Buried Under an Avalanche of Medical Device “Special Snowflakes”

Medical Device Cybersecurity

Embracing diversity in people, ideas, and lifestyles adds to a person’s life and can provide new ideas and drive innovation. But, diversity in medical devices adds complexities, costs, and increases the chances of errors. What can make each device a “special snowflake” are the hundreds of variations in device software, software updates, maintenance, server-side software, communications, security posture, age, etc.

These variations can lead to a classic combinatorial explosion problem where mixing and matching variables in multiple combinations create thousands of devices that are unique and require individualized support. This would be analogous to having the IT department purchase and manage hundreds of different brands of computers with different ages, operating systems, patch levels, vulnerabilities, and support and maintenance steps. Managing this kind of diversity is expensive, time-consuming, and technically challenging (if not impossible) — and it can impact safety and the security of the devices. This is all in addition to the strain and financial pressure our healthcare system is currently facing.

The Challenges with Medical Device Cybersecurity

Healthcare facilities have a large number of legacy devices in use that are significant drivers of this diversity. Many medical devices have long life spans. Biomedical Advisory Group recommends 10 years for IV pumps and monitoring systems, so healthcare providers may have devices as old as 15 years still in use. In many cases, manufacturers developed these devices with no plans of doing upgrades, so you will see all flavors of Windows (including some of my favorites like Windows ME and Vista), as well as Unix and proprietary device software.

You will find a full spread of differences (and snowflakiness) in the following areas:

  • Operating Systems: All variations of Windows along with Linux and propriety systems.
  • Software Maintenance: There can be variations in what is upgraded (if anything at all), time frames, processes and responsibility, and methods.
  • Maintenance Tools: Tools can range from standard tools, proprietary tools, no tools, or even a need to “handcraft” each update and go from device to device plugging in a serial cable
  • Authentication Methods: You will see diverse methods that start with no authentication, using active directory / LDAP or local authentication. Varying authentication methods continues with different password requirements and limitations.
  • Encryption: Some devices are encrypted, and if they are, you will have multiple encryption methods in use.
  • Configurations: Multiple different configurations for active services, open ports, and communication.
  • Security Strategies: You will find a variation in AV vendors and configuration, whitelisting, agents, ability to scan, and use of local firewalls.

Creating a Plan to Manage Variations in Medical Devices

The outcome of mixing and matching these variables is that you end up with more special cases than “normal” devices. This amount of variation plays through the full lifecycle of a device, causing a proliferation of tools and methods, security solutions, and often, the need to “handcraft” solutions. There is no quick fix to this problem, and it will continue to grow as devices age.

There are several things healthcare providers can do to help mitigate this problem.

  1. Work with your institution to set internal standards for purchasing devices. Institutions should try to limit the number of vendors, device models, and configurations.
  2. Set minimum security standards for devices. Examples include the ability to patch third-party and proprietary software, limiting software’s ability to run on a device, restricting administrative privileges, and having no default or hardcoded passwords.
  3. Establish firm end-of-life for devices to minimize legacy devices that require special care.
  4. Require your vendors to use industry-standard methods for software maintenance.
  5. Encourage vendors to architect new products so that underlying system software is loosely coupled to the device functional software.
  6. Predefine and pre-build mitigation solutions. This can include mitigations such as adding whitelisting or by having network segments set aside for certain devices.
  7. Develop and maintain a robust inventory and configuration management system. There is a need to know how to maintain each snowflake and to track the security posture and risks of each individual device.

This is a long-term problem. Devices are purchased every day that will only add to the challenges, but we still need to start on the path to a solution to help minimize the risks.

As Tom Peter’s said, “Almost all quality improvements come via simplification of design, manufacturing … layout, processes, and procedures.”

Interested in learning more about healthcare cybersecurity? Read my blog post on the complexities of IoT medical devices to learn how your team can implement a medical device cybersecurity program.