Crothall Healthcare Blog

How We Reduce the Chances of a Medical Device Cybersecurity Attack

Hospitals needing help to prevent and mitigate cyberattacks can now benefit from new technology that will keep their equipment up and running and their patients safe.

Crothall’s Healthcare Technology Solutions (HTS) team is part of a sophisticated network that enables us to gather and receive information about cybersecurity threats to medical devices. Once we receive that information, we can quickly identify each medical device that may be affected at the 200+ hospitals we serve across the US. If any device is vulnerable, we can quickly work to deploy mitigating measures, including environment- and device-specific recommendations for every device to reduce or eliminate risk, even if no patch is available.

With cyberattacks becoming more frequent and sophisticated – we see them occur almost every week – this solution is needed more than ever.

A new study by the Ponemon Institute, a Washington, D.C., think tank, interviewed more than 600 information technology professionals across more than 100 healthcare facilities. Two-thirds of respondents who had experienced ransomware attacks said the attacks disrupted patient care, and 59% of them found the attacks increased the length of patients’ stays, straining resources. Almost one-quarter said the attacks led to increased mortality rates at their facilities.

Alerts Are the Key

We are able to identify the impact on any medical device once we receive a communications “alert” from one of a handful of federal government agencies that monitor cyberattacks. These agencies, which include the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency that oversees cybersecurity, ensure that timely information about medical devices is shared across government agencies and corporations.

Information from each alert is analyzed by ASIMILY, a leader in medical device inventory and cyber-security and operational management. Since mid-2020, ASIMILY has been Crothall Healthcare’s strategic cybersecurity partner, enabling us to bring new technologies to clients and stay one step ahead of emerging threats. Here is a specific example of how ASIMILY helps us:

We will receive an alert that a particular model of an infusion pump, MRI machine, or other medical device has a known threat that could lead to a cyberattack. Because ASIMILY has an inventory of every single medical device in the hospitals that use its service, we can immediately see if any hospital devices in our purview are affected.

If a medical device is impacted by an identified threat, Crothall’s CyberHUB Security Operations Center team contacts the original equipment manufacturer (OEM) to determine if a patch can be installed to mitigate the problem. If the patch or upgrade is approved, we obtain it from the OEM and give our team of technicians at the hospital instructions for applying the patch or taking mitigating steps, with the aim of minimal downtime.
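The alert-to-inventory matching and patch-or-mitigate decision described above can be sketched as follows. This is an added example, not Crothall's or ASIMILY's code; the advisory fields, vendor, models, firmware versions and asset names are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: vendor, model, versions and site names are invented.
ADVISORY = {
    "id": "EXAMPLE-ALERT-001",        # placeholder, not a real advisory id
    "vendor": "Acme Medical",
    "model": "InfuSure 300",
    "fixed_in": "2.4.0",              # firmware below this is affected
    "oem_patch_approved": False,      # OEM has not approved a patch yet
}

INVENTORY = [
    {"site": "Hospital A", "asset": "PUMP-0012", "vendor": "ACME Medical", "model": "infusure-300", "firmware": "2.3.9"},
    {"site": "Hospital A", "asset": "PUMP-0047", "vendor": "Acme Medical", "model": "InfuSure 300", "firmware": "2.4.0"},
    {"site": "Hospital B", "asset": "PUMP-0101", "vendor": "Acme Medical", "model": "InfuSure 300", "firmware": "2.10.1"},
    {"site": "Hospital B", "asset": "PUMP-0102", "vendor": "acme medical", "model": "InfuSure 300", "firmware": ""},
    {"site": "Hospital B", "asset": "MRI-0003", "vendor": "Acme Medical", "model": "MagView 7", "firmware": "1.0.2"},
]

def norm(name):
    """Fold case and punctuation so 'infusure-300' matches 'InfuSure 300'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def version_key(v):
    """'2.10.1' -> (2, 10, 1); compared numerically, so 2.10 > 2.4."""
    return tuple(int(p) for p in v.split("."))

def triage(advisory, inventory):
    """Return {site: [(asset, action)]} for devices the advisory covers."""
    action = "apply OEM patch" if advisory["oem_patch_approved"] else "apply mitigations"
    target = (norm(advisory["vendor"]), norm(advisory["model"]))
    fixed = version_key(advisory["fixed_in"])
    out = defaultdict(list)
    for dev in inventory:
        if (norm(dev["vendor"]), norm(dev["model"])) != target:
            continue
        if not dev["firmware"]:
            # Unknown firmware: keep the device in scope until it is verified.
            out[dev["site"]].append((dev["asset"], "verify firmware on site"))
        elif version_key(dev["firmware"]) < fixed:
            out[dev["site"]].append((dev["asset"], action))
    return dict(out)

if __name__ == "__main__":
    for site, hits in triage(ADVISORY, INVENTORY).items():
        print(site, hits)
```

Normalizing names and comparing versions numerically matter here: a plain string comparison would miss the device recorded as "infusure-300" and would wrongly flag firmware 2.10.1 as older than 2.4.0.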

While ASIMILY analyzes each issue on the front end, Crothall’s skilled team of biomedical technicians and imaging service engineers (ISE) support any cybersecurity issue on the ground. Each new Crothall biomedical technician and ISE hired since 2018 has received IT training that includes cybersecurity modules from CompTIA, the industry leader in IT training. They are certified in CompTIA IT Fundamentals, the training course that provides the core IT knowledge and enables our technicians to better understand IT and cybersecurity.

In addition to helping Crothall find and identify threats in medical devices that could lead to cyberattacks, ASIMILY’s technology provides a variety of other solutions that can help protect each device in a hospital from a cyberattack. For example, Asimily can:

  • Simulate an attacker’s path to compromise a device to understand each device and how it may be exploited.
  • Provide recommendations for every medical device to reduce or eliminate risk.
  • Digitize and integrate the Manufacturer Disclosure Statement for Medical Device Security (MDS2) for every medical device. This provides a better understanding of the criticality of a device, what kind of data is processed or stored, and any mitigations that could reduce the risk of a vulnerability or threat.

To manage risk from attacks, we work closely with hospital administrators and IT departments to implement solutions to reduce issues where medical devices may be vulnerable. If you would like more information or a demonstration of this service, please contact edward.myers@crothall.com.

By Eddie Myers, Director of Cybersecurity, Crothall Healthcare Technology Solutions
