Selecting a Passive Network Monitoring Solution for Medical Device Cybersecurity Management

Estimates indicate that the average annual increase in reported cybersecurity breaches between 2010 and 2020 was 20%.^1,2  Healthcare providers experienced 78% of the total breaches in 2020, with an above average surge of 20% for the year.¹  The number of annual breaches has tripled since its first full year of reporting in 2010.¹  The last decade has seen an increased need to integrate and interface medical devices to improve clinical workflow, clinical decision-making, and device utilization tracking, which has elevated the cyberthreat landscape.

Medical devices are no longer a combination of electromechanical components; instead, they are microprocessor based and capable of connecting to the network, storing and transmitting information, and performing numerous functions in a manner similar to personal computers.^3,4  Connected medical devices are capable of connecting to the Internet (or enterprise network) and to other devices, thereby forming a “system of systems.” As a result, these devices present a unique set of challenges.

Connected medical devices benefit clinical providers by easing clinical decision-making and processing large volumes of data, which in turn facilitates clinical process efficiency. However, sensitive information, including patient health information, business information, and proprietary clinical protocols, are now stored, transmitted, and displayed on medical devices. The likelihood of exposure of this sensitive information has increased because of the advancement of medical devices. Connected medical devices contribute to effective clinical care delivery, and interruption in their functionality can affect a healthcare system's ability to diagnose, monitor, and/or treat patients.

The lack of security built into traditional medical devices and the Internet of Medical Things (IoMT) has increased susceptibility to exploitable vulnerabilities. Medical devices serve as a communication channel for the spread of malware in information systems or networks via unsecured points of entry (e.g., open ports, weak passwords, outdated software, weak firewalls, outdated plug-ins, insecure application programming interfaces).⁵ 

Although certain newer models of medical devices have been designed with improved inherent security features, updating or upgrading controls to meet applicable security regulations, internal standards, and leading practices involves added costs and may be prohibited because of device regulatory status.⁶  Useful resources for healthcare systems include:

• Food and Drug Administration (FDA). Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software

• FDA. Postmarket Management of Cybersecurity in Medical Devices

• National Institute of Standards and Technology (NIST). Cybersecurity Framework (CSF)

• Healthcare and Public Health Sector Coordinating Council. Medical Device and Health IT Joint Security Plan Medical Device Cybersecurity: A Guide for HTM Professionals

• Department of Health & Human Services. Cybersecurity Practices for Medium and Large Health Care Organizations

This cost often is greater than that for which healthcare systems budget or have the technical capability and capacity to support. In addition to the added cost, these updates and upgrades may void manufacturer warranties, compromise regulatory approvals, or cause system downtime and loss of interoperability when they are not validated by the manufacturer.⁷ 

Starting a medical device cybersecurity program requires utmost detail with its basics. Medical Device Cybersecurity: A Guide for HTM Professionals provides a thorough review of the essentials of a medical device cybersecurity program.⁴  Professionals responsible for assessing the current state of the program must evaluate and align the program with applicable security regulations and standards.⁸  The Health Insurance Portability and Accountability Act (HIPAA) Security and Privacy Rules and the NIST CSF serve as guidance toward a program assessment.⁹ 

Identifying core programmatic gaps will allow the healthcare system to better understand areas of development, improvement, and monitoring. This is an important step that will allow the healthcare system to determine if and when to pursue a passive network monitoring (PNM) solution selection and implementation. Programmatic gaps and the underlying set of policies, procedures, and datasets needed to bridge the gap then become relevant to what a PNM solution will deliver. The programmatic gaps also allow healthcare system staff to assess their business requirements and select a PNM solution that meets those requirements. The ability to measure successes of the PNM solution is possible with a clear understanding of the business requirements and use cases.

This article provides an overview of the need for a robust network security solution for medical devices and the IoMT. It also describes a methodical approach for selecting a PNM solution while emphasizing the importance of evaluating programmatic gaps, developing use cases, project planning, and measuring success metrics. Guidance is provided for healthcare technology management (HTM) and cybersecurity professionals who are planning to select and implement a PNM solution for medical device cybersecurity management.

In general, network security strategies are critical for healthcare systems; they protect the healthcare/hospital networks from cyberattacks, hacking attempts, and employee negligence/insider threats.¹⁰  Network security involves three major components: hardware, software, and cloud services. Current-day medical devices are built with all three of these components, thereby enabling them to serve their intended purpose and share healthcare data for the benefit of patient care.¹¹ 

Network security tools for securing major components in the healthcare environment include:

• Access control.

