The US Healthcare Industry Cybersecurity Task Force reported: “In addition to data security and privacy impacts, patients may be physically affected (i.e. illness, injury, death) by cybersecurity threats and vulnerabilities of medical devices.”

Medical devices are difficult to secure. Device makers and HDOs have little faith clinicians and patients are protected. In many cases, budget increases to improve security only happen after an incident. Cyber Tygr assists healthcare organizations in creating and implementing Medical Device Security Programs. See our matrix and determine the level of support your organization needs.

The Connected Medical Device Problem

Like laptops, IoT devices are endpoints connected to a network, often wirelessly. Medical devices are a special category of IoT, with an astounding average of 15 per hospital bed.

  • Attached or implanted into a patient, providing quality of life
  • Designed for remote access
  • Do not permit anti-malware
  • Easily hacked and manipulated
  • More vulnerabilities than traditional IT assets
  • Traditional network security tools have limited control

Hackers use search engines that hunt and find these unsecured IoT devices, especially medical devices. Every compromised IoT device can be a point of entry into the hospital network, allowing cyber criminals to monetize Personal Health Information (PHI) or Personally Identifiable Information (PII).

Even worse, IoT actuating sensors have the ability to reach out from a digital world and make changes to our physical world. Examples include altering the dosage of an infusion pump, modifying the frequency and severity of the shocks from implantable pacemakers and impacting the accuracy of an MRI.

The Ponemon Institute compiled survey results from 277 healthcare organizations, asking whether they were aware of an adverse event or harm to a patient as a result of an insecure medical device and whether they knew the cause. The ANONYMOUS responses are displayed in the graph below.
More than one choice was permitted.

Ponemon Institute Research Report: Medical Device Security

Technology to the Rescue

  • Automated detailed device inventory – devices are discovered and grouped based on information gathered from network behavior and device communication traffic patterns allowing for increased security intelligence. This saves time and increases HIPAA compliance.

  • Vulnerability scanning – probes are optimized for passive and tuned active scans finding security concerns within the current network environment. Consideration for device susceptibility eliminates patient care interruption and automatically determines the criticality of risk exposure.

  • Intrusion detection/prevention – monitor and block active threats with malicious intent, alerting the security team and displaying the traffic targeting the vulnerability for quick response.

  • Automated micro-segmentation – significantly reduces the time and expense of implementing operationally personalized network segmentation compared with traditional manual provisioning of network security policies in NAC tools. That manual process, required for each device, protracts implementation and increases costs to the point of project failure. Solutions specifically targeting medical devices can leverage inventory, behavior and risk profile information to automate security design and policy enforcement.

  • Correlation of functionality and information – the software synthesizes the entire inventory of medical devices, leverages the device details, integrates known and active vulnerabilities, detects network intrusion activity and determines anomalous device behavior, simultaneously. All of this previously unavailable and unrelated information is correlated by the most advanced solutions in real time, prioritizing device risk and escalating alerts.

  • Utilization – optimize device usage and the operational efficiency of expensive, underutilized and unaccounted-for equipment.

  • Information sharing – coordinated management and alerts for known vulnerabilities by integrating national databases (NVD, ICS-CERT, FDA, ECRI) and manufacturer disclosure statements (MDS2) to proactively manage threats.

  • Asset management – integration with existing Clinical Engineering asset management solutions (CMMSs) aggregates new data sets, allowing for improved governance of device security.

  • Hyper-focused – the software is centered on medical device security deficiencies, then layered within a broader existing security framework, leveraging existing perimeter security investments and reducing costs.

  • Visibility – additional visibility of devices and their communications. If you can’t see it, you can’t protect it.

Medical Device Security Plan

Cyber Tygr has established partnerships with several of the industry’s sophisticated medical device security software architects. These solutions are generally hyper-focused on medical devices and layered within a broader existing security framework, leveraging existing perimeter security investments and reducing costs. This type of medical device security software provides an unprecedented level of visibility and control.

Cyber Tygr begins by deploying a solution to automatically discover the organization’s medical devices and provide a detailed device inventory. This inventory is grouped based on information gathered from network behavior and device communication traffic patterns, establishing the foundation for the development of a comprehensive, tailored and measurable Medical Device Security Plan.

Our Medical Device Security Services are flexible. Cyber Tygr will support healthcare organizations of all sizes with services designed around their specific needs. Four packages conveniently group these services, creating effective strategies for implementation: Bronze, Silver, Gold and Diamond. See the figure below for more detail.

Packages: Bronze, Silver, Gold, Diamond

Services in the matrix:

  • Stakeholder Education (regulations, laws, standards and frameworks)
  • Assess Ecosystems (technical, policies and procedures)
  • Administrative, Technical and Physical Safeguards
  • Medical Device & IoT Inventory (detailed device data: model, OS, IP/MAC, vulnerabilities, location, Serial #, etc.)
  • Device Risk Analysis
  • Device Risk Impact Scores
  • Establish Governance (roles and responsibilities)
  • Mitigation Options & Monitoring
  • Procurement (new devices and RFP for solution providers)
  • Incident Response
  • Customized Playbook
  • Project and Process Management (implementation through iterative risk mgmt.)