Better Medical Device Classification for Enhanced Risk Management

Effective healthcare cybersecurity necessitates a risk-based approach centered on patient care and how caregivers interact with technology. Cybersecurity teams must collaborate across the organization to stay informed about how various business units are evolving their services, and the changing threat landscape. 

Digital innovations, particularly using cloud technologies and artificial intelligence, underscore how technology is woven into every facet of healthcare delivery. This increasing reliance on technology presents both challenges and opportunities for cybersecurity teams.

The results from a recent report by Claroty Team82 represent one such facet of cybersecurity. For example, the report reveals that 55% of organizations utilize four or more remote access tools to connect devices to the internet, with 22% employing eight or more. Additionally, 79% use at least two non-enterprise-grade remote access tools. 

This data illustrates an urgent need for healthcare organizations to unify their efforts in securing biomedical devices. For cybersecurity teams, this involves gaining a comprehensive understanding of how these devices integrate into the patient care ecosystem, including their functions, data processing capabilities, and interactions with caregivers.

Considerations for Device Patching

To illustrate this point, let’s consider the tactical issue of biomedical device patching. It is the responsibility of cybersecurity teams to evaluate whether a device:

1. Connects directly to a patient

2. Acts as middleware linking multiple devices within a hospital setting

3. Serves as a remote console for data retrieval

4. Is connected to the internet

Understanding these factors is crucial for formulating patching recommendations because:

• The impact of downtime on patient-facing devices depends on whether a patient is currently connected, if medical procedures are scheduled, or if the device is the sole one serving a specific function.

• Middleware downtime can disrupt multiple devices; thus, assessing whether this disruption is acceptable is vital.

• If a device serves as a remote console for viewing data and there are multiple consoles available, the risk associated with its downtime is comparatively lower, allowing for more flexible patching schedules.

Operational Efficiencies Emerge

By identifying which category a device falls into, cybersecurity teams can tailor their patching recommendations. This approach not only enhances operational efficiency but also demonstrates empathy towards patient-facing caregivers by acknowledging their challenges and prioritizing actions that minimize disruption to their work. Instead of simply presenting a long list of unpatched devices and asserting that they pose immediate risks, cybersecurity teams can engage collaboratively with clinical teams to prioritize actions that protect patient care while addressing vulnerabilities.

Cybersecurity professionals often face resistance when advocating for vulnerability remediation because the benefits of high-tech medical devices are often clear to healthcare providers, but the risks are not. 

While highlighting vulnerabilities is essential, it’s equally important to frame cybersecurity as a facilitator of safe and effective patient care rather than merely a compliance function. By contextualizing risks within the broader framework of patient care delivery—considering how devices interact and support clinical workflows—cybersecurity teams can foster stronger partnerships with healthcare providers and even develop clinical security champions.  

This collaborative approach not only strengthens security measures but also aligns cybersecurity initiatives with organizational goals, ultimately enhancing both patient safety and operational resilience.