
By Nadia ElKaissi, CHTM
As the holidays are approaching, many of us are busy decking the halls and preparing for festive celebrations. But in hospitals, there’s no time to let down our guard when it comes to cybersecurity. With so many high-tech medical devices in use, keeping our digital defenses strong is especially crucial. Understanding the differences between credentialed and non-credentialed scans for medical equipment, and knowing the important questions to ask vendors, can make all the difference in securing a hospital’s network. In this article, we’ll explore why these types of scans matter, and how to ensure you’re evaluating equipment correctly to get the necessary information.
Before we dive into the why, let’s break down the what. Scans are essential for assessing the security posture of medical devices, such as MRI machines, infusion pumps, and patient monitors, that often connect to the hospital’s network. These scans detect vulnerabilities and ensure that devices are not easy targets for cyber threats.
1. Credentialed Scans: A credentialed scan is a thorough scan performed with valid user credentials, allowing in-depth access to the medical device’s internal system. A credentialed scan simulates what an authorized user might see, providing comprehensive information about installed software versions, configurations and potential security risks. This level of access reveals more vulnerabilities and gives HTM a clear view of how to patch weaknesses.
2. Non-Credentialed Scans: These scans are performed without any special access or credentials, simulating an attack by an external threat actor. While they can identify some vulnerabilities, they often miss internal issues such as outdated software versions or insecure configurations. Non-credentialed scans provide a limited picture of the device’s security posture, focusing more on perimeter defenses.
Unfortunately, medical devices in hospitals often come with their own set of unique challenges when it comes to cybersecurity. One of the major issues HTM professionals are facing is that many medical systems are not able to undergo credentialed scans. So, we must ask the question: why do we need to push for credentialed scanning if it is not approved for some medical devices? For many medical devices, the risks associated with vulnerabilities go beyond data breaches. Patient care is at risk if devices such as infusion pumps or ventilators are compromised. In addition, medical devices typically run specialized software, often on outdated operating systems because of regulatory constraints or compatibility requirements. Credentialed scans would provide a detailed view of vulnerabilities and identify outdated software and configurations. Both would help mitigate risk and prioritize patches and updates.
Now, you are probably thinking: Great! Why don’t we just mandate credentialed scans for all medical equipment? While credentialed scanning should always be considered during the procurement process, it is important to understand that some medical devices simply cannot have credentialed scans. Medical devices may have restrictions that limit the extent of what can be scanned, either because of the vendor’s proprietary systems or regulatory requirements. In some cases, performing a credentialed scan may void warranties or violate service agreements. Additionally, medical equipment can be sensitive to intrusive scans, risking interruptions to essential functions. In these cases, non-credentialed scans, though less comprehensive, may be more suitable where minimal system interaction is necessary.
Vetting equipment and asking the hard questions are crucial, especially during the procurement process or when planning a cybersecurity assessment. Here are some targeted questions to help you fully understand the scanning capabilities and limitations of medical devices:
1. Confirm the scanning techniques that are supported. Question the vendor on whether the device supports both credentialed and non-credentialed scans and which scanning methods are recommended to avoid potential disruptions.
2. Ask if there are any restrictions on credentialed scans. Vendors may place restrictions on performing credentialed scans, citing reasons such as warranty concerns or potential interference with the device’s normal functions. You need to understand what is permitted and which associated risks you need to be aware of.
3. Determine the recommended scanning schedule and frequency. For instance, many medical systems are scanned after hours to reduce patient care disruption. Make sure to clarify any associated impact.
4. Understand what mitigation options are available if vulnerabilities are found. You need to understand how to address identified vulnerabilities, including if the vendor will provide support for patches, software updates or configuration changes.
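The vendor answers above feed directly into a scan plan. The following Python helper is an added example, not part of the article or any HTM tooling; it takes a constructed device inventory plus the answers to the four questions (hypothetical field names) and decides, per device, whether a credentialed or non-credentialed scan is permitted, whether it must run after hours, and which compensating controls are needed where credentialed visibility is unavailable. The device names, addresses and vendor answers are all constructed sample data.

```python
"""Scan-planning helper for networked medical devices (added example).

Maps each vendor's answers to the four procurement questions onto a
per-device scan plan, and reports how much of the fleet actually gets
credentialed (in-depth) coverage versus perimeter-only visibility.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorAnswers:
    """Answers to the four vendor questions (hypothetical field names)."""
    supports_credentialed: bool     # Q1: is a credentialed scan supported at all?
    credentialed_restricted: bool   # Q2: does warranty/service agreement forbid it?
    after_hours_only: bool          # Q3: does the vendor require scans outside clinical hours?
    vendor_patches: bool            # Q4: will the vendor supply patches/config fixes?


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    life_critical: bool             # e.g. infusion pump, ventilator, ICU monitor
    answers: VendorAnswers


@dataclass
class ScanPlan:
    device: str
    scan_type: str                  # "credentialed" or "non-credentialed"
    window: str                     # "after-hours" or "any"
    compensating_controls: list = field(default_factory=list)


def plan_scan(dev: Device) -> ScanPlan:
    """Decide scan type, window and compensating controls for one device."""
    a = dev.answers
    # Credentialed only when the device supports it AND the vendor does not restrict it.
    credentialed_ok = a.supports_credentialed and not a.credentialed_restricted
    scan_type = "credentialed" if credentialed_ok else "non-credentialed"
    # Life-critical devices are always scanned after hours, even if the vendor
    # did not insist on it, to limit the blast radius of a disruptive probe.
    window = "after-hours" if (a.after_hours_only or dev.life_critical) else "any"
    controls = []
    if not credentialed_ok:
        # Without credentials the scan cannot see installed versions or
        # configuration, so version tracking has to come from elsewhere.
        controls.append("network segmentation")
        controls.append("vendor-supplied software inventory for version tracking")
    if not a.vendor_patches:
        controls.append("documented risk acceptance pending vendor fix")
    return ScanPlan(dev.name, scan_type, window, controls)


def build_plan(devices):
    """Plan every device, life-critical ones first, then alphabetically."""
    ordered = sorted(devices, key=lambda d: (not d.life_critical, d.name))
    return [plan_scan(d) for d in ordered]


def credentialed_coverage(plans) -> float:
    """Fraction of devices that receive in-depth (credentialed) visibility."""
    if not plans:
        return 0.0
    return sum(1 for p in plans if p.scan_type == "credentialed") / len(plans)


# Constructed sample inventory (not real devices or addresses).
INVENTORY = [
    Device("patient-monitor-icu-3", "10.20.1.13", True,
           VendorAnswers(supports_credentialed=True, credentialed_restricted=False,
                         after_hours_only=False, vendor_patches=True)),
    Device("infusion-pump-ward-7", "10.20.2.41", True,
           VendorAnswers(supports_credentialed=True, credentialed_restricted=True,
                         after_hours_only=True, vendor_patches=True)),
    Device("mri-suite-a", "10.20.3.5", False,
           VendorAnswers(supports_credentialed=False, credentialed_restricted=False,
                         after_hours_only=True, vendor_patches=False)),
]


if __name__ == "__main__":
    plans = build_plan(INVENTORY)
    for p in plans:
        print(f"{p.device:24} {p.scan_type:16} {p.window:12} {', '.join(p.compensating_controls) or '-'}")
    print(f"credentialed coverage: {credentialed_coverage(plans):.0%}")
```

The coverage figure is the number to take to procurement: every device that lands in the non-credentialed bucket is one whose outdated software and configuration weaknesses the scanner cannot see, so it should either be renegotiated with the vendor or carried with the listed compensating controls.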
Just as Santa checks his list twice during the holidays, HTM professionals must continue to check the cybersecurity list for medical equipment. Understanding the difference between credentialed and non-credentialed scans, and knowing the right questions to ask vendors about how best to secure your systems, can give you the best insight into the security posture of your medical devices without compromising clinical functionality. By ensuring a layered approach to scanning and collaborating closely with vendors, HTM professionals can unwrap the gift of cybersecurity this holiday season.