• Antivirus and antimalware software.

• Host intrusion detection and prevention.

• Management agents (e.g., for configuration management database [CMDB] or data loss prevention).

• Application security.

• Behavioral analytics.

• Distributed denial-of-service prevention.

• Email security.

• Firewalls.

• Mobile device security.

• Network segmentation.

• Security information and event management (SIEM) systems.

• Web security.

These tools can be incorporated in the healthcare information technology (IT) environment. However, the majority of medical devices do not function as intended when these tools are applied at the device, model, or application layer. While applying network security tools for connected medical devices, one has to be mindful of the “CIA triad” (confidentiality, integrity, and availability) of medical devices. With the application of these tools, medical devices need to maintain confidentiality of data stored, transmitted, or displayed; the integrity of the devices must be maintained at all times; and the devices must be available to clinical providers and patients for use.

For example, although antivirus and antimalware scanners may be automatically pushed to traditional endpoints in the health IT environment, they cannot be installed on connected medical devices. Most medical devices do not support scans and will lose their ability to continuously diagnose, monitor, or treat the patient. An infusion pump's ability to continuously deliver medication at predefined doses can be interrupted when a scan is run on its backend. A physiological bedside monitor may not continuously capture and transmit a patient's vital data to the electronic health record if a scan is run on its server. A major reason for using PNM and passive security tools is their ability to not interrupt mission-critical medical devices.

Because connected medical devices present a unique set of challenges, maintaining an accurate inventory through a well-defined and well-understood asset management system is essential.⁴  Healthcare systems report up to a 75% increase in automation with real-time identification of critical network attributes and an approximate 63% decrease in spent labor hours using PNM solutions.²  These metrics are of critical importance given that capturing important network attributes can be a time-consuming and a daunting task, particularly for thinly stretched HTM departments.

Several intuitive technology solutions passively monitor the network traffic without disrupting network-enabled services and parse metadata so that they can be better understood. In general, that's what a PNM solution does—it analyzes network metadata using a proprietary algorithm that classifies devices and systems, assembles a comprehensive asset inventory, derives device security parameters, and assists in the risk management process.¹²  Because of the unique challenges of connected medical devices, PNM is preferred because critical care delivery services are not interrupted as a result of active scanning.

Network operations receive the greatest benefit from the use of a network monitor and Log Correlation Engine. Although these types of of technologies are commonly used and applied in IT management, they remain largely unfamiliar in HTM. In simple terms, deciphering network metadata is time consuming, similar to an HTM professional visiting the various hospital units and manually documenting system parameters.¹³  A technology that could listen to the network traffic, report on the various system connections, and provide details on what those connections entail would be beneficial to the healthcare system in terms of time, cost, and human resources while improving its security posture. That really is what the PNM solution is doing, without the need to install a software agent on the connected medical device.

Similar to any public health initiative, evaluating the current status to identify community-wide problems is essential to giving evidence-based solutions.¹⁴  Connected medical devices involve cybersecurity challenges at the people, process, and system levels. A multidisciplinary approach is necessary to understand the process and system-level challenges, to develop and implement efficient workflows, and to sustain results through well-monitored programs.¹⁵ 

A structured approach to evaluating programmatic gaps can be done using the NIST CSF.¹⁶  For an HTM professional new to information security (IS), the online learning portal is a good start to understand how to put the NIST CSF to use.¹⁷  The online learning portal breaks down the NIST CSF into specific framework components. It also provides a structured outline of the implementation process, which is essential to implementing a medical device cybersecurity program that aligns with the IS/cybersecurity program.

As the healthcare system begins to evaluate the current state of the program, documenting current processes is very important. Aligning these processes in the five functional areas of the NIST CSF will help analyze the gaps across the more granular categories under each function. Figure 1 shows the five functional areas and various categories in each area.

The categories under each function cover various topics across cybersecurity management necessary for the business to optimally function while maintaining compliance with applicable regulations. In addition, the categories have 108 subcategories that are more outcome driven. The NIST CSF is not prescriptive in terms of how to achieve the outcomes; the healthcare system is expected to customize its approach. Figure 2 provides a snapshot of certain subcategories and their informative references.

The subcategories shown in Figure 2 provide examples of the outcomes that are expected in the business environment category. The informative references support the core function, which in this case is “identify.” Also of note, the NIST CSF includes a supply chain risk management category that, in light of recent high-profile breaches such as SolarWinds, is a critical activity.

