Stuck in the Middleware: Hidden Medical Device Security Weaknesses
Published On February 20, 2019
Blog Post by Brian Selfridge, Meditology Services IT Risk Management Partner
Unmanaged medical and IoT devices have introduced a significant hurdle for security teams trying to protect critical healthcare information and systems. A strategic direction for managing medical devices should be captured in a formal medical device security program and strategic plan. And while the “device” itself should be carefully evaluated for security risks, additional focus should be given to the middleware and platforms running behind the scenes: the servers, databases and network components that support the devices but are rarely covered by a device-level review.
Ask questions such as:
- What servers, databases and specialized network configurations are introduced by medical devices and vendors?
- Does my organization assess, influence, or control access management and configuration settings for medical device middleware?
- Are administrative accounts and credentials provided by the vendor for servers and databases able to be changed? Are the same credentials used by the vendor at other customer sites?
- Do we conduct risk assessments or controlled hacking assessments, aligned with standard frameworks such as HITRUST CSF and NIST CSF, to validate that medical device middleware is properly secured?
Ideally, a medical device security program should align with leading industry standards such as those offered by the FDA, NIST and HITRUST. For example, a Medical Device Security Questionnaire (MDS2) is a standard recommendation for evaluating new devices to be added to a healthcare organization’s networked infrastructure. However, these device-specific criteria may not go deep enough to understand the security provided for middleware infrastructure used to support medical devices.
Medical device middleware is a frequent target for attackers because it often relies on weak authentication across the myriad of devices and systems interconnecting with the organization’s infrastructure. Medical device platforms can expose initial entry points into an organization’s network, from which attackers can pivot to other critical assets and systems.
Health organizations should be actively involved in thought leadership with both regulators and medical device manufacturers. By engaging in the dialogue on data security needs and vulnerabilities, CISOs are in a unique position to help set the industry standards for the security of PHI. In 2017, two bills were introduced to address data security on medical devices: the Internet of Medical Things Resilience Partnership Act (October 2017) and the Medical Device Cybersecurity Act (August 2017).
However, organizations should not wait for regulators like the FDA to drive enforcement of security standards.
Instead, health entities should be creating and executing medical device security strategic plans that include stakeholders from biomedical, clinical engineering, security, IT, legal, procurement, and other departments that can help address this issue. Organizations should also remain active in conversations with regulators about needed data security standards, and work collaboratively with the medical device market to ensure appropriate data security measures are factored into product design and implementations, including the middleware layers.
HIPAA Journal, “Internet of Medical Things Partnership Act Bill Introduced”, Oct. 9, 2017
Snell, E., HealthcareITSecurity.com, “Medical Cybersecurity Act Draws Industry Support”, Aug. 7, 2017