We will have limited operations from 15:00 Tuesday 24 December 2024 (AEDT) until Thursday 2 January 2025. Find out how to contact us during the holiday period.
The following medical device cyber security guidance[3] is predominantly applicable to administrators and engineers responsible for supporting healthcare services that are provided to the population, typically in medium to large health and medical service environments.
This guidance builds on the guidance provided for small business operators and highlights considerations that are applicable to large-scale healthcare providers, which might also be critical infrastructure. Many aspects are also applicable to small business operators. Guidance for cyber security of medical devices is important in this context as the continuous operation of health services can be disrupted by a successful cyber-attack, with cyber security vulnerabilities in a medical device being an accessible entry point for an attack.
Risk management strategy
Users responsible for implementing medical devices in critical health services should develop a clear and well documented risk management strategy. The primary goal is to develop an environment where risk to patients is minimised. The strategy will need to be revised as new types and classes of connected medical devices are added to the healthcare environment.
Consider:
- Reducing the attack surface of the biomedical environment. This involves isolating networks from any untrusted network such as the internet, disabling any unused ports and services, only allowing real-time connectivity to external networks with a defined business requirement and using unidirectional networks with an air gap where possible.
- Physical security of medical devices - restricting physical access to controls is appropriate in some operating environments. This must be closely managed to ensure usability of systems is not adversely affected.
- Expert cyber security services (either in-house or consultants) may be helpful to develop an understanding of how defendable the biomedical environment is. Examples include:
- penetration testing to find vulnerabilities that could be exploited
- cyber security operations centres/security information
- event management services to monitor for threats
Outputs of these types of services may allow an organisation to complete higher quality risk assessment and develop more robust risk management strategies.
Good risk management strategies can also be developed by applying relevant standards, shown in the table below, and by reviewing and implementing risk management strategies from other industries.
Standard* | Scope |
---|---|
IEC 80001 (series) | Application of risk management for IT-networks incorporating medical devices |
ISO/IEC 15408 (series) | Evaluation criteria for IT security |
ISO/IEC 30111 | Resolve potential vulnerability information in a product |
ISO 27799 | Health informatics - Information security management in health using ISO/IEC 27002 |
* Use the current version of each standard as appropriate.
The USA's National Institute of Standards and Technology (NIST) cyber security framework is another globally accepted approach by the cyber security community as a way to address cyber security risks throughout the life cycle of an organisation's management of risk. The framework describes a series of concurrent and continuous cyber security functions that underpin a cyber security risk management strategy.
- Identify: Develop an organisational understanding of cyber security to effectively manage cyber security risk associated with medical devices
- Protect: Develop and implement appropriate actions to ensure that a medical device can safely deliver its intended function, balancing security and usability
- Detect: Develop and implement appropriate activities to identify the occurrence of a cyber security event that changes the risk profile of a medical device
- Respond: Take appropriate action to ensure that cyber security risk is minimised for a medical device with a new risk profile
- Recover: Implement activities to increase medical device cyber resilience and to restore any capabilities or services that were impaired due to a cyber security incident
Effective management of cyber security risks may assist to meet other regulatory compliance obligations in relation to information management, including under applicable privacy legislation.
Cross-functional collaboration
Collaboration is essential for effective cyber security control of medical devices in healthcare organisations. Healthcare service providers should aim to facilitate an environment that drives cross-functional collaboration between the biomedical, clinical support and IT teams, helping all areas to develop a better understanding of the work completed within each team.
The biomedical team should be incentivised to engage with medical professionals within the healthcare organisation to help broaden their understanding of the operating profile of their devices, the technology under their management, implementation of cyber security controls and the associated risk.
Collaborative procurement
Procurement is often a centralised task in healthcare providers. Asking the manufacturer and sponsor questions about cyber security and updating procurement practices to ensure the purchase of appropriately secure devices will create greater demand for improved cyber security within medical devices.