Maturity levels for management and control over IS/cybersecurity processes are based on an approach defined by the Control Objectives for Information and Related Technologies (COBIT) framework. Although the COBIT framework is more specific to IT/IS compared with HTM, it has proven effective in the HTM department because it aligns its processes with IT/IS, which is necessary to avoid working in siloes.

To streamline the assessment, the program assessment outcomes can be classified into categories based on the level of effort and its maturity level (e.g., outcomes requiring a high level of effort for initial development, outcomes requiring a medium level of effort for improvement and needing metrics to measure success).

In the HTM world, programmatic gaps in the three main functions (identify, protect, and detect) of the NIST CSF are commonly seen. For these broad functions, categories that fall under the assessment classification are outlined in Table 1.

The program gap assessment can be performed in a variety of ways, most commonly using the NIST CSF as a reference and through a combination of on-site interviews, documentation review, and on-site inspections to assess processes.

The key to the success of a gap analysis is how it captures and measures its current state with NIST CSF, the HIPAA Security and Privacy Rules, internal standards, and industry-leading practices, and how it develops a tactical plan of action that aligns with the healthcare system's cybersecurity strategic plan. At every step of the tactical plan development, it is crucial for the evaluator to consult with those who are the strategic planners and more tactical doers. This helps to build an effective plan that can be put into use and will not just remain as another assessment plan in the department files.

The core groups assigned to evaluate the technical and nontechnical evaluation will develop the set of use cases using the program assessment as a reference. The basis for developing the use case criteria will be the NIST CSF and program assessment results. Activities in each category and subcategory that would apply to the PNM solution can be identified by referring to Figure 1. Table 2 provides a high-level overview of activities in each function. Of note, this is not a comprehensive list and is only meant to serve as a reference.

For each activity, work with the technical and nontechnical evaluation members to set a weight or importance level. If it makes sense to do that for each category rather than the activities, then that is acceptable as long as it works for the healthcare system.

A quantitative analysis is preferred when evaluating each activity in a set of use cases. A simple five- or 10-point Likert-type scale will allow a collective evaluation. A five-point Likert-type scale, such as that shown in Table 3, can be used for the vendor evaluation. If opting for this type of scale, documenting the rating descriptions is important.

A questionnaire using the healthcare system's use cases should be developed and vendor responses evaluated by the multidisciplinary evaluation team. These scoring methodologies will allow the team to format responses along with a predefined range.

Project planning is an important step in building a mature medical device cybersecurity program. Project planning will facilitate a clear understanding of stakeholder expectations, deliverables, scope, timeline, and budget. The HTM and IT departments in healthcare systems are continuously taking on more responsibilities with an adequate expansion of staff (or budget). Project planning will allow the stakeholders and technical and nontechnical evaluation staff to plan the evaluation, selection, and implementation of a PNM solution effectively and efficiently.

Establishing governance over medical device cybersecurity is crucial to a successful program. Governance ensures well-defined roles and responsibilities across various teams involved in medical device cybersecurity activities.¹⁸  Some of these activities include preprocurement evaluation, testing, and secure configuration evaluation prior to deployment/installation, ongoing patch management, and data sanitization during decommissioning. An accountable resource (leader/manager) leading medical device cybersecurity is necessary to ensuring momentum across all activities. Without dedicated resources, developing and maintaining a mature medical device cybersecurity program is impractical and impossible.

After the establishment of governance, the NIST CSF can be used by technical and nontechnical evaluation staff to perform a program assessment. This will provide a thorough understanding of the gaps, data, resources, and tools needed to bridge the gaps.⁹  Commonly seen gaps include an accurate inventory, number of staff needed for vulnerability management, skillsets needed to staff teams that will manage the PNM solution, and on-site staff needed to apply patches and other system-hardening controls listed in NIST 800-53.¹⁹ 

Seeking the assistance of a third-party or project management expert(s) to pursue a proof-of-concept is recommended. This is because the HTM professional overseeing medical device cybersecurity is managing multiple projects and having a dedicated project manager or project coordinator will help build and maintain momentum across medical device cybersecurity efforts. The project management expert will be tasked with coordinating meetings across the stakeholder and evaluation groups, following up on action items, and obtaining vendor documentation.

Before starting a proof-of-concept, action should be taken on several important factors, including the following:

• Present the PNM proposal to an IT steering committee/governance committee:

  • ○ Alternatively, form a committee that consists of stakeholders who will benefit from the PNM solution.

• Plan resources:

  • ○ Core group that will evaluate the vendors.

  • ○ Core group that will evaluate the technical capabilities of the PNM solution.

  • ○ Core group that will evaluate the nontechnical capabilities of the PNM solution.

