Doug Folsom

FDA Compliance

How to Prioritize Cybersecurity Risks in Medical Devices

Unpatched vulnerabilities will become increasingly susceptible to cyberattacks

Published: Tuesday, December 6, 2022 - 12:02

Unpatched vulnerabilities remain a target of cyberattacks and an ever-present risk for healthcare organizations. Medical devices pose an additional burden because patches are frequently unavailable for them, so dealing with the potential threat isn’t usually straightforward. The stakes are also high in healthcare, because cybersecurity risks can expose or hinder access to electronic protected health information (ePHI), or even harm patients if the equipment malfunctions or is inaccessible.

Medical device cybersecurity hinges on knowing the vulnerabilities of each device and whether patches are available, as well as how critical each piece of equipment is to the overall function—and determining any risk to patient safety, among other factors. Continuous assessment and real-time risk measurement help prioritize surveillance efforts, raise red flags, and mitigate risk efficiently.

The scale of threat from unpatched vulnerabilities

Federal regulators say that unpatched vulnerabilities will become increasingly susceptible to cyberattacks. Recent cybersecurity incidents have forced hospitals to relocate surgical patients, divert ambulances to other hospitals, and otherwise delay care. Regulators note how troublesome healthcare software vulnerabilities are to contend with: a single component, like the Log4j logging tool, can have multiple vulnerabilities, and remediating the risk can be a time-consuming and tedious process.

Medical devices are even more complicated than other connected devices, requiring both clinical engineering and IT expertise to manage them effectively. Addressing vulnerabilities while ensuring that the safety and effectiveness of the device do not change significantly is a fine line, and getting it wrong can affect the quality of care. In some cases, cyber safety measures could compromise the device’s capability to provide care.

Software patches and other changes to a medical device require a risk assessment and validation from the original equipment manufacturer (OEM). Manufacturers aren’t required to issue updates unless it’s determined that the risk presented by the vulnerability rises to the level of a recall, so it’s common that OEM-validated patches aren’t used.

Assessing real-time threats is critical and complicated

Healthcare systems must consider several factors when assessing real-time threats: known vulnerabilities, device risk profile, and patient safety. Before evaluation begins, teams must gather a detailed inventory of all medical devices for visibility into each device, including its core attributes, where it is, and how it’s deployed.

When evaluating each piece of equipment for cyber vulnerability, medical device teams should ask these questions:
• How critical is the vulnerability?
• What will it expose?
• How easily is it exploited?
• What’s the original manufacturing remediation status, if any?
• How is the device used: Is it life-supporting, diagnostic, or does it have another mission-critical use?

Considerations for device risk include:
• Is the issue tied to the operating system?
• Is the issue connected to an FDA alert or recall?
• How old is the device? Is it at risk of being designated as reaching “end of life” and no longer receiving support and updates from the manufacturer?
• Is the device capable of storing ePHI?

Patient safety assessment focuses on two crucial questions: What is the potential risk to patient safety, and what is the consequence of failure?

Medical device teams can prioritize which devices require risk mitigation based on the answers to these questions. The priorities can vary widely by health system. Designating the devices of first concern depends on the system’s risk tolerance, life cycle management criteria, and budget capacity. A comprehensive medical device cybersecurity solution with a technology-enabled assessment can be useful in understanding the scope of risk.

Continuous cybersecurity risk assessment

Risk assessment requires a combination of technology, people, and process. The clinical engineering team gathers a device inventory, the technology solution manages the inventory, and the medical device team executes a process to respond to vulnerabilities.

To begin addressing vulnerabilities, start with the devices carrying the most critical risk. Before installing any patch, confirm that it’s validated by the manufacturer. Unverified solutions may affect the performance of the medical device, risking patient safety. If a patch is unavailable, other compensating controls, such as moving the device to a care setting that doesn’t require it to be on the network, may be prudent but must be carefully vetted.

As teams continue the risk assessment and measurement process, establish a risk gauge to help prioritize mitigation efforts. The gauge reflects known cyber vulnerabilities, known patches, and risks to patient safety. This scale requires continuous updates based on device changes and evolving degrees of risk.
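The following is an added illustration, not code from the article or from TRIMEDX, of how the questions listed above and the risk gauge described here can be turned into a repeatable score over a device inventory. The weights, the Device fields, the CVSS-style criticality scale and the sample inventory are all assumptions; a health system would calibrate them to its own risk tolerance.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    use: str            # "life-supporting", "diagnostic" or "other"
    cvss: float         # criticality of the worst known vulnerability, 0-10 (assumed scale)
    exploitable: bool   # easily exploited, e.g. reachable from the network without auth
    oem_patch: str      # OEM remediation status: "validated", "pending" or "none"
    os_issue: bool      # vulnerability lies in the device operating system
    fda_alert: bool     # tied to an FDA alert or recall
    end_of_life: bool   # no longer supported by the manufacturer
    stores_ephi: bool   # device can hold ePHI
    harm: int           # consequence of failure to the patient, 1 (low) .. 5 (severe)

USE_WEIGHT = {"life-supporting": 3, "diagnostic": 2, "other": 1}   # assumed weights
PATCH_FACTOR = {"validated": 0.5, "pending": 0.8, "none": 1.0}     # assumed factors

def gauge(d: Device) -> float:
    """Risk gauge = vulnerability score x data exposure x patient-safety consequence."""
    vuln = d.cvss / 10
    if d.exploitable:
        vuln *= 1.5
    vuln += 0.2 * d.os_issue + 0.3 * d.fda_alert + 0.3 * d.end_of_life  # bools count 0/1
    vuln *= PATCH_FACTOR[d.oem_patch]      # an OEM-validated patch lowers urgency
    exposure = 1.5 if d.stores_ephi else 1.0
    safety = USE_WEIGHT[d.use] * d.harm
    return round(vuln * exposure * safety, 2)

def next_action(d: Device) -> str:
    """Mirror the article's order: validated patch first, then compensating controls."""
    if d.oem_patch == "validated":
        return "schedule OEM-validated patch"
    if d.exploitable:
        return "compensating control (e.g. take off the network), subject to care-team approval"
    return "document and obtain care-team risk acceptance"

def prioritize(inventory):
    """Most urgent device first; returns (name, gauge, next action) rows."""
    ranked = sorted(inventory, key=gauge, reverse=True)
    return [(d.name, gauge(d), next_action(d)) for d in ranked]

# Constructed sample inventory, values made up for illustration. Field order:
# name, use, cvss, exploitable, oem_patch, os_issue, fda_alert, end_of_life, stores_ephi, harm
INVENTORY = [
    Device("infusion pump", "life-supporting", 9.8, True, "none", True, True, False, False, 5),
    Device("imaging console", "diagnostic", 7.5, False, "validated", True, False, True, True, 3),
    Device("lab workstation", "other", 5.0, False, "none", False, False, False, True, 1),
]
```

Re-running `prioritize(INVENTORY)` whenever a field changes (a patch becomes validated, a device reaches end of life) is the continuous update the gauge requires.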

Risk mitigation is a team effort among healthcare providers. When equipment posing a security risk is identified, care providers can approve compensating controls or accept the risk for a given vulnerability based on their knowledge of the risks and benefits to patients.

Preventing cyberattacks on medical devices is vital, but mitigation isn’t simple. Teams should use the process above to evaluate the risks and benefits of repairing vulnerabilities, and act on the most vulnerable and crucial assets. The assessment isn’t a one-and-done process. Monitoring and evaluating risk must be continuous as new vulnerabilities are identified, new patches are issued, and the state and importance of equipment evolve.


About The Author

Doug Folsom

Doug Folsom is president of cybersecurity and chief technology officer for TRIMEDX, an industry-leading, independent clinical asset management company delivering comprehensive clinical engineering services, clinical asset informatics, and medical device cybersecurity. Doug has nearly 30 years of information technology leadership experience. He earned his master’s degree in business from Ohio University, and a bachelor’s degree in electrical engineering technology from DeVry Institute of Technology.