Sponsored by Intermed
By Jon Benedict
In my last article, we talked about the need to have a good, solid inventory with both “physical” and “logical” data points for each medical device. Your scanning tools are in place and your boots-on-the-ground team has just left your facility. You may be asking: “Now, what do we do with it?”
Since it is probably unrealistic to expect to successfully defend every single device 100 percent of the time, I recommend performing a risk-based prioritization of the medical device inventory, so you will be able to make better-informed decisions about which devices to focus your defense budget on.
What is a risk-based prioritization? It is exactly what it sounds like: a numerical scoring system used to evaluate and rank the devices from lowest risk to highest risk.
Once completed, the prioritization will provide clear, tangible metrics to identify where you will get the greatest ROI for your cybersecurity budget by focusing on the devices that pose the greatest threat. Having a risk-based prioritization of your medical assets should help you more clearly define a realistic goal of what to defend, one that meets your organization’s tolerance for risk and also complies with the current information security policies and procedures.
Like so many things in health care cybersecurity, there is no right or wrong way to do this as long as the output successfully defends the devices and patient data.
There are countless methodologies, tools and algorithms out there that calculate perceived risk. When you add in the complexities of FDA 510(k) devices, this can quickly become more complicated and confusing than it needs to be. In an effort to help demystify which metrics to evaluate, I recommend the following as some of the core attributes to consider factoring into a risk-based prioritization (in no particular order):
- The class of medical device, i.e. whether or not it touches a patient directly
- Connectivity to the network and/or the Internet
- The number of patient records stored or transmitted
- The OS/firmware running on the device
- Physical location and/or whether or not a device is mobile and moving around the facility
- Logical location of the device within the network topology
By evaluating these attributes, what we have found is that we can quickly reduce the number of devices we’re trying to protect to somewhere around 25 percent of the medical device install base. For example, if your hospital has 10,000 medical devices, a risk-based prioritization can narrow that down to roughly 2,500 devices on which to focus your defense strategy. What seemed to be a daunting and insurmountable task suddenly seems much more manageable when taken one step at a time.
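To make the scoring concrete, here is an added Python example; it is not Intermed’s tool or method and is not part of the original article. The six attributes are the ones listed above, while the 0-3 point scales, the weights, the cut at the top 25 percent and the eight inventory records are constructed assumptions. It also handles one edge case the prose glosses over: devices that tie with the last device inside the cut are kept rather than dropped by an arbitrary tie-break.

```python
"""Risk-based prioritization of a medical device inventory.

Added illustration, not Intermed's method or tooling: the point scales,
weights and the inventory records below are constructed assumptions.
"""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    asset_id: str
    model: str
    device_class: int      # FDA device class 1-3; higher means closer to the patient
    network: str           # "none", "lan" or "internet"
    patient_records: int   # records stored or transmitted by the device
    os_supported: bool     # vendor still patches the OS/firmware
    mobile: bool           # moves around the facility
    segment: str           # "isolated", "clinical_vlan" or "flat"


# Assumed weights per attribute (tune these to the organization's risk tolerance).
WEIGHTS = {
    "class": 2,
    "connectivity": 3,
    "records": 2,
    "os": 3,
    "physical": 1,
    "logical": 2,
}


def attribute_points(d: Device) -> dict:
    """Score each of the six inventory attributes on an assumed 0-3 scale."""
    if d.patient_records == 0:
        records = 0
    elif d.patient_records < 100:
        records = 1
    elif d.patient_records < 10_000:
        records = 2
    else:
        records = 3
    return {
        "class": {1: 1, 2: 2, 3: 3}[d.device_class],
        "connectivity": {"none": 0, "lan": 2, "internet": 3}[d.network],
        "records": records,
        "os": 0 if d.os_supported else 3,   # unpatchable OS/firmware is the worst case
        "physical": 2 if d.mobile else 0,   # mobile devices are harder to locate and control
        "logical": {"isolated": 0, "clinical_vlan": 1, "flat": 3}[d.segment],
    }


def risk_score(d: Device) -> int:
    """Weighted sum of attribute points; an unknown categorical value raises KeyError."""
    pts = attribute_points(d)
    return sum(WEIGHTS[k] * pts[k] for k in WEIGHTS)


def prioritize(devices, fraction=0.25):
    """Return the highest-risk devices, roughly the top `fraction` of the inventory.

    Devices tied with the last one inside the cut are kept too, so the asset-id
    tie-break never drops a device that scored the same as one being defended.
    """
    ranked = sorted(devices, key=lambda d: (-risk_score(d), d.asset_id))
    keep = max(1, math.ceil(len(ranked) * fraction))
    cutoff = risk_score(ranked[keep - 1])
    return [d for d in ranked if risk_score(d) >= cutoff]


def by_model(devices) -> Counter:
    """Count prioritized devices per model, the view a stakeholder session starts from."""
    return Counter(d.model for d in devices)


# Constructed sample inventory (not real data).
INVENTORY = [
    Device("D-001", "Infusion pump A", 2, "lan", 50, False, True, "clinical_vlan"),
    Device("D-002", "PACS workstation", 1, "internet", 500_000, True, False, "flat"),
    Device("D-003", "Ventilator V", 3, "lan", 10, False, False, "clinical_vlan"),
    Device("D-004", "Portable ultrasound", 2, "none", 0, True, True, "isolated"),
    Device("D-005", "Patient monitor M", 2, "lan", 200, True, False, "clinical_vlan"),
    Device("D-006", "Glucose meter", 2, "none", 0, True, True, "isolated"),
    Device("D-007", "CT scanner C", 2, "lan", 20_000, False, False, "flat"),
    Device("D-008", "Lab analyzer L", 1, "lan", 5_000, True, False, "clinical_vlan"),
]

if __name__ == "__main__":
    top = prioritize(INVENTORY)
    for d in top:
        print(f"{d.asset_id}  score={risk_score(d):>3}  {d.model}")
    print(by_model(top))
```

With these assumed weights the cut lands on the CT scanner, the infusion pump and the ventilator: the two devices running unsupported OS/firmware on the clinical VLAN tie at 25 points, so both stay in the defended set even though a strict 25 percent of eight devices would be two. The weights are the policy knob; raising the connectivity weight, for instance, would pull the Internet-connected PACS workstation into the cut ahead of the ventilator.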
Now that you have your risk-based prioritization completed, you’re able to identify the highest-risk devices by manufacturer, model and modality. It’s probably time to get all of your key stakeholders together for a whiteboard session to start understanding where the devices are in their life cycle, how they are interconnected and the best ways to go about securing them. In some cases, you may find out that patching is no longer supported on older devices, so you may have to consider replacing an older device or accepting the risks of keeping it in service. At least you now have solid metrics to help you make those decisions.