This is part three in a three-part series on medical device risk management, particularly as it pertains to vulnerability assessment. In part one, we discuss the processes and procedures to implement inside of a clinical environment to position the security team for success. Part two gets in the weeds and examines how to directly perform assessments on medical devices. In part three, we put it all together with an example of how an organization would implement these ideas with a based-in-reality medical device.
In our previous two posts, we have built out some theory on how to approach safely bringing medical devices into the vulnerability management life cycle. We have done this with an eye toward patient safety, up to the point where we’re proactively preparing for mistakes to be made. What would this process look like in practice?
A new initiative
Welcome to Mooseville Medical! A major metropolitan hospital system, Mooseville Medical has a primary level-one trauma center, several connected satellite clinics, and administrative personnel spread out wherever they fit. The bulk of the organization is focused on the main hospital, and taken as a unit, the environment is littered with everyday workstations, a modest data center, and—of course—medical devices.
We in the information security team have recently been told, somewhat ungracefully, that we need to examine “the cyber stuff” with regards to the organization’s medical devices. The lone piece of guidance we’ve been given is to (all together now) avoid patient harm.
There are a few things we know already as we begin to tackle this new initiative. First, the medical devices are segmented. We ..