  • ○ Capital and operating budget allocations.

  • ○ Realistic delivery times.

• Document review methods.

• Establish goals, outcomes, and use cases review and refinement.

• Document vendor interview methods.

• Prepare scripted demonstrations.

• Plan hands-on demonstrations.

• Pilot (or proof-of-concept).

  • ○ Locations to install the PNM appliances.

• Establish a core group that will evaluate the datasets from the PNM solution's portal or application.

• Develop scoring methodologies.

• Identify and routinely update the decision-making authority (e.g., senior leadership of IT, senior leadership of HTM).

• Prepare contractual language, including multiphase implementation plan and key success factors.

• Establish project management expectations.

It's very important for the project management expert to maintain coordination and communication among all core groups. This allows for the right set of business requirements to be translated to all of the stakeholders and workgroups. At the same time, the sponsor or management representative of this effort needs to level-set expectations with the project management expert. This allows for a thorough understanding of this initiative and expected outcomes.

Medical device cybersecurity has been a hot topic for the past several years, and several PNM solution vendors are available. Since 2015, software vendors in the IT arena have ventured into creating a solution that is a one-size-fits-all for connected medical devices. Although that is virtually impossible, considerable progress has occurred in terms of what these solutions can deliver to the healthcare system.

PNM solution vendors regularly attend HTM trade shows (e.g., AAMI Exchange, MD Expo, CMIA [California Medical Instrumentation Association] Connect), broader health IT/IS conferences (e.g., HIMSS Global Health Conference & Exhibition, H-ISAC Summit), and other security workshops. Every event sees progress on what these solutions have to offer. Before considering a PNM vendor, the healthcare system needs to maintain consistent focus on their business requirements. Key factors to consider when evaluating vendors include:

• Company growth, product growth, and roadmap, including the ability to scale up or down.

• Number of years of experience in the healthcare cybersecurity landscape.

• Working knowledge of medical devices and the Internet of Things among vendor representatives.

• Methods of data collection.

• Quality of data.

• Technical capabilities of the solution.

• Delivery time of the solution.

• Pricing of the solution.

• Proactiveness and response times of the vendor.

The healthcare system must determine the importance of each of these factors. Following a consistent scoring methodology is vital. Including a core group of stakeholders who are well versed in product evaluation is essential to successfully selecting vendors for proof-of-concept implementation.

Medical device cybersecurity is a developing space with numerous vendors offering a variety of solutions. Healthcare systems often purchase and invest in technologies/solutions that are not used to their fullest extent. It is important to select a PNM technology/solution vendor that meets all or a majority of the business requirements (as listed in the supplemental material for this article, available at www.aami.org/bit), that is evolving its solution to meet the changing landscape and requirements, that is consistent and transparent with pricing, and that includes vendor representatives who are honest, are knowledgeable, and understand the medical device cybersecurity landscape and its challenge in healthcare systems.

A pilot study has been defined as “a small-scale test of the methods and procedures to be used on a larger scale.”²⁰  Performing a pilot study on a selected set of PNM solutions will allow healthcare systems to validate the feasibility and acceptability of the solution in various ways. Healthcare systems often select one or two facilities where the PNM solution appliances are installed to capture data. This allows them to vet the solution against use cases, such as by validating:

• Regulatory considerations.

• The ease of data collection and consumption.

• The ease and scalability of deployment.

• The coordination and communication between the healthcare system and vendor teams.

• The price point for the PNM solution.

• Integration challenges with the existing computing environment.

Performing a pilot will allow the technical and nontechnical evaluation team members to assess the strengths and limitations of the PNM solution. A methodical process for deployment of the solution and subsequent data analysis, including vendor involvement, can be assessed during the pilot, which increases the credibility of the selected solutions. The pilot study also will allow healthcare system teams to interpret qualitative and quantitative metrics (as defined in the previous section). Primary evaluating factors for a PNM solution are listed in the supplemental material.

Examples of qualitative metrics include:

• Ability to facilitate preprocurement evaluation of cybersecurity risks.

• Ability to assist in the development of system-hardening controls and internal standards.

• Ability to integrate with existing security and monitoring tools, such as network access control (NAC), firewall management systems, computerized maintenance management systems (CMMSs), CMDBs, and SIEM systems.

• Healthcare worker/caregiver education and training for medical device cybersecurity.

• HTM/IT training for medical device cybersecurity and management of the PNM solution.

• Feedback from the clinical provider on cybersecurity controls.

• Cybersecurity engagement across the stakeholder group.

