By Ken Hoyme and Judy Hatchett
Co-Chairs, Oct. 26 Healthcare and Med Device Seminar

September 14, 2020

There are several fundamental characteristics of medical devices that make them a unique challenge for security practitioners. One is the long lifecycle these systems typically have – sometimes as long as 10 or 15 years. Imagine if you were still using a laptop you purchased in 2005; it might feature a floppy drive, a CD-ROM drive, a VGA output, blazingly fast USB 1.1 ports, and of course an outdated operating system.

The second is that medical devices need to be tested by the manufacturer before patches can be distributed. That means when a company like Microsoft issues a security patch, the hospital can’t just apply it directly across the devices on its network. Since medical devices need to maintain “safety and efficacy,” the onus is on the device manufacturer to determine that their devices are properly maintained. Most patches don’t cause problems, but there have been examples where an unintended interaction caused a system to crash or otherwise become unstable.

Another challenge is getting patches installed once they’re approved by the vendor. Medical devices can be scattered all over a hospital; some may be in closets waiting for use, others may be in active use. So, ensuring they all get patched at a time when the device is not being used for a patient is a logistical challenge. It has been called “the last mile problem.”

To address these challenges, the FDA and hospitals have pushed the larger players to have robust security programs in place, and we’re seeing improved security features in the newly designed devices coming from those with solid programs. The FDA is working to ensure that all software-driven medical devices are getting the appropriate scrutiny during regulatory approval, as well. 

However, one of the pressing obstacles faced by the medical device industry today is with legacy devices. While there are improvements in the processes for getting security patches out, many of these devices were designed without a security mindset and may not have all the security controls in place that a healthcare organization would want. There are several industry initiatives looking at ways to better secure these legacy systems, but for now, that challenge remains.

As the coronavirus has driven an increased need to remotely connect to medical devices, the need to improve distribution of software patches is now driving the need for remote software updates. The irony is that with more connectivity comes the need to patch more often, which exacerbates the patch distribution challenge for medical devices.

Some healthcare delivery organizations are addressing this challenge through the use of new software that can detect the medical devices connected to their networks. They are gathering increasingly robust data on these assets, which allows other departments such as Supply Chain, IT, Information Security, Clinical Engineering, and the Chief Medical Officer to make investment, remediation, and replacement decisions more efficiently.
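The two gates described above, vendor validation before a patch may be distributed and a device being out of clinical use before it may be installed, plus the asset data a discovery tool gathers, can be modeled as a simple triage over an inventory. The following is an added illustration written for this page, not code from the authors, from any device manufacturer, or from any discovery product; the device records, model names, firmware versions, and the `VENDOR_VALIDATED` baseline are all constructed, and a real deployment would populate them from the discovery tool and from each manufacturer's published validation notices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    """One asset record, in the shape a network discovery tool might export (hypothetical)."""
    asset_id: str
    model: str
    firmware: str
    location: str
    in_clinical_use: bool


# Constructed baseline: the firmware version each manufacturer has validated for its model.
# None means the manufacturer has not yet released a validated patch; the hospital must wait.
VENDOR_VALIDATED: Dict[str, Optional[str]] = {
    "InfusionPump-X": "4.2.1",
    "PatientMonitor-M": "7.0.3",
    "Ventilator-V": None,
}

# Constructed sample inventory covering every branch of the triage below.
SAMPLE_DEVICES: List[Device] = [
    Device("D-001", "InfusionPump-X", "4.1.0", "ICU bed 3", True),
    Device("D-002", "InfusionPump-X", "4.2.1", "Storage closet B", False),
    Device("D-003", "InfusionPump-X", "4.0.9", "Ward 5 closet", False),
    Device("D-004", "PatientMonitor-M", "6.9.0", "ER bay 2", True),
    Device("D-005", "Ventilator-V", "2.3.0", "ICU bed 1", True),
    Device("D-006", "PatientMonitor-M", "7.0.3", "Ward 2", True),
    Device("D-007", "LegacyAnalyzer-L", "1.0", "Lab annex", False),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def classify(device: Device) -> str:
    """Apply the two gates in order: vendor validation first, then clinical availability."""
    if device.model not in VENDOR_VALIDATED:
        # Discovered on the network but nobody owns a validation baseline for it:
        # this is the legacy-device gap the article describes, and it needs a decision, not a patch.
        return "unknown-model-no-vendor-baseline"
    approved = VENDOR_VALIDATED[device.model]
    if approved is None:
        return "awaiting-vendor-validation"
    if parse_version(device.firmware) >= parse_version(approved):
        return "current"
    if device.in_clinical_use:
        # Behind the validated version, but patching now would interrupt patient care.
        return "patch-pending-device-in-use"
    return "ready-to-patch"


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Group asset IDs by patch state so each department sees its own work queue."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        report.setdefault(classify(device), []).append(device.asset_id)
    return report


if __name__ == "__main__":
    for state, ids in sorted(triage(SAMPLE_DEVICES).items()):
        print(f"{state:32s} {', '.join(ids)}")
```

The ordering of the checks is the point: a device that is behind on firmware is not automatically actionable, because Clinical Engineering cannot install anything the manufacturer has not validated, and a validated patch still waits until the device is out of use. Devices with no baseline at all surface as their own category so the legacy-device conversation happens with data rather than guesswork.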

We anticipate this challenge will drive more third-party solutions around patch management within the context of a healthcare system’s clinical workflow. 

The Cyber Security Summit is tackling these challenges and opportunities at the Healthcare and Medical Device half-day seminar, on Mon, Oct. 26. We have assembled a great set of speakers to talk about these issues with presentations that focus on providing actionable content across a range of industry perspectives. The emphasis will be on bringing lessons learned from large manufacturers and hospital systems to help small and mid-size organizations strengthen their security programs and better protect the health and well-being of individuals reliant on our industry.


Ken Hoyme is Director of Engineering Systems Security at Boston Scientific and has 33 years’ experience in the design of regulated safety-critical secure systems. Recently returning to Boston Scientific, he works with internal and external stakeholders to drive and improve processes and practices for pre- and post-market cybersecurity risk management across the company’s products and services …

Judy Hatchett is VP and CISO at Surescripts and has over 20 years of IT experience, specializing in Cybersecurity, Compliance, Identity and Access Management, and Service Management. Hatchett has been successful in building out enterprise-wide teams and capabilities around Cybersecurity, Identity and Access Management, Compliance, and Service Management …