Investigating medical device incidents is tedious, time consuming, and involves multiple stakeholders. “Medical device cybersecurity” incidents, on the other hand, can be a mind-boggling and costly affair! The Ponemon Institute stated in a 2020 report that organizations spend an average of $3.86 million recovering from cybersecurity attacks. This includes costs associated with incident detection, lost business, breach notification, legal fees, and recovery.
Incident response comprises activities that allow the healthcare delivery organization (HDO) to respond to crises and mitigate immediate threats to minimize service interruption. Forensic analysis includes detecting, investigating, documenting, and assessing the incident against violation of internal standards, processes, laws, and regulations.
Critical components of incident response are:
- HDO cybersecurity policy alignment. Review HDO cybersecurity policies and enforce them for connected medical devices. This will facilitate a thorough review of events, incidents, and any policy violations.
- Detection of suspicious activity. HDOs using a passive network monitoring solution should prioritize identifying ports, applications, services, and internal/external communications for a connected medical device. Passive monitoring can help look for behavioral patterns that indicate an active or attempted breach or risk. HDOs should also have the ability to set searches for key events in their network which might indicate that their policies are being violated. Custom policies that match the specific constraints of the network can be more difficult for an attacker to evade than generic rules to catch suspicious activity.
- Investigation of the activity. HTM and cybersecurity teams should work together to acquire and evaluate any evidence to determine the threat and its cause. Evaluating inbound/outbound data streams will be useful to review any unexpected connections or services running on the medical device.
- Ability to Response to an Incident. Once an event is detected, cybersecurity should have the ability to take appropriate actions on the network to isolate the problem and prevent it from spreading.
- Forensic and retrospective analysis. Evidence of suspicious activity may include system logs, network logs, error messages, alerts, alarms, etc. to determine the scope and impact of the activity. Packet captures of devices that behave unusually will help analyze suspicious activity. In many cases, the medical device manufacturer (MDM) is sought to retrieve system logs due to lack of access for HTM.
- Processes and procedures. Cybersecurity practices that define and standardize incident response and forensic analysis should be followed for medical device cybersecurity incidents. This will also apply for record retention following an incident or suspicious activity.
- Tabletop exercises. Adopting a people, process, technology approach will solidify incident response. Tabletop exercises will help clarify and better define roles and responsibilities for incident response.
For connected medical devices, both incident response and forensic analysis is challenging as HTMs may not be able to adopt traditional cybersecurity practices. Tracking network activity, collecting system logs, and discovering inbound-outbound data streams does not come easy! However, having the capability to track network activity, enforce network monitoring policies, and retrieve these network logs will allow HDOs to manage and mitigate threats proactively and with minimal impact.
Priyanka Upendra, MS, CHTM, AAMIF is a Senior Director of Customer Success at Asimily. She is the president of the American College of Clinical Engineering and a member of AAMI’s Technology Management Executive Council and Publications Editorial Board.