Why Due Diligence is Key to Medical Device Security

In the movies, hackers make accessing information look so easy, but healthcare organizations are working as hard as they can to keep their organizations safe from cyberattacks. As medical devices become more advanced in their capabilities, there is an increased need to make them safe and secure when it comes to patients’ information and their safety.

“We now look at devices to make sure they are protecting the information,” said HIMSS Director of Thought Advisory Lee Kim. “Wired or wireless, no matter where the information exists or where it’s going, the information has to be kept secure.”

Medical device security protects devices from cyberattacks, so both patients and caregivers have the peace of mind to use the best tools available for healthcare.

Challenges to Device Security

Many situations can arise from not having secure devices in healthcare. In the U.S., the Food and Drug Administration tightened security guidelines on medical devices, citing patient safety.

“An example of this is the problem of some medical devices having hard-coded passwords,” Kim said.

She added that this could be dangerous when it comes to devices such as those that provide insulin or other devices that are life-saving or life-sustaining.

“In recent years, the security of medical devices has improved, especially for larger medical device manufacturers,” Kim said.

However, she noted that with smaller or medium-sized manufacturers, one of the challenges could be that security is not necessarily at the forefront of one’s mind.

“Security may be an afterthought after the beta test. Or, you might report a security bug, but it might possibly be ignored by the manufacturer. So, you are left with a vulnerable device—until and if a patch is issued,” Kim said. “The medical device manufacturer, however, has its responsibility in terms of security of the device. However, you need to ensure that the device is as secure as possible on your end as well.”

In addition to having adequate technical controls, Kim believes in having a multi-disciplinary team, including IT, clinicians, legal and procurement to ensure the best device that is appropriate for the organization’s needs is chosen and that any risks associated with the device are adequately mitigated.

“All those hands really need to be on deck and everyone needs to come together and do due diligence, and hopefully the number one priority is that patient safety is kept top of mind,” Kim said.

Shared Responsibility for All Stakeholders

There are many people involved in ensuring that a device is secure before implementation into a clinical setting. “It’s a shared responsibility,” Kim said.

First and foremost, the manufacturers are responsible for ensuring device safety, and not just in the design phase. “The manufacturer needs to be receptive to any bug reports and any other security concerns,” Kim said.

One of the ways manufacturers communicate the security features of a medical device to purchasers is through an MDS2 Form.

“It’s widely accepted. While it’s not mandatory, it’s helpful when you are in the market to buy a medical device,” Kim said. “It lists the security features of the device, according to the manufacturer.”

Some examples of the questions found on the form include:

  • Does the manufacturer have a vulnerability disclosure program for this medical device?
  • Is the manufacturer part of an Information Sharing and Analysis Organization?
  • Can this medical device display, transmit, store, or modify personally identifiable information (e.g., electronic protected health information)?
  • Does the device maintain personally identifiable information temporarily in volatile memory (i.e., until cleared by power-off or reset)?
  • Does the device transmit/receive personally identifiable information via a wireless network connection (e.g., WiFi, Bluetooth, Near-Field Communication, infrared, cellular, etc.)?
  • Can the device be configured to use federated credentials management of users for authorization (e.g., Lightweight Directory Access Protocol, Open Authorization)?

“Many medical device manufacturers have the MDS2 Form as part of the marketing of the device to buyers,” Kim said. “It’s meant to ensure that the purchaser has that information in front of them and uses it as part of the due diligence before purchasing the device.”

Questions to consider before purchasing a device include:

  • How long has the manufacturer been around?
  • Are they responsive and do they handle issues quickly?
  • Are they reputable?

And while the MDS2 Form is helpful, it should not be the only research into a device’s security features.

“You may still want to have a demonstration of the device and interview the company about the device, including any security-related questions,” Kim said.

Best Practices

While vetting the best manufacturer is important, there are other best practices both organizations and medical device manufacturers can take when it comes to being mindful about device security.

A penetration tester may be able to uncover vulnerabilities and notify the medical device manufacturer about them. Incentivizing this through bug bounty programs is one way to go. Another proactive measure is to have a coordinated vulnerability disclosure program, such that medical device manufacturers and researchers work together in a coordinated fashion.

“Bug bounty programs are a great way to potentially uncover zero-day vulnerabilities and to have the manufacturer fix it before it becomes a real problem,” Kim said. Other, easier best practices for medical device security include:

  • Robust physical security, role-based access controls, and appropriate network access controls
  • Intrusion detection and prevention systems
  • Configuration management to track assets and configurations
  • Timely security updates
  • Anti-malware or anti-virus protection, if possible
  • Session timeouts, if possible
  • A zero trust security model

“Have as many layers of security as possible to make things more difficult so it’s out of reach and not low-hanging fruit,” Kim said.
