During the past few years, hospital operations, clinical processes, and even medical devices have been disrupted by security incidents. Several ransomware attacks, such as WannaCry and NotPetya, impacted healthcare facilities in the United States and globally. Attacks have forced a return to paper records, cancelled appointments, and even the closure of some healthcare facilities and business units. These disruptions undoubtedly led to delays in patient care. In the worst case scenario, such delays can lead to patient harm.
Challenges of managing medical device security
The increase in network-connected medical devices poses a unique security challenge for healthcare facilities. While organizations aspire to employ IT policies and best practices across connected medical devices in order to manage security risks and avoid costly disruptions, they often find the clinical use requirements and the available medical device security capabilities to be prohibitive. Managing the security of medical devices is associated with several complex challenges:
1. First, medical devices are used to deliver care and often life-sustaining therapy. This makes it inherently more complicated to access the devices for remediation, like installing urgent security patches or updates. Device utilization can be high, with some devices being in use 24/7. Also, disconnecting the device from the network as a mitigation to a security concern often is not practical, as doing so could disrupt clinical workflow.
2. Second, many medical devices have a long useful life. ECRI Institute estimates that most medical devices will last 7–10 years or more. While the long useful life may be an advantage from the clinical functionality perspective, it quickly becomes very challenging from the security perspective. The relative time scale of clinical versus security changes exacerbates the problem. Underlying clinical technologies may remain stable for years or even decades, if they change at all. In contrast, the security landscape is in constant flux, with new vulnerabilities, threats, and exploits discovered daily.
3. Third, facilities and vendors are still digging out from a historical lack of focus in security design controls with medical devices. Many medical devices were not built to communicate with the hospital network when initially designed, and many still on the market lack basic enterprise security capabilities. The unfortunate reality is that in order to get the clinical functionality needed, facilities will sometimes compromise and accept outdated security capabilities.
