Mitigating IoT Medical Device Risks (Part II): Using Device Data to Calculate Cyber-Risk
Guest Writer
This blog series introduces a step-by-step approach to help security teams in the medical space create a comprehensive framework for addressing risks associated with their IoT medical devices.
Part one in this series focused on establishing a foundation for understanding the connected medical device environment and for maintaining a data-rich inventory of the devices, their connectivity, and the context of their network behavior. In this next installment, we’ll explore how to leverage this data-rich device inventory to assess the cyber-risk associated with connected medical devices accurately.
One of the key components of secure networking is the ability to assess the cyber-risk of the connected assets. Surprisingly, only 34.3 percent of respondents to the 2018 HIMSS Cybersecurity Survey said that their risk assessment included medical devices. Given the abundance of vulnerabilities and the severity of cyber-incidents that involve medical devices, one would expect a much higher percentage. Additionally, medical device risk assessments tend to be non-systematic and are generally performed as an afterthought following a cyber-incident. We believe the main reason that risk assessments neglect to include medical devices is the lack of visibility into their network presence, connections and behavior.
A practical approach to risk assessment relies on a data-rich inventory that classifies the connected devices based on their type and model. This enables security teams to identify and log the specific vulnerabilities of each device.
Three Useful Guidelines
After identifying the potential risks on the device layer, the next step is to look at the network layer to determine the likelihood of an attack. Medical device vulnerabilities are only one aspect of the risk. The probability of these vulnerabilities being exploited depends on the attack vectors. Here are some examples of attack vectors that contribute to increased risk probability of a medical device:
Unlike healthcare IT systems, the impact of a cyber-attack on medical devices isn't limited to data security and privacy. Targeted and untargeted attacks on medical devices can disrupt clinical care and cause harm to patients.
After identifying the risks for each device and determining their risk probability, the next step is to look at the potential impact of a cyber-attack for each device.
The goal should be to rank the potential impact on patient safety, privacy and service disruption for each device. For instance, a PACS (picture archiving and communication system) would have a high privacy ranking, while an infusion pump would have a high patient safety ranking.
After defining the probability and potential impact ranking, you can give each device a risk severity index. The devices that have a higher risk probability, and a more severe impact if they were to be compromised by a cyber-attack, should be given a higher risk index.
Different organizations can define different criteria for risk index scoring. The advantage of ranking devices based on their risk index is that it allows the organization to define the acceptable risk index level so that security teams can focus on addressing the devices whose risk index exceeds the acceptable level.
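The scoring procedure described above (device-layer vulnerability, network-layer probability, impact ranking, risk severity index, acceptable level) carried through as an added example. This is illustrative code written for this post, not Cynerio's product logic; the 1-to-5 scales, the CVSS-style severity input, the combination rule and the sample devices are all assumptions.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Device:
    name: str
    model: str
    vuln_severity: float    # highest known vulnerability score for this model, 0-10 (CVSS-style; assumed input)
    network_exposure: int   # 1 (isolated) to 5 (broadly reachable), derived from observed connectivity (assumed scale)
    patient_safety: int     # impact rankings, 1 (negligible) to 5 (severe), set by the organization
    privacy: int
    service_disruption: int

def probability(d: Device) -> float:
    """Likelihood of exploitation, 0-5: device-layer severity scaled by network-layer exposure."""
    return round((d.vuln_severity / 10.0) * d.network_exposure, 2)

def impact(d: Device) -> int:
    """Worst-case consequence across the three impact dimensions; the worst one dominates."""
    return max(d.patient_safety, d.privacy, d.service_disruption)

def risk_index(d: Device) -> float:
    """Risk severity index, 0-25: probability combined with impact."""
    return round(probability(d) * impact(d), 2)

def prioritize(devices: List[Device], acceptable: float) -> List[Device]:
    """Devices whose risk index exceeds the organization's acceptable level, worst first."""
    above = [d for d in devices if risk_index(d) > acceptable]
    return sorted(above, key=risk_index, reverse=True)

# Constructed sample inventory: an infusion pump scores high on patient safety,
# a PACS server scores high on privacy, an isolated bedside monitor has little exposure.
DEVICES = [
    Device("infusion-pump-ward-3", "pump-model-x", 9.8, 4, 5, 2, 4),
    Device("pacs-server", "pacs-model-y", 7.5, 5, 2, 5, 4),
    Device("bedside-monitor-icu-7", "monitor-model-z", 9.8, 1, 5, 3, 3),
]

if __name__ == "__main__":
    for d in prioritize(DEVICES, acceptable=10.0):
        print(f"{d.name:24} p={probability(d):.2f} impact={impact(d)} risk={risk_index(d):.2f}")
```

The infusion pump and the PACS server land above an acceptable level of 10 and are ranked first; the isolated monitor carries the same vulnerability as the pump but its low network exposure keeps it below the threshold.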
In Part 3 of this series, we'll discuss how to use risk assessments and IoT data to build hardened and enduring defense layers into medical device networks.
Written by Robert Bell, Product Marketing Manager at Cynerio.