- Incentivise procurement teams to work with IT and biomedical teams on the procurement of new medical devices to provide informed advice on appropriate security measures for the specific healthcare service provider. This will help ensure that cyber security is a measurable factor in procurement.
- Questions to ask during the procurement process may include:
- What security measures have been built into the device?
- What measures are in place to protect patient safety?
- What measures are in place to protect the confidentiality, availability and integrity of patient data?
- How has security been addressed at each level, e.g., hardware, firmware, OS, network, and user interface?
- What security protocols and frameworks have been used?
- What IT environmental requirements are needed for secure operation of the device?
- What are the known cyber security vulnerabilities for the device?
- Has the manufacturer assessed the cyber security of key components within the device (i.e. the supply chain)?
- Does the manufacturer/sponsor provide an ongoing service to manage the security of the medical device(s), and how will they respond to future cyber security incidents?
- A medical device often has a long lifecycle - does the manufacturer/sponsor have enough resources to support the security requirements throughout the lifecycle?
- How is data from the device logged and stored? Are third party cloud services used and if so, what are their privacy and security policies? Is the data stored onshore?
- How will the manufacturer respond in the future if a medical device cyber security incident occurs?
- Has the company experienced any cyber security issues previously, and how were these managed?
Medical device inventory
To effectively manage cyber security risk, the organisation should consider developing an inventory and risk profile of the current state of connected medical devices, providing insight to vulnerabilities in the operating environment. The inventory should include information about:
- the device:
- medical device name, operation and purpose
- any secondary uses beyond intended purpose
- location of device and any restrictions on physical access
- device identifiers (serial numbers, MAC addresses, default/static IP addresses)
- predecessor, successor and compatible devices
- level of device criticality
- the software
- device software versions (OS, applications and protocols)
- dependencies and interfaces
- hardware, software and network dependencies
- device interfaces (wired/wireless communications, external storage, input/output)
- network ports for clinical and remote service use
- personnel
- person(s) responsible for device security
- primary users of the device (and their cyber security training level)
- vendor and maintenance providers
- maintenance, support and end-of-life
- security and maintenance logging capabilities and configurations
- support agreements in place
- refresh cycles
- expected device life span
- end-of-life procedure / support for critical components (e.g. OS, legacy protocols)
Cyber security training
Many professionals in the health and medical sector have received little training on cyber security.
- General training should be provided that raises baseline security awareness and skills of the whole staff cohort to ensure that all staff are aware of the effects that poor medical device cyber security practices can have.
- Actively work to create a culture of cyber security awareness, vigilance and reporting, and regularly communicate potential cyber security issues within the biomedical team, and more broadly as appropriate. Encourage biomedical engineers to work with health and medical professionals and other stakeholders as applicable, to understand cyber-safe practices for use of medical devices.
- Encourage biomedical engineers/technologists, to undertake professional development in cyber security, such as completion of industry standard cyber security training.
Apply defence-in-depth approaches
Defend against attacks using several independent methods. Such methods should include:
- general considerations, such as administration protocols; application of standards; risk management strategies; infrastructure, manufacturing, and supply chain management; and provision of information for users
- technical considerations, such as cyber security penetration testing; modularised design architecture; operating platform security; emerging software; and Trusted access and content provision
- environmental considerations for the device's intended use, such as connecting to networks, and uploading or downloading data
- physical considerations, such as mechanical locks on devices and interfaces, physically securing networks, waste management (preventing capture of sensitive paper-based information)
- social considerations, such as designing out or minimising social-engineering threats (e.g., phishing, impersonation, baiting, tailgating)
Isolate networks, applications, data sources, and systems
Networks, applications, data sources, medical devices, and systems should be isolated from each other, wherever possible, through applicable administrative; physical; firewall[4]; sandboxing, such as via jails or virtual machines (e.g., Qubes OS); access control; encryption; and other methods. For example, the biomedical network should be isolated from the corporate IT network. Isolation should also occur on a temporal basis where possible (that is, via limiting access to only those times when systems are in use). This will significantly reduce the risk of malware spreading.
