Editor’s Note: This is part one of a two-part cybersecurity column. Next month’s column will include an in-depth review of what should be included in an MDCIR.
Boom! A cyber incident has occurred. What do you do? In a sequence of events, “left of boom” is the set of events that occur in the timeline before the “boom” – the moment of breach, when an attack succeeds – and “right of boom” is the set of events that follow. What a defender can know and do ahead of time, both to prevent “boom” and to predict when it will happen, is priceless. The right combination of tools, services and preparation can not only prevent an unlikely event but also reduce its impact when it does happen and allow for a rapid response.
The health care sector has been traditionally trained how to prepare, plan for and respond to natural disasters. We have all experienced another pivot during the latest COVID-19 pandemic.
The industry, however, is less prepared to handle cybersecurity incidents, particularly those involving medical devices. Recent global ransomware and cyberattacks have highlighted the need for more robust cybersecurity preparedness to be executed in an enhanced, effective, real-time response that enables seamless continuity of clinical operations.
Knowing what to do during a cybersecurity incident involving a medical device should be as second nature as responding to a fire drill, performing cardiopulmonary resuscitation (CPR) or advanced cardiac life support (ACLS). If all parties are trained to know their role and have the skills needed to perform their duties, these responses become automatic. To become familiar with the Medical Device Cybersecurity Incident Response (MDCIR), all staff involved should take part in an annual tabletop exercise that walks through every step of a proper incident response, with everyone’s roles and responsibilities clearly defined.
There are many things that contribute to the success of an MDCIR; the most important are the combined efforts and cooperation of many different groups. Some of the things we do on a regular basis that contribute to the “left of boom” are establishing continuous monitoring of medical device networks, updating medical device isolation rules and protocols, maintaining an accurate asset inventory, creating contingency plans, and automating threat prevention controls. Here is a list of things that should also be done at the medical-device level:
Some of the things that are vital after an incident has occurred – to the “right of boom” – are intrusion detection systems (IDS); security operations center (SOC) analyst alerts, review and triage; incident verification and escalation to response; indicator of compromise (IOC) data collection and logging; and containment (physical or network) and eradication.
All these efforts, combined with continuous upkeep of the connected medical devices, help ensure that everything is more secure by providing “defense-in-depth” through multiple mitigations at different layers in the organization, and reduce the likelihood of future events. Having an MDCIR game plan ready for when “boom” happens also ensures proper preparedness to respond. In today’s world it is not a question of “if” you will experience a cybersecurity incident, but a matter of “when.”
Steven Hughes is a VISN 21 biomedical engineer at the Department of Veterans Affairs-Sierra Pacific Network.
© 2021, TechNation Magazine.