entities continuing to report data impacts months after the initial exploit.[6]

Compliance and accreditation requirements are to include security perspective, particularly DNV, requires healthcare organizations to leverage a proactive, risk-based approach to patient safety. The Sept. 5 revision to its NIAHO standards also added requirements to address cybersecurity issues within the healthcare environment.

Centralized Patch Management | Olin Dillard & Matt Dimino 6

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

Centralized patch management is ideal for healthcare entities who’ve gone through a thorough risk assessment and are looking for actionable, effective support for the complexity of patch management and overall medical device challenges. Clinical security challenges can feel overwhelming. Relying on well-defined change management processes and raising leadership awareness can provide the broad support needed to tackle this key patient safety issue.

Co-Authors:

Olin Dillard

EVP, Clinical & Organizational, Security & Technology,

First Health Advisory

Matt Dimino

Chief Security Officer, Clinical & Organizational, Security & Technology,

First Health Advisory

Centralized Patch Management | Olin Dillard & Matt Dimino 7

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​

[1] “Medical Device Security 2018”; KLAS/CHiME Benchmarking Report; October 2018

[2] “Nothing is a Standalone Device: How a Complex Ecosystem Leaves Medical Device Security in Flux”; J, Davis for SC Media; August 2021

[3] “Nothing is a Standalone Device: How a Complex Ecosystem Leaves Medical Device Security in Flux”; J, Davis for SC Media; August 2021

[4] HHS 405(d) Health Industry Cybersecurity Practices, Volume 2; 405(d) Task Force; 2018; Update 2023

[5] “Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US”; JAMA Open Network; Dameff, MD, Tully, MD, Chan, MD; May 2023

[6] “Cybersecurity: The 2023 Board Perspective Report”; Proofpoint; September 2023

Centralized Patch Management | Olin Dillard & Matt Dimino 8

DO NOT DISTRIBUTE. This document is confidential and property of First Health Advisory. ​​