Regardless of the effort spent segmenting and isolating the biomedical network, compliance of the corporate network and broader health service IT system should also be assessed against relevant cyber security standards on a regular basis.
Address legacy devices
Appropriately securing legacy medical devices is important, as in many cases, they were not manufactured with security as a priority, but are increasingly becoming connected as the healthcare ecosystems take advantage of wireless technologies. If legacy devices do need to be connected to the network, if possible they should have their own dedicated and protected network, which is isolated from general IT assets and other medical devices.
Manage authentication
Access to the network is critical for most medical devices, especially with an Electronic Medical Record (EMR) system. Ensuring that only authenticated and authorised access is provided is important; however, when credentials are compromised it can be challenging to define authenticated but unauthorised access.
- Consider implementing multi-factor authentication for staff access to networks, especially in areas of high traffic and reduce privileges to only those required.
- Ongoing remote access to devices post sale by medical device manufacturers and sponsors should be an exception, not the rule. The exception is where remote access is considered necessary for the intended use of the device and where the benefits of this access outweigh the risks. Multi-factor authentication should be implemented with privileges reduced to only those required.
- Complete regular reviews of network access. These must be managed to ensure usability, safety, and security of systems is not adversely affected.
- Avoid the use of hard-coded passwords and default accounts.
- Avoid sharing credentials. Ideally each user has their own account and credentials.
- Ensure that systems and procedures are in place to remove access control from staff who leave the organisation.
Secure remote access
- Remote access to healthcare service networks increases the window of opportunity for adversaries. Remote access should only be allowed when required.
- Consider restricted access when using applications remotely and time-limited access.
- Multi-factor authentication and encryption is critical for remote access.
Restrict administrative privileges
- Adversaries primarily target user accounts with administrative privileges, as they have a high level of access to the organisation's IT systems.
- Tightly control administrative privileges and only provide to those who need them; use two-factor authentication. Consider making separate accounts with administrative privileges for these users which do not have access to the internet, as this reduces the likelihood of malware infection. Administrative accounts should not be used for regular use.
- Administrative account credentials should be changed following administrator staffing changes.
Monitor and respond
Monitoring the internal and external environment for medical device abnormalities and cyber security threats is important to building a stronger cyber security posture. One advantage of monitoring medical devices is that their range of normal operation is narrow. This means that anomalies can be easier to spot in medical devices than ICT equipment.
- Healthcare service providers should ensure they have visibility over their networks. Monitoring should occur in the following places:
- Monitor IP traffic on biomedical network boundaries for abnormal or suspicious traffic
- Monitor IP traffic within the biomedical network for malicious connections
- Use host, network, and wireless intrusion detection systems to detect malicious software and attacks
- Consider the use of intrusion prevention systems for automated response to detected intrusions
- Use login analysis to detect stolen credentials usage or improper access, verifying all anomalies with quick phone calls
- Watch account / user administration actions to detect access control manipulation such as elevating a user's privileges that would not normally require it
Monitoring the broader environment for potential threats - this includes monitoring and responding to threat intelligence sources, such as CERT alerts and any alerts issued by the TGA, sponsor or manufacturer. Depending on the technical capacity of the team, this might include developing a register of known vulnerabilities
- Service providers can apply threat information to manage risks according to standards and guidelines. The information can be applied to procurement process, hardening the security of the medical devices and their environment, or simple security audits in the form of regular penetration tests.
Cyber security and operational planning
Risk assessment and business continuity planning are key strategic operational activities undertaken by healthcare service providers and most small business operators.
- Ensure cyber security is proactively assessed as a key element in risk assessments and business continuity planning; proactively implementing appropriate cyber controls is essential to risk management.
- Develop a cyber security strategic plan, which includes a cyber specific risk assessment and response strategies. The plan should have clearly defined event response procedures that define the responsibilities of each department (in the hospital or other service provider) in the event of an incident, and emphasise the importance of each area being familiar with these procedures.
