Healthcare leaders are concerned about medical device security, and for good reason. Security vulnerabilities in medical devices present real risks to patient safety, data privacy, and network stability. Healthcare organizations often have limited resources dedicated to addressing these security issues, yet the healthcare industry remains the largest target of cyberattacks compared to other industries. What are the key factors making medical device security such a critical issue, and how can we account for these factors in potential solutions?
One of the largest challenges medical devices present for healthcare organizations is the problem of scale. Healthcare organizations are already grappling with the need to expand their networks to accommodate the increasing number of medical devices and other internet-connected equipment. Meanwhile, the volume of potential cyber threats and vulnerabilities continues to increase, with healthcare organizations facing more varied cyberattacks and exploits than ever before. With healthcare organizations likely to add more internet-connected medical devices in the near future and the number of cyberattacks likely to increase, medical device security is a large-scale problem that is only growing bigger.
Another challenge medical devices present for healthcare organizations is age. A review of data available from the Bureau of Labor Statistics reveals the average age of equipment owned by healthcare organizations is almost 5 years. While most of the older medical equipment healthcare organizations own will remain fully reliable from an operational perspective, some of this equipment includes internet-connected medical devices. Many of these older medical devices have known security vulnerabilities that are impossible for healthcare organizations to patch, either due to design issues or a lack of manufacturer support. For these devices, which are otherwise fully operational, healthcare organizations must consider purchasing new devices or implementing other workarounds to address these vulnerabilities.
Healthcare organizations are also challenged to find guidance for how to best approach the evolving security challenges presented by medical devices. While government organizations such as the National Institute of Standards and Technology (NIST) and the Food and Drug Administration (FDA) are developing guidance for the industry, much of this continues to be a work in progress. For example, the FDA previously issued guidance for postmarket management of cybersecurity in medical devices. While this guidance provides healthcare organizations with insight into many security best practices, it is also limited to the primary medical device market and relies on manufacturers of older devices remaining engaged in providing security updates for device vulnerabilities.
Successfully securing medical devices will require solutions capable of supporting the scale, speed, and scope modern healthcare organizations need to operate. Concepts such as automation, segmentation, and shared threat data present foundations upon which these solutions can be built. However, for these solutions to be accessible to healthcare organizations, we must remain cognizant of the resource limitations these organizations face. The crowdsourcing approach of the Medical Device Risk Assessment Platform (MDRAP™) offers an example of how innovative approaches can help address medical device security issues by sharing the workload among different organizations. These types of innovative approaches to medical device security can help solve the challenges healthcare organizations face and enable healthcare organizations to turn their focus to unlocking all the incredible power internet-connected medical devices have to offer.