Examples of quantitative metrics include:

• Number of connected medical devices, identification of its network attributes, and real-time location tracking.

• Number of connected medical devices that store, transmit, or display sensitive information.

• Web traffic generated from connected medical devices to external connections.

• Number of connected medical devices with legacy operating systems (OS) or unpatched OSs.

• Number of unpatched connected medical devices with exploitable vulnerabilities, risks with misconfigurations, and recommendations of risk mitigation.

• Number of connected medical devices that store sensitive information and do not support encryption.

• Number of connected medical devices that are communicating with other medical devices.

Before the pilot study, it is crucial for healthcare systems to develop use cases, performance indicators, and, preferably, benchmarking data that are relevant to the PNM functions. Having a comparison group, such as data from other healthcare systems of similar structure and size, will provide a realistic assessment of the capabilities of the PNM solution.²¹  In addition to feasibility and validity data, the pilot study will allow healthcare teams to develop processes for the management of the PNM solution and operational practices that consume data from the PNM solution. It also will highlight the requirement for integrating the PNM solution with the existing networking environment.

Integration with existing tools (e.g., NAC systems, firewall management systems, CMMSs, CMDBs, service management tools, SIEM systems) is vital to ensuring a holistic approach to cybersecurity management of connected and standalone medical devices. The ease of integration is one of the success factors during a pilot/proof-of-concept.

The effectiveness of a PNM solution is measured by monitoring and assessing key metrics related to medical device cybersecurity management. These metrics allow healthcare systems to monitor security controls that contribute to specific, measurable, attainable, and relevant processes that help reduce risks to acceptable and manageable levels.

PNM solutions often come with cloud-based portals that allow healthcare systems to create, customize, and measure success through metrics. Metrics that allow the healthcare system to determine and measure the security posture include the total number of connected medical devices and the number and type of:

• Medical devices with recalls.

• Medical devices with anomalies.

• Medical device cybersecurity risk scores.

• Medical devices with active vulnerabilities.

• Medical devices with external services and connectivity.

• Medical devices with open ports.

• Medical devices with electronic patient health information.

• Medical devices with legacy/obsolete OSs.

• Medical devices with MDS² (Manufacturer Disclosure Statement for Medical Device Security) documents.

• Unidentified devices on the network.

These are metrics that must be routinely monitored and evaluated for program success. Creating and collecting these metrics also aids in developing a risk register attributed to medical device cybersecurity. The risk register allows the healthcare system to assess acceptable risks and manage controls, strategies, and infrastructure requirements to maintain a secure posture.

The requirements for network security and connected medical devices vary according to the individual healthcare system. Every program's maturity level is different; therefore, a consolidation of lessons learned may not be applicable to all healthcare systems. Several lessons learned during pilots and selection of PNM solutions include:

• Development of use case criteria with multidisciplinary teams is critical.

• Conducting preplanning with the technical evaluation team members and team members from network planning, security architecture, and risk is necessary to meet all requirements, including those of various stakeholders.

• Maintaining standard intervals between deployments during the pilot is crucial, as team members often are involved in multiple projects and go-lives at the same time.

• Dedicating resources for data collection, assessment, and interpretation is essential to effective evaluation of pilot study outcomes.

• Obtaining senior management approval prior to starting the pilot study. This is crucial because it avoids multiple and unnecessary discussions with vendors that are not part of the pilot study.

Selecting a PNM solution can be daunting for healthcare systems. This is because it involves numerous stakeholder groups and technical teams to evaluate vendors, develop use cases, install the solution at test sites, and evaluate numerous outcomes. However, after it is selected for implementation, a PNM solution provides momentum that is needed to mature a medical device cybersecurity program. It allows the identification, continuous monitoring, and actionable remediation for connected medical devices and its risks without interrupting its function in the clinical environment.

Numerous researchers and healthcare leaders agree that few endeavors are more useful than conducting pilot studies. Pilot studies allow organizations to test ideas, products, methodologies, and learn lessons before implementation on a large scale.²²  These studies allow healthcare systems to identify use cases, measure data, analyze data, and identify unanticipated problems and benefits of an implementation.

This article provides a roadmap for healthcare systems that are evaluating PNM solutions for medical device cybersecurity management. By evaluating programmatic gaps, developing use cases, ensuring effective project planning, and measuring success metrics, healthcare systems can select a PNM solution and establish medical device cybersecurity programs. The current work adds value to the existing literature around medical device cybersecurity and the use of network security tools to manage risks associated with connected medical devices. The vetted practices described in this article can help in selecting a robust network security solution for medical devices and the IoMT.