How to Accurately Calculate Risk for Devices in Clinical Networks
Clinical networks are different from other networks, primarily because they are made up of medical and IoMT devices found and used only by health systems. These devices are integral to ongoing operations and the delivery of care, which means any corruption or disruption can have severe consequences. This is probably why a HIMSS study found that 85% of surveyed healthcare providers consider medical device security a strategic priority.
But, to effectively protect the ongoing integrity, availability, and reliability of all the connected devices within a clinical network, health systems must first understand the risks they pose. This takes not only detecting each and every device in the network but also identifying at a granular, contextual level the likelihood and impact a specific device compromise could have on patients and the health system at large.
We, at Medigate, have come up with a healthcare-specific risk scoring framework that enables health systems to accurately understand the risks devices within their network pose. This enables staff and resources to focus on the highest priority remediation and mitigation activities that will keep patient data and operations safe. Let’s look at the Medigate Risk Scoring Framework…
Standard Risk Frameworks are a Starting Point
There are several risk assessment frameworks that apply to clinical networks. For example, guidelines from the FDA, ECRI, and ISO can be helpful, as well as the Risk Management Technical Information Report 57 (TIR57) by the Association for the Advancement of Medical Instrumentation (AAMI). TIR57 is probably the most common because it draws on the National Institute of Standards and Technology (NIST) Guide for Conducting Risk Assessments (SP 800-30) and tries to make adjustments to accommodate many of the unique aspects of clinical devices. Unfortunately, these frameworks don’t go far enough, making them insufficient for many hospitals to use to accurately and comprehensively assess risk within their health system.
Why? These frameworks are primarily targeted at manufacturers, not hospitals, which means it is difficult to translate their abstract recommendations into concrete action when dealing with clinical workflows that are critical to patient outcomes. In addition, these frameworks don’t account for the diversity of device types, models, and configurations in clinical networks, all of which correspond to a multitude of attack vectors and vulnerabilities, that require consideration. Plus, there are all the factors external to the device itself that affect its risk level and need to be considered, such as the network topology and clinical processes in which it is involved.
As a result, Medigate has expanded upon these basic standards to build a risk assessment framework that is as unique as the clinical networks themselves.
Medigate’s Risk Scoring Framework
The Medigate Risk Scoring Framework provides effective risk metrics that health systems can use to assess and understand the risks devices pose to their clinical environment. It marries extensive clinical AND cybersecurity expertise to pinpoint the concrete factors that indicate the likelihood of a breach in a device on the clinical network and the severity of its impacts, as well as create a logical, continual process for measuring, weighing and aggregating these risk scores so they can be acted upon. How does it do this? At a high level it looks at:
- Likelihood: the probability that a given threat is capable of exploiting a given vulnerability. It encompasses the probability of a threat event being initiated, and the probability it will cause adverse impacts. It is also strongly affected by the vulnerabilities of the system and any security controls that are in place to mitigate them, which is possible due to Medigate’s deep packet inspection (DPI) technology that is able to identify and analyze device OSes, protocols, embedded software, and communication flows, among other things.
- Severity of impact: the magnitude of harm to individuals, systems, operations, and the organization that can be expected to result from a compromise to the device. Medigate considers a number of parameters for all the medical, IoMT and IoT devices in the network, including whether the device stores and transmits personal health information (PHI) (medical devices) and personally identifiable information (PII) (IoT devices); its FDA medical device classification (I/II/III); the expected patient harm as a result of a device failure; and the monetary cost of replacing the device. Note, the monetary cost also considers how lucrative compromising a device could be from the perspective of a ransomware threat, since expensive devices serve as stronger leverage points in such attacks.
Since the functional, financial, and reputational damages of data leakage or downtime may vary by organization, Medigate does not fully cover these aspects by default, but rather allows the organization to customize the scoring to reflect their environment and meet their needs.
Not all risks are created equal – health systems want to know which are the most critical, so they can prioritize actions. Medigate ensures security teams are not drowning in an endless sea of alerts, with no way to discriminate between them, by weighting the risk scores.
Each medical, IoMT and IoT device in the health system starts with a risk score of 0 and accumulates points for each risky device property, such as an Ethernet or Wireless connections. Points are subtracted for properties that reduce the probability of a compromise, such as serial or gateway connections. Parameters with greater influence on a device’s vulnerability, such as published CVEs, can be weighted more heavily, resulting in adding more points than other parameters.
The relative points range of each parameter is based on cybersecurity and clinical best practices, as well as guidelines from existing standards and external metrics. Security teams can look at the risk category that Medigate has assigned each device – Very Low, Low, Medium, High, and Critical – to very quickly see what they need to attend to first.
The Value of Accurate Risk Assessments
Medigate’s Risk Scores support the prioritization of remediation and mitigation activities. Medigate offers recommendations, often based on security best-practices, to reduce device risk scores and enhance a hospital’s clinical network security stance. For example, Medigate may recommend:
- Updates: flagging the latest application, firmware or hardware versions available, as well as the purpose of these new versions (functionality versus security), so health systems can better plan if, when and how they want to make updates to their environment.
- Remediation: patching published CVEs that apply to devices within the network.
- Mitigation: enforcing network policies or segmentation for vulnerable device types to prevent possible exploitations and impacts.
Hospitals can view recommended actions for each device alongside its risk assessment to establish a clear connection between action and risk mitigation. The goal is to help health systems understand their risks, so they can take action to strengthen their security and keep their operations and patients safe.
Contact us to learn more about Medigate’s Risk Scoring Framework.