Just as most of the U.S. was heading to the beach or perhaps the backyard barbecue for the long Fourth of July weekend, medical device maker Medtronic warned of a significant vulnerability within its workflow management product, Paceart Optima System.
Healthcare providers use the Paceart Optima System to manage cardiac device data from popular device manufacturers. NIST’s NVD scored the vulnerability 8.8, a “high” severity. Exploiting this vulnerability could lead to data being “deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity,” according to the vulnerability’s CVE-2023-31222 details.
This vulnerability is the most recent example of connected medical device vulnerabilities, and of why system flaws that place healthcare systems at risk are unlike most other types of device flaws. After all, when traditional IoT devices are compromised, perhaps sensors are disrupted, a manufacturing line pauses, or access to equipment gets cut. It can be costly and inconvenient. “When you mess with medical IoT, you now have direct patient safety issues,” says Martin Fisher, director of information security and CISO at Atlanta-based Northside Hospital.
For Fisher and other CISOs and security teams working to defend healthcare systems, successfully defending connected medical devices from attack and disruption begins with an accurate inventory of these connected devices in the organization. “It’s a considerable challenge,” says Fisher.
An accurate asset inventory enables security teams to ensure that devices are adequately secured and monitored, and regularly verify that patch levels are up to date. As a direct result, such asset visibility also helps to improve overall operations and ensure patient safety.
Further, as connected medical devices reach end-of-life and legacy status, vendors may no longer provide adequate support, such as software updates and patches. Gaining visibility is important so operations and security teams can apply compensating controls, such as network segmentation or reduced access levels, until the devices are replaced.
Yet healthcare providers face many challenges when trying to gain visibility into their medical IoT assets. One of the most significant associated challenges is that too many connected medical devices do not support agents or APIs that help maintain inventory.
As a result, traditional network and asset management systems overlook these devices.
This creates an uncomfortably risky situation because many connected medical devices are vulnerable. According to the FBI’s 2022 Private Industry Notification report, medical devices currently on the market carry, on average, 6.2 vulnerabilities each that leave them open to attack.
Considering these conditions, it’s clear why gaining visibility and a thorough inventory of these devices is a challenging necessity.
It’s a growing problem. According to Acumen Research and Consulting, the connected medical device market is expected to reach $182 billion by 2030, up from just $31 billion in 2021. “For us, in our hospital environment, medical IoT is just ubiquitous,” says Fisher. “Whether it’s in one’s primary care office, an ambulance, intensive care unit, or an inpatient hospital environment, they are all over.”
Another challenge in gaining visibility into connected medical devices is that traditional network and device security scanners can’t be safely used to identify connected medical devices because these assessment tools may cause too much disruption. “The 405(d) Task Group advises clinical devices not to be actively scanned. We do what many hospitals do and use passive methods to track our medical devices,” says Fisher.
Such tools work similarly to traditional passive network monitors and modern endpoint detection and response tools. They monitor traffic in search of medical device fingerprints. “However, these tools only work if the traffic passes through a chokepoint,” notes Fisher. “You'll never economically catch everything, but if you can gain visibility into the vast majority of your devices, you're in a much better place,” he advises.
Fisher warns of some capability-washing occurring in the market. “There are some vendors out there who are doing good work from a medical device security perspective. At the same time, others are trying to redefine the problem in the specific terms of the solution they offer. One vendor I recently spoke with essentially took a vulnerability management tool and slapped some medical device nomenclature into it. I saw this product five years ago.”
Maintaining adequate connected medical device asset visibility and inventory requires:
Good network design: Architect networks, as much as possible, so that connected medical device traffic can be readily monitored. This may mean ensuring device traffic passes through security monitoring tools or rides on dedicated network segments.
Continuous monitoring: Implement monitoring systems to detect new devices connecting to your network. This will help in identifying unauthorized devices and any potential threats.
Vendor management: Maintain strong relationships with device manufacturers. Your medical device vendors can assist in identifying their devices and security capabilities and help security and operations teams resolve or mitigate any issues as they arise.
Staff engagement: So that staff follow policies, keep them educated on the importance of medical device security and the potential costs if something were to go wrong. This way, they’ll be more apt to report newly deployed devices and help maintain good device hygiene.
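The passive approach Fisher describes (watch traffic at a chokepoint, match it against a device library, never scan the device) and the continuous-monitoring item above both reduce to the same mechanism: build an inventory from what the network already reveals, then diff it against the last known state. The following is an added example, not code from the article, from Northside Hospital, or from any vendor product. It consumes constructed observations of the kind a DHCP log or switch mirror port would yield (DHCP vendor class and hostname, a cleartext HTTP User-Agent, destination ports), classifies each host with a small hypothetical fingerprint library (the OUI prefixes, vendor names, keyword rules and the port-to-protocol hints are all assumptions made for this example), and reports which devices are new or reclassified since a baseline run. No packet is ever sent toward a device.

```python
"""Passive device inventory: fingerprint hosts from traffic you already see.

Added example, not code from the article or any vendor product.  It never sends
a packet to a device: it consumes constructed observations (DHCP fields, a
cleartext HTTP User-Agent, destination ports) such as a mirror port or DHCP
log would yield, matches them against a small hypothetical fingerprint
library, and reports devices that are new or reclassified since a baseline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    """One fact learned passively about a host (nothing was sent to it)."""
    mac: str
    ip: str
    dhcp_vendor: str = ""           # DHCP option 60, vendor class identifier
    dhcp_hostname: str = ""         # DHCP option 12
    user_agent: str = ""            # HTTP User-Agent seen in cleartext
    dst_port: Optional[int] = None  # server port the host connected to


@dataclass
class Device:
    mac: str
    ips: set = field(default_factory=set)
    vendor: str = "unknown"
    device_class: str = "unclassified"
    confidence: int = 0             # 0 none, 1 port hint, 2 keyword match
    evidence: List[str] = field(default_factory=list)


# Hypothetical fingerprint library; every value here is constructed for the example.
OUI_VENDORS = {"00:11:22": "ExampleMed", "aa:bb:cc": "HypotheticalCardio"}
KEYWORD_RULES = [  # (observation field, lowercase substring, device class)
    ("dhcp_vendor", "infusion", "infusion pump"),
    ("user_agent", "cardiosync", "cardiac device programmer"),
    ("dhcp_hostname", "monitor", "patient monitor"),
]
# Assumed default ports; a weaker signal than a vendor string, so ranked lower.
PORT_HINTS = {104: "DICOM imaging peer", 2575: "HL7/MLLP interface"}


def fingerprint(obs: Observation) -> Tuple[str, str, int, List[str]]:
    """Return (vendor, device_class, confidence, evidence) for one observation."""
    oui = obs.mac.lower()[:8]
    vendor = OUI_VENDORS.get(oui, "unknown")
    evidence = [f"oui={oui}"] if vendor != "unknown" else []
    for fld, needle, cls in KEYWORD_RULES:
        if needle in getattr(obs, fld).lower():
            return vendor, cls, 2, evidence + [f"{fld}~{needle}"]
    if obs.dst_port in PORT_HINTS:
        return vendor, PORT_HINTS[obs.dst_port], 1, evidence + [f"port={obs.dst_port}"]
    return vendor, "unclassified", 0, evidence


def build_inventory(observations: List[Observation]) -> Dict[str, Device]:
    """Merge observations per MAC, keeping the highest-confidence classification."""
    inventory: Dict[str, Device] = {}
    for obs in observations:
        mac = obs.mac.lower()
        dev = inventory.setdefault(mac, Device(mac=mac))
        dev.ips.add(obs.ip)
        vendor, cls, conf, ev = fingerprint(obs)
        if dev.vendor == "unknown":
            dev.vendor = vendor
        if conf > dev.confidence:
            dev.device_class, dev.confidence = cls, conf
        dev.evidence.extend(e for e in ev if e not in dev.evidence)
    return inventory


def diff_inventory(baseline: Dict[str, str], current: Dict[str, Device]) -> dict:
    """Compare a baseline {mac: device_class} with a fresh inventory."""
    new = sorted(mac for mac in current if mac not in baseline)
    reclassified = sorted(
        (mac, baseline[mac], dev.device_class)
        for mac, dev in current.items()
        if mac in baseline and baseline[mac] != dev.device_class
    )
    return {"new": new, "reclassified": reclassified}


# Constructed observations standing in for a DHCP log plus a mirror-port feed.
SAMPLE_OBSERVATIONS = [
    Observation("00:11:22:33:44:55", "10.20.1.15", dhcp_vendor="ExampleMed Infusion v3"),
    Observation("00:11:22:33:44:55", "10.20.1.15", dst_port=2575),
    Observation("AA:BB:CC:00:00:01", "10.20.1.40", user_agent="CardioSync/2.1"),
    Observation("de:ad:be:ef:00:01", "10.20.2.8", dst_port=104),
    Observation("de:ad:be:ef:00:02", "10.20.2.9", dhcp_hostname="ICU-MONITOR-07"),
    Observation("ca:fe:00:00:00:09", "10.20.3.3"),
]
# Constructed baseline from a previous run; one device was unclassified back then.
BASELINE = {"00:11:22:33:44:55": "infusion pump", "aa:bb:cc:00:00:01": "unclassified"}

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_OBSERVATIONS)
    for dev in inv.values():
        print(f"{dev.mac} {dev.vendor:20} {dev.device_class:26} {sorted(dev.ips)} {dev.evidence}")
    print(diff_inventory(BASELINE, inv))
```

Two design points follow directly from the article. The classifier keeps a confidence rank so that a vendor string overrides a bare port hint rather than the last observation winning, and each device carries its evidence list so that an analyst can see why a host was called an infusion pump. The chokepoint caveat also applies unchanged: a host whose traffic never crosses the collection point produces no observations and therefore never appears, which is why the diff step only proves presence, never absence.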
Security managers, CISOs, and healthcare IT managers who seek medical device discovery tools want to find tools that can scrutinize the network to identify and classify these devices — for the needed visibility and control — without disrupting the network or device.
For example, when Fisher sought a solution, he paid particular attention to how each tool captured data on the network and whether it contained a deep medical device library geared toward healthcare IoT. He also sought a vendor that was established. “This is a critical technology; it’s important to know the vendor is going to be around,” he says.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.