In this session, we welcome Shankar Somasundaram, CEO of Asimily, Priyanka Upendra, Quality Compliance Director at Banner Health, and Carrie Whysall, Director of Managed Security Services at CynergisTek.
Together, they will discuss medical device security, covering all you need to know from medical device assessments to remediation efforts. Attendees will leave this session knowing how to apply what they have learned about medical device security in real life.
4. CTEK SUMMIT
2020
4
Shankar Somasundaram, CEO, Asimily
• Asimily is a company focused on Healthcare, Medical and Connected Device Inventory, Cybersecurity, and Operational Management, working with health systems across the country
• Shankar has been involved in the topic of medical devices since 2011.
• Shankar has been a contributor to and part of many industry frameworks like NIST, TIR 57 and more!
Carrie Whysall, Director, Managed Security Services, CynergisTek
• Carrie has over 24 years of experience in healthcare information services, over half of which are focused on security.
• In her role as Director of Managed Security Services, Carrie is responsible for executing strategic business initiatives and driving CynergisTek's growth strategies for security services including Vendor Security Management (VSM), Managed Security Services (MSS), and Medical Device Security.
• Prior to joining CTEK, Carrie served as a Senior Director of Security for Ascension Information Services.
Medical Device Security Challenges
Insufficient Visibility
• Lack accurate connected medical device inventory
Medical Device Ecosystem is Complex
• Significant number of vendors, device types & software platforms
• Device managed across a maze of ownership and support
Unable to Update
• Medical devices can rarely be patched
• Updates often not available
Legacy Systems
• Many devices have Windows 95, 98, 2000, XP, & 7
• Longer life expectancy
Culture
• Communication gap between CE/IT
• Limited training and knowledge
Technical & Operational Dependencies
• Proprietary networks
• Wireless requirements
• Computer hardware
Medical Devices are Proprietary
• Highly specialized
• Automated microprocessor driven
• Store and collect sensitive information
Lack of Tools
• Limited tools and lack of knowledge of tools to inventory connected medical devices
• Cannot actively scan medical devices
Lack of Security Controls
• Standard IT technical security controls don’t apply
• Administrative controls can impede clinical care
• Physical controls are difficult to manage
Why Medical Device Security Services?
• Medical devices are increasingly connected to the internet and have limited control over access
• Most HDOs do not have an accurate connected medical device inventory
• Between 10-15 connected medical devices per hospital bed / 300%-400% more medical equipment than IT devices
• Average of 6.2 vulnerabilities per medical device
• 60% of all medical devices are unpatchable
• Most connected medical devices are unmanaged
• Risk of breach due to devices holding large amounts of PHI
• An attack has the potential to cause patient harm
• Attacks affect device availability and organization reputation
Medical Device Security Services
Stage 1: Risk Assessment
Provides a blueprint for:
• Implementing organizational medical device security practices
• Remediating vulnerable network connected medical devices
• Reducing organizational risk through increased governance and oversight
This includes recommendations for developing a comprehensive medical device security program.
Stage 2: Program Development
Develop security best practices into ongoing medical device management processes:
• Improved asset management processes including inventory validation
• Consistent medical device risk assessment procedures
• Standardized implementation and configuration processes
• Formal incident response protocols and documentation
Stage 3: Program Management
Continuous support and management:
• Assisting with the medical device procurement process
• Managing ongoing vulnerability reporting and remediation planning
• Providing medical device security training and awareness presentations
• Facilitating incident response and formal device disposition processes
Stage 1: Risk Assessment
The Medical Device Security Risk Assessment provides the organization with a one-time assessment to identify and categorize medical device risk management strategies.
1. Program Assessment
Medical Device Security Program Evaluation:
• Documentation Review
• Onsite Data Collection
• Remediation Recommendations
• Level of Effort Summary
• Lifecycle Management Integration
2. Technical Assessment
Passive Network Discovery Tool Results:
• Passive Network Scanning
• Device Inventory Attributes
• Security & Network Data
• Vulnerability Identification
• Remediation Recommendations
3. Risk Mgmt. Strategy
Medical Device Security Risk Classification:
• Risk Criteria Identification
• Device Specific Risk Categories
• Remediation Strategies by Risk Category
• Recommended Remediation Plan
Stage 2 & 3: Program Development & Management
Lifecycle Management Approach
Organizational medical device support and management utilizing processes to ensure the safe and full functionality of the device at each stage of a medical device’s lifecycle.
Lifecycle stages: Medical Device Procurement; Medical Device Installation and Inventory Management; Medical Device Continuous Support/Maintenance; Medical Device Incident Response Management; Medical Device Disposition/Retirement
Procurement Management
- New Medical Device Security Assessment
- Vendor/Third-Party Service Provider Risk Assessment
- Risk Acknowledgment Documentation
Installation & Inventory Management
- Standardized Implementation Workflow
- Inventory Gap Analysis
- Inventory Validation & Reconciliation Process
Continuous Support & Maintenance
- Network Tool Monitoring & Reporting
- Internal Security Posture Review
- Biomed Specific Security Training
Incident Response Management
- Threat Notifications
- Medical Device Security Incident Consultation
Disposition/Retirement
- Media Sanitization Assurance
- Recommendations for Replacement/Retirement
Key Capabilities of an Effective Risk Management Solution
IDENTIFY, DETECT, PROTECT, RESPOND
Inventory
• Identify devices and parameters
Vulnerability Management
• Proactively identifies vulnerabilities
• Narrow down vulnerabilities posing a threat to the network
Vulnerability Scoring and Risk Assessment
• Scores vulnerabilities using medical device context
• Provides granular recommendations to mitigate risk
Intrusion Detection
• Baseline device behavior
• Highlight when a device is not behaving as expected
Containment and Micro-segmentation
• Block or quarantine a device as necessary
• Segment or micro-segment a device as required
Forensic analysis
• Understand how, where, when device is communicating
• Identify the root cause of the problem
Multi-Dimensional Approach
MEDICAL (& NON-MEDICAL) DEVICE MASTER DATA RECORD
• IT parameters
• Medical device parameters
• Cyber-security parameters
• Network asset utilization
DEVICE RELATIONSHIPS
• Device inter-relationships
• Data flows
• Ability to navigate network
CONTEXTUAL RISK
• Vulnerabilities
• Configuration
• Vulnerability Exploit Vectors
• Impact to patient care, data privacy and operations
PATCH AND MITIGATION PRIORITIZATION
• Prioritized list of devices and alternatives to patching
RISK MONITORING, REMEDIATION AND PREVENTION
• Device baselines and device profiles
• Security anomalies
• Operational anomalies
• Segmentation of devices based on device context
• Blocking or quarantine at network
Vulnerability Management
• Not all devices have the same risk
• Even across devices with the same legacy operating system, risks could be different
• Whether an unpatched vulnerability affects a device is dependent on many factors:
  • Exploitability of the vulnerability for that device in that environment
  • Impact of the vulnerability
  • How the device is connected
  • Security capabilities of the device
  • Any other mitigating security controls
• Several factors have to be taken into account before deciding whether a vulnerability is exploitable and high impact; if the vulnerability is then found to be high risk and high impact, a workaround can be implemented
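The factors listed on this slide can be turned into a per-device triage decision. The following is an added example, not code from the presenters or from any vendor product; the field names, the four outcome labels and the sample devices are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Vuln:
    ident: str    # placeholder identifier, not a real CVE
    port: int     # network service the flaw is reached through
    impact: str   # "high" or "low" if exploited

@dataclass
class Device:
    name: str
    os: str
    open_ports: set
    segmented: bool              # isolated from general network traffic
    host_firewall: bool          # security capability of the device itself
    patient_care_or_ephi: bool   # touches patient care or stores ePHI
    patch_available: bool = False
    other_controls: set = field(default_factory=set)  # other mitigating controls

def triage(dev: Device, vuln: Vuln) -> str:
    """Return monitor / schedule / patch / workaround for one device-vulnerability pair."""
    exposed = vuln.port in dev.open_ports        # is the vulnerable service present at all
    reachable = exposed and not dev.segmented    # how the device is connected
    blocked = dev.host_firewall or "ips" in dev.other_controls
    exploitable = reachable and not blocked
    high_impact = vuln.impact == "high" and dev.patient_care_or_ephi
    if not exploitable:
        return "monitor"       # keep watching; context may change
    if not high_impact:
        return "schedule"      # handle in routine maintenance
    # High risk and high impact: patch if one exists, otherwise work around it.
    return "patch" if dev.patch_available else "workaround"

# Constructed sample inventory: three devices on the same legacy OS.
VULN = Vuln("VULN-PLACEHOLDER-1", port=445, impact="high")
FLEET = [
    Device("imaging-ws-01", "Windows XP", {445, 104}, segmented=False,
           host_firewall=False, patient_care_or_ephi=True),
    Device("imaging-ws-02", "Windows XP", {445, 104}, segmented=True,
           host_firewall=False, patient_care_or_ephi=True),
    Device("label-printer-03", "Windows XP", {445}, segmented=False,
           host_firewall=False, patient_care_or_ephi=False),
]

def triage_fleet(fleet=FLEET, vuln=VULN) -> dict:
    return {d.name: triage(d, vuln) for d in fleet}

if __name__ == "__main__":
    for name, action in triage_fleet().items():
        print(f"{name}: {action}")
```

All three sample devices run the same operating system and carry the same unpatched flaw, yet each lands in a different bucket because of connectivity and impact context.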
Identify The Drivers to CE-IT Convergence
• Integrating the Healthcare Enterprise (IHE)
• Patient Safety and Quality Outcomes Management
• Tele Health
• Increasing application of:
  • RFID, DICOM, Bluetooth, WiFi
• Increased Government/Industry Focus
  • FDA, MDS2, other initiatives
• Information Security – integrity, availability, confidentiality
• Cybersecurity, Privacy, Disruption (ransomware, DDoS)
Demonstrate That You Have a Problem
Conduct a litmus test to identify the extent of the problem
1. Ask for a copy of the Could Not Locate (CNL) list for previous 12 months
2. Determine if any devices on the list can create and store ePHI
3. For devices identified in #2 above, ask if you have reported (or will report) a breach or have a documented “low probability of compromise” in your files
4. For all remaining devices, ask how any technical vulnerabilities have been remediated
Adopt a Framework
• Good security hygiene and awareness are key…
• But there is no one-size-fits-all answer; this is unique to each org.
• Key factors that make the difference:
  • Leadership style
  • Leadership's risk tolerance
  • Corporate/practice culture
• The message needs to be delivered in a way the recipient can understand, in their terms
• Training materials you find or get from outside need to be customized
Develop Management Solutions
• Biomedical devices are not just hardware
  • Treat them as computing endpoints
  • Treat them as if they contain patient data – many do!
  • Protect them from unauthorized physical and network access
  • You must presume a breach if lost, stolen, or even out of your control
• Addressing biomedical risks is a management problem
  • Accountability stops w/CEO, but departments share responsibility
  • The CISO and compliance must act as a team to assess these risks
• Look at tools that can passively scan
  • These also interface with the common CMMS applications
• Consider outsourcing the security management to address talent gaps
Key Takeaways
• Assessment
  • Assess your inventory with an eye towards risk
  • Assess your program or lack thereof
  • Don’t forget to include life cycle management
• Remediation Efforts
  • Even the same device model can require different strategies
  • Be sure to identify all pertinent risk vectors
• Apply what you have learned
  • Pick a tool that can help you with your use case
  • Partnership is the key: CE & IT need to plan together
  • Long term strategies are the key to success