By Connor Walsh, CISSP
The health care industry is under attack like it has never been before. In the past two years, 89% of health care organizations experienced a data breach, and it is estimated that the loss of data will rise to $6 trillion in damages in the next three years (as opposed to $3 trillion in 2017). As healthcare technology management (HTM) professionals continue to procure and install networked medical equipment, our role in preventing such attacks continues to grow. This leads to a question that some in the HTM field may have trouble answering: how is your patch management policy?
Before we can answer that question, we must look at the inventory of our networked assets. Device name, location, MAC address, inventory tag, serial number, manufacturer/model, operating system (OS), patching frequency, antivirus, and software version are all critical components and should be captured and recorded for any device that you place on your network. If this information is not known, take the time to begin collecting it, starting with your medical servers. As you go through them, navigate to the update settings and spot-check some of these systems to see the last time they received updates; this leads into the next section. Even if you have a device with a proprietary embedded OS that is unable to take any type of patching, showing due diligence by acknowledging this in your inventory is much better than rolling it out into your environment with no documentation.
As most HTM professionals know, patching policies in the medical device world are far from standard. Every manufacturer and device may have different patch approval policies, whether it is immediate, delayed or no patching approved. This information is captured in the MDS2 forms and should also be considered during any new product evaluation. For me personally, a device that can receive automatic updates from the OS manufacturer for routine and zero-day vulnerabilities (or quick vendor turn-around patch testing) is a valid reason to select one system over another. There are few things more frustrating than when a zero-day vulnerability is discovered and a patch is released, but you unfortunately find yourself waiting weeks for the device manufacturer to test the patch. This process should be streamlined for critical vulnerabilities.
At a minimum, especially in this day and age, medical device patching should be performed, or at least reviewed, monthly. All systems in your captured inventory should be looked at and spot-checked to make sure they are receiving the approved patches. Procuring systems that can take all patching, or whose patching is applied by the vendor, will not only reduce your workload but also greatly improve your cybersecurity posture. Additionally, adding this routine patching to your medical equipment management plan will better prepare your facility for when zero-day vulnerabilities such as BlueKeep or SigRed are discovered.
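To make the inventory spot-check concrete, here is an added Python example (not from the article or from any vendor tool) that models the inventory fields listed above and flags anything that fails the monthly review: devices patched more than a month ago, devices with no patch date on record, and unpatchable devices whose exception has not been documented. All device names, MAC addresses, tags and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Asset:
    """One networked medical device, carrying the inventory fields the article lists."""
    name: str
    location: str
    mac: str
    tag: str
    serial: str
    model: str
    os: str
    patch_policy: str             # MDS2 patch stance: "immediate", "delayed" or "none"
    antivirus: bool
    sw_version: str
    last_patched: Optional[date]  # None if the device has never reported a patch
    exception_documented: bool = False  # due-diligence record for unpatchable devices

def review_patching(assets, today, max_age_days=31):
    """Monthly spot-check. Returns {inventory tag: finding} for assets needing attention."""
    findings = {}
    for a in assets:
        if a.patch_policy == "none":
            # Proprietary embedded OS that cannot be patched: acceptable only when
            # the gap is acknowledged in the inventory rather than left silent.
            if not a.exception_documented:
                findings[a.tag] = "unpatchable device with no documented exception"
        elif a.last_patched is None:
            findings[a.tag] = "no patch date on record"
        elif (today - a.last_patched).days > max_age_days:
            findings[a.tag] = f"last patched {(today - a.last_patched).days} days ago"
    return findings

# Constructed sample inventory (hypothetical devices, MACs, tags and dates).
SAMPLE = [
    Asset("Infusion pump", "ICU bay 4", "00:11:22:33:44:01", "BME-1001", "SN-A1",
          "PumpCo X1", "Embedded RTOS", "none", False, "2.3", None, True),
    Asset("Ventilator", "ICU bay 2", "00:11:22:33:44:02", "BME-1002", "SN-B2",
          "VentCo V2", "Embedded RTOS", "none", False, "1.0", None, False),
    Asset("PACS server", "Data center", "00:11:22:33:44:03", "BME-1003", "SN-C3",
          "ImgCo P9", "Windows Server 2019", "immediate", True, "9.1", date(2021, 3, 9)),
    Asset("Ultrasound cart", "Radiology", "00:11:22:33:44:04", "BME-1004", "SN-D4",
          "EchoCo U5", "Windows 10", "delayed", True, "5.2", date(2020, 11, 20)),
    Asset("Patient monitor", "Ward 3", "00:11:22:33:44:05", "BME-1005", "SN-E5",
          "MonCo M3", "Linux", "immediate", True, "4.0", None),
]
REVIEW_DATE = date(2021, 3, 15)  # constructed date of this month's review

if __name__ == "__main__":
    for tag, finding in review_patching(SAMPLE, REVIEW_DATE).items():
        print(f"{tag}: {finding}")
```

In practice the inventory would be loaded from the CMMS export rather than typed inline, and the findings list becomes the work queue for the monthly patch review.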
If it is not sustainable in your current staffing model to support a monthly patching regime, the time has never been better to put together the justification for additional staffing to support it. Cyberattacks on the health care industry are not going away, and preventing these assaults is a growing role for the average HTM professional. In summary, identifying your assets, procuring cyber-secure medical devices and systems, and adding monthly patching to your department policies will all help mitigate the risk of a cyberattack on your medical equipment.
Connor Walsh, CISSP, is a biomedical engineer for the Department of Veterans Affairs. The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.