To conduct such an exercise, it is best for the cybersecurity team to work with the clinical engineering teams and establish a profiled scan template in the vulnerability management software. This template should allow the scan to be executed only against a specific nonproduction network and only by specific individuals. To provide further assurance that the vulnerability scan cannot cause harm to a medical device while it is connected to the production network, the scanners' IP addresses should be blocked at the boundary of the medical device segment as part of the segmentation strategy noted above. When these preparations are complete, the clinical engineering teams can be granted access to the scanning software in a restricted manner that allows the scan to be run only against the network used for preventative maintenance. Vulnerabilities discovered can be shared with the information security office to determine the relative risks. Upon classification of these risks, the teams should contact the device manufacturer and work together to develop and implement a remediation plan.
9.L.B Security Operations and Incident Response
NIST FRAMEWORK REF: PR.IP-9, DE.CM-8, DE.CM-1, DE.CM-7
Expanding on the SOC and IR processes found in Cybersecurity Practice #8: Security Operation Center and Incident Response, HDOs can provide better monitoring, detection, and response activities around their medical device ecosystems. Using the segmentation strategy outlined above, HDOs should monitor for malicious activity into and within the segment. To provide visibility into the daily operations of the medical device systems, the following sources should be configured to send logs to the HDO’s log management systems, SIEMs, or both:
Firewalls providing segmentation to the medical device network segment
Information systems that control the operation of the medical devices
Netflow data from the medical device network segment
Intrusion prevention systems in front of the medical device network segment
Logs from any deception technology deployed in the medical device network segment
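The monitoring goal above (malicious activity into and within the medical device segment) and the earlier requirement that scanner addresses be blocked from the production segment can both be expressed as simple detection rules over the firewall and netflow records once they reach the SIEM. The following is an added example, not code from the HICP document: it parses a handful of constructed log lines in a hypothetical key=value export format and flags four conditions a practitioner would want a play for. The segment ranges, the allow-listed device control server, the scanner addresses and the log format are all assumptions chosen for the illustration.

```python
"""
Added example (not from the HICP page): detection rules run over constructed
firewall/netflow records from a segmented medical-device network.
All addresses, allow-lists and the log format are assumptions.
"""
import ipaddress
from collections import Counter, namedtuple

# Assumed addressing (hypothetical): production medical-device segment,
# nonproduction preventative-maintenance segment, and the vulnerability
# scanners that must never reach the production segment.
MED_DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/24")
MAINT_SEGMENT = ipaddress.ip_network("10.51.0.0/24")
SCANNER_IPS = {ipaddress.ip_address("10.10.9.10"), ipaddress.ip_address("10.10.9.11")}

# Assumed allow-lists: the information system that controls the devices is the
# only host permitted to initiate into the segment, and the only egress target.
ALLOWED_INBOUND_SOURCES = {ipaddress.ip_address("10.20.0.5")}
ALLOWED_OUTBOUND_DESTS = {ipaddress.ip_address("10.20.0.5")}

# Constructed sample records (hypothetical key=value export format).
SAMPLE_LOGS = """\
ts=2024-03-01T08:00:01 src=10.20.0.5 dst=10.50.0.23 dport=104 proto=tcp action=allow
ts=2024-03-01T08:00:05 src=10.50.0.23 dst=10.20.0.5 dport=443 proto=tcp action=allow
ts=2024-03-01T08:01:10 src=10.10.9.10 dst=10.50.0.40 dport=22 proto=tcp action=allow
ts=2024-03-01T08:02:00 src=10.50.0.23 dst=10.50.0.24 dport=445 proto=tcp action=allow
ts=2024-03-01T08:02:30 src=10.50.0.23 dst=203.0.113.9 dport=443 proto=tcp action=allow
ts=2024-03-01T08:03:00 src=10.10.9.10 dst=10.51.0.17 dport=22 proto=tcp action=allow
ts=2024-03-01T08:03:30 src=192.0.2.77 dst=10.50.0.23 dport=104 proto=tcp action=deny
"""

Finding = namedtuple("Finding", "rule src dst dport")


def parse_record(line):
    """Parse one key=value line into a dict; src/dst become ip_address objects."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    fields["dport"] = int(fields["dport"])
    return fields


def classify(rec):
    """Return the first detection rule an *allowed* record matches, or None.

    Denied records are not findings here: the segmentation firewall did its job,
    and they are summarised separately by denied_inbound_by_source().
    """
    if rec["action"] != "allow":
        return None
    src, dst = rec["src"], rec["dst"]
    src_in = src in MED_DEVICE_SEGMENT
    dst_in = dst in MED_DEVICE_SEGMENT
    if src in SCANNER_IPS and dst_in:
        return "SCANNER_REACHED_PROD_SEGMENT"   # scanner block at the boundary failed
    if dst_in and not src_in and src not in ALLOWED_INBOUND_SOURCES:
        return "UNEXPECTED_INBOUND"             # something other than the control system
    if src_in and dst_in:
        return "EAST_WEST_INSIDE_SEGMENT"       # device-to-device traffic, e.g. lateral movement
    if src_in and not dst_in and dst not in ALLOWED_OUTBOUND_DESTS:
        return "UNEXPECTED_EGRESS"              # possible C2 or exfiltration from a device
    return None


def analyze(log_text):
    """Run the rules over every record and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        rule = classify(rec)
        if rule:
            findings.append(Finding(rule, str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return findings


def denied_inbound_by_source(log_text):
    """Count blocked attempts into the production segment, keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["action"] == "deny" and rec["dst"] in MED_DEVICE_SEGMENT:
            counts[str(rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.rule:30} {f.src} -> {f.dst}:{f.dport}")
    print("denied inbound attempts:", dict(denied_inbound_by_source(SAMPLE_LOGS)))
```

Of the seven constructed records, three become findings: the scanner reaching a production device (a segmentation failure), SMB between two devices inside the segment, and a device reaching an external address. The scanner's traffic to the maintenance segment is expected and produces nothing, and the denied external attempt is counted rather than alerted on. Each rule name maps naturally onto one play in an IR playbook.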
Using these logs as a source, plays can be enumerated and added into IR playbooks, as described in Table 13.
Table 13. Incident Response Plays for Attacks Against Medical Devices