DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website does not, and is not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.
Introduction
The HHS 405(d) Program is a collaborative effort between the Health Sector Coordinating Council (an organization representing the primary healthcare subsectors of direct patient care; public health; health plans and payers; pharma, blood and labs; medical technology; health information technology; and funeral homes and mass fatality managers) and the federal government to align healthcare industry security practices.
The 405(d) Task Group developed Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, its first official Task Group product and publication. Health Industry Cybersecurity Practices are given the acronym HICP.
The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients document has identified the top five cybersecurity threats facing the healthcare sector.
Threat #5 is attacks against network connected medical devices. This article discusses this threat.
What are Network Connected Medical Devices?
Network connected medical devices are network-based devices that leverage networking protocols, such as Bluetooth, TCP/IP and other network-based technology, to communicate and transmit clinical information. According to the Food and Drug Administration (FDA), “medical devices range from simple tongue depressors and bedpans to complex programmable pacemakers and closed loop artificial pancreas systems. Additionally, medical devices include in vitro diagnostic (IVD) products, such as reagents, test kits, and blood glucose meters. Certain radiation-emitting electronic products that have a medical use or make medical claims are also considered medical devices. Examples of these include diagnostic ultrasound products, x-ray machines and medical lasers.”
What Can Cause Attacks Against Network Connected Medical Devices?
1. Default passwords are not changed on network connected medical devices.
2. Equipment is not current, or legacy equipment that is outdated and lacks current functionality is being used.
3. Patches are not implemented properly - this includes regular and routine commercial system patches to maintain network connected medical devices.
4. The heterogeneity, or "differentness," of network connected medical devices means that the vulnerability and remediation process is complex and resource intensive. This increases the likelihood that devices will not be assessed or patched, leading to missed opportunities to close vulnerabilities.
What Measures Can Help Prevent Attacks Against Network Connected Medical Devices?
1. Implement cybersecurity assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities
2. Establish and maintain communication with network connected medical device manufacturer’s product security teams
3. Patch devices after patches have been validated, distributed by the network connected medical device manufacturer, and properly tested
4. Assess current security controls on network connected medical devices
5. Implement security operations practices for devices, including hardening, patching, monitoring, and threat detection capabilities