Cybersecurity Practices for Health Care Organizations (RJ Blanchard Benefit Services)

Page 87

Cybersecurity Practice #9: Medical Device Security

Data that may be affected: PHI

Medium Sub-Practices:
9.M.A Medical Device Management
9.M.B Endpoint Protections
9.M.C Identity and Access Management
9.M.D Asset Management
9.M.E Network Management

Large Sub-Practices:
9.L.A Vulnerability Management
9.L.B Security Operations and Incident Response
9.L.C Procurement and Security Evaluations
9.L.D Contacting the FDA

Key Mitigated Risks: Attacks Against Connected Medical Devices that May Affect Patient Safety

Health care systems use many diagnostic and therapeutic methods for patient treatment. These range from technological systems that capture, render, and provide detailed images of scans to devices that connect directly to the patient for diagnostic or therapeutic purposes. Such devices may have straightforward implementations, such as bedside monitors that monitor vital signs during an inpatient stay, or they may be more complicated, such as infusion pumps that deliver specialized therapies and require continual drug library updates. These complex and interconnected devices affect patient safety, well-being, and privacy, and they represent potential attack vectors in health delivery organizations' (HDOs') digital systems. As such, these devices should be robustly designed and properly secured.

This section focuses on the methods that HDOs can employ to protect connected medical devices. Specifically, it addresses the actions that HDOs are permitted to take, how to align with the Medical Device and Health IT Joint Security Plan, and how to best work with device manufacturers and the U.S. FDA.

Any device that connects directly to a patient for diagnosis or therapy should undergo extensive quality control to ensure that it is safe for use. Rigorous stipulations, managed by the FDA, are in place for the development and release of such systems. The organizations that produce these devices, referred to as device manufacturers, should comply with these regulations. Organizations that purchase devices and use them for the treatment of patients are the clinical providers; in the context of this relationship, they are the HDOs.

Given the highly regulated nature of medical devices and the specialized skills required to modify them, it is ill-advised for HDOs to make configuration changes without the support of the device manufacturer. Doing so may put the HDO at risk of voiding warranties, result in legal liabilities, and, at worst, harm the patient. Therefore, the traditional security methods used to secure IT assets cannot necessarily be deployed in the case of medical devices. For example, one cannot simply apply a patch to a vulnerable component of the OS that runs a medical device.

In 2018, the Healthcare Sector Coordinating Council's Joint Cybersecurity Working Group released a guidance document for device manufacturers on developing and releasing secure medical devices.39

39. Medical Device and Health IT Joint Security Plan, 2018.

