
By Phil Englert
In today’s healthcare landscape, medical devices are no longer isolated instruments; they are networked, data-rich systems integral to patient care. As these technologies become more connected, they become more exposed to cyber threats. The risks are real and growing, from ransomware attacks that disable imaging systems to remotely exploitable vulnerabilities in patient monitoring systems that could render remote monitoring inoperable. Though not yet identified in the wild, it has been demonstrated that the medication flow of infusion pumps can be altered.
Healthcare technology management (HTM) leaders must move beyond reactive security measures and build a proactive, measurable cyber resilience program to address this challenge. But how do we measure resilience meaningfully to executives, clinicians and technical teams?
The answer lies in metrics. In 2011, MITRE published the Cyber Resiliency Engineering Framework, which offers a structured approach to evaluating an organization’s ability to anticipate, withstand, recover from, and adapt to cyber threats. The framework’s principles (tinyurl.com/mtpaznj9) were updated in 2015 and still apply today. MITRE, in partnership with the National Institute of Standards and Technology (NIST), created the original cyber resiliency framework, the NIST Special Publication “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach” (NIST SP 800-160v2r1).
The report defines how cyber resiliency metrics can inform investment and design decisions. It establishes a scoring methodology to assess cyber resiliency across different systems. The framework assists in evaluating alternative cybersecurity solutions and helps ensure that cyber resiliency assessments are repeatable and reproducible. This article explores how to apply MITRE’s principles to medical device ecosystems and identifies nine key metrics tailored to three critical stakeholder groups.
MITRE’s framework defines cyber resiliency as the capacity of systems to continue operating under adverse conditions, including cyberattacks. It emphasizes four core goals: anticipate threats before they occur, withstand attacks while maintaining essential functions, recover quickly from disruptions, and adapt to evolving threats and system changes. The framework also outlines metrics that span technical, operational, and mission domains, making it ideal for healthcare environments where patient safety, clinical workflows, and IT infrastructure intersect.
Metrics for Executive Leadership: Strategic Risk Management
Senior leaders, including the chief information security officer (CISO), need metrics that provide a high-level view of organizational risk and resilience. These metrics should inform investment decisions, regulatory compliance, and enterprise risk posture.
The first executive metric is the Percentage of Networked Medical Devices with Known Exploitable Vulnerabilities (KEVs). Although technical, this metric supports tracking over time (ideally showing a reduction) and gives a current organizational status as new vulnerabilities are discovered and exploits are developed. The data come from vulnerability management platforms (e.g., Tenable, Qualys) integrated with computerized maintenance management systems (CMMS) or IT asset inventories, together with Software Bills of Materials (SBOMs) that identify the components present in medical device technologies. This metric quantifies exposure across the device fleet: a high or increasing percentage signals systemic risk and helps prioritize remediation efforts.
The second metric is Time to Patch Critical Vulnerabilities in Medical Device Technologies. Because medical devices are regulated, patch availability lags significantly behind the patching cycles of traditional IT endpoints. Tracking this metric and understanding the drivers of the lag can lead to better-informed procurement decisions and investment in protective measures, such as more granular segmentation capabilities or network access controls. The data come from patch management logs, vendor service records, and the CMMS. This metric measures operational agility: shorter patch times reflect a mature response capability and reduce the exposure window.
The final executive metric, a Medical Device Cyber Risk Score by Facility, is a strategic tool that empowers executive leaders to manage risk, protect patients, and guide the organization toward greater cyber resilience across multiple locations. The data for this metric will be derived from aggregated device risk assessments, network segmentation audits, and vulnerability scans. Providing an organization-wide but site-specific view enables benchmarking across hospitals, guiding targeted investments and interventions.
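As an added illustration that is not from the article, the following Python computes the three executive metrics above from a constructed CMMS/scan extract; the record fields, the placeholder vulnerability IDs, the stand-in KEV catalogue and the risk weights are all assumptions.

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from the article): CMMS/asset inventory joined with
# scan findings. Vulnerability IDs are placeholders, not real CVE numbers.
DEVICES = [
    {"id": "PUMP-01", "facility": "North", "networked": True, "segmented": True,
     "vulns": [{"id": "VULN-A", "critical": True,
                "disclosed": date(2025, 1, 10), "patched": date(2025, 3, 1)}]},
    {"id": "MRI-01", "facility": "North", "networked": True, "segmented": False,
     "vulns": [{"id": "VULN-B", "critical": True,
                "disclosed": date(2025, 2, 1), "patched": None}]},
    {"id": "MON-07", "facility": "South", "networked": True, "segmented": True,
     "vulns": []},
    {"id": "ECG-03", "facility": "South", "networked": False, "segmented": True,
     "vulns": [{"id": "VULN-A", "critical": True,
                "disclosed": date(2025, 1, 10), "patched": None}]},
]
KEV = {"VULN-A", "VULN-B"}   # constructed stand-in for a KEV catalogue
AS_OF = date(2025, 4, 1)      # reporting date used for still-open findings


def pct_networked_with_kev(devices, kev):
    """Metric 1: share of networked devices with at least one open KEV-listed flaw."""
    networked = [d for d in devices if d["networked"]]
    hit = [d for d in networked
           if any(v["id"] in kev and v["patched"] is None for v in d["vulns"])]
    return 100.0 * len(hit) / len(networked) if networked else 0.0

def mean_days_to_patch_critical(devices, as_of):
    """Metric 2: mean days from disclosure to patch for critical findings.
    Unpatched findings count as still open on as_of, so the window keeps growing."""
    days = [((v["patched"] or as_of) - v["disclosed"]).days
            for d in devices for v in d["vulns"] if v["critical"]]
    return mean(days) if days else 0.0

def risk_score_by_facility(devices, kev):
    """Metric 3: mean per-device score per facility. Illustrative weights (assumed):
    open critical = 5, open and KEV-listed = +5, networked but unsegmented = x2."""
    by_fac = {}
    for d in devices:
        score = 0
        for v in d["vulns"]:
            if v["patched"] is None:
                score += 5 if v["critical"] else 1
                score += 5 if v["id"] in kev else 0
        if d["networked"] and not d["segmented"]:
            score *= 2
        by_fac.setdefault(d["facility"], []).append(score)
    return {f: mean(s) for f, s in by_fac.items()}
```

Patched findings drop out of the KEV percentage but still feed the time-to-patch average, so the two metrics move independently, which is the point of reporting both.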
These metrics help executives understand where the organization stands and where it needs to go. Cybersecurity metrics empower healthcare executives to lead with confidence. They transform abstract threats into actionable insights, enabling leaders to protect patients, safeguard data, and ensure the continuity of care. In an era where cyber resilience is synonymous with patient safety, these metrics are strategic imperatives to drive the resourcing needed to protect patient safety and ensure the mission of healthcare delivery.
Editor’s Note: next month, this column will explore key metrics for clinical leaders and HTM teams, focusing on transforming risk into meaningful improvements in patient care.