- Network threat modelling using approaches such as the MITRE ATT&CK framework are also recommended to improve the cyber resilience of devices and the organisation more broadly.
Reactive actions
Following a known or suspected cyber security breach via a medical device or on the biomedical network, service providers should be able to consult their cyber security strategic plan to understand the steps that need to be taken in the given situation. Some actions to consider include the following[5]:
- Report the security breach to the device manufacturer or sponsor, and to the TGA as an adverse event if appropriate. The Australian Cyber Security Centre may also be a useful source of information to help overcome the breach.
- Work with clinicians to understand the implications of disabling network connectivity as a risk mitigation strategy on a case-by-case basis. If clinically acceptable, disconnect the medical device from the network.
- Work with clinicians to communicate any risks to patients, on a case-by-case basis. These risks may include the potential consequences of the breach, options to mitigate the risk, long term solutions to address cyber security breach and vulnerabilities, and discussion on the benefits of the device versus the cyber security risk.
- Work with cyber security team and the device manufacturer to manage the vulnerability and to restore the system.
- If any patient data was involved, inform risk management so that the potential breach can be handled in accordance with applicable obligations under the Privacy Act, including in accordance with the Notifiable Data Breach scheme and any related OAIC requirements.
- Avoid installing un-validated patches or making any changes to the device configuration without explicit instructions from the manufacturer.
Where appropriate, healthcare service providers might consider real-time immersive scenario-based education and training to help prepare and build familiarity with the reactive actions required following a suspected breach. This will help build a security culture.
Measuring cyber security resilience
When considered collectively, the guidance provided for healthcare service providers can form the basis for assessing organisational maturity concerning medical device cyber security. This may be achieved by developing a matrix system, which can be used to understand areas of strength and areas where additional effort is required (e.g. Table 2). Healthcare service providers should develop low, medium and high criteria suitable to their organisation. These criteria should be tested as follows:
- Conduct cyber security exercises at least annually to test the whole-of-organisation's response and recovery plans.
- Assess maturity annually to ensure continued attention to providing a cyber secure environment for the use of medical devices.
Alternatively, if appropriate to an organisation's cyber security risk and resources, the NIST framework can be applied as a robust cyber security maturity assessment.
Cyber security consideration | Low | Medium | High |
---|---|---|---|
Risk-management strategy | |||
Cross functional collaboration | |||
Collaborative procurement | |||
Medical device inventory | |||
Cyber security training | |||
Network segmentation | |||
Address legacy devices | |||
Manage authentication | |||
Secure remote access | |||
Restrict administrative privileges | |||
Monitor and respond | |||
Cyber security and operational planning | |||
Reactive actions |
Cyber security considerations are not exhaustive; 'Low', 'Medium' and 'High' refer to how well the protocols and practices related to the cyber security considerations are established and implemented.
An assessor should consider if there are established protocols and practices within the organisation, or how well they are established and implemented, across each of the cyber security considerations:
- Low: very little or emerging evidence of established policy and practice
- Medium: some policy and practices
- High: full implementation of cyber security policy and practice (e.g. alignment to international standards)
Footnotes
[3] | Note: The following guidance contains extracts, with the permission of the authors, from the document 'Top Ten Strategies for Biomedical Device Security', co-authored by James Fell, Department of Health and Human Services (Victoria) and Andrew Oldaker & Simon Cowley, The Royal Melbourne Hospital. |
---|---|
[4] | Administrators should consider the use of multiple firewalls (and of various types) at the network, server, client, application, and individual network-attached device levels/layers. The types of firewalls chosen might include packet-filtering, stateful inspection, circuit-level gateways, application-level/proxy gateways, or next-gen. |
[5] | ECRI Institute (2017). Ransomware Attacks: How to Protect Your Medical Device Systems, [Online] Available from: https://www.ecri.org/components/HDJournal/Pages/Ransomware-Attacks-How-to-Protect-Your-Systems.aspx. Accessed: 28/09/2018 |