

Medical Device Cybersecurity: HHS 405(d) Best Practices Update

Ty Greenhalgh
/ March 9th, 2023

The U.S. Department of Health and Human Services (HHS) has established the 405(d) Program and Task Group to align healthcare industry security approaches. This group is a collective effort between the healthcare industry and the federal government, which aims to “raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector”. The HHS 405(d) Program and Task Group is also responsible for the Health Information Technology for Economic and Clinical Health (HITECH) amendment. This HITECH amendment recognizes the guidelines set forth by the Healthcare Industry Cybersecurity Practices (HICP) as a Recognized Security Practice (RSP) to help healthcare organizations achieve compliance, reduce financial risk, and increase patient safety.

As an industry principal for healthcare at Claroty and with thirty years of experience in introducing disruptive technologies to improve healthcare information management, I have had the honor of becoming an ambassador to the 405(d) Task Group. As an ambassador, I have actively contributed to the creation of the new HITECH amendment. During a recent webinar sponsored by the Health Information Sharing and Analysis Center (H-ISAC), I shared valuable insights on how your organization can successfully implement the HHS 405(d) medical device security guidelines to improve patient safety, decrease financial risk, and ensure compliance with the HITECH Amendment.

In recent years, attacks against connected medical devices have been included in the top five most impactful cybersecurity threats, and medical device security has been placed in the top ten most impactful mitigations. These rankings attest to the growing need for improved medical device cybersecurity — not only to protect sensitive information, but to ensure the safety of your patients. Here are a few tips on where to begin:

  1. Visibility: Healthcare delivery organizations (HDOs) struggle to maintain a complete view of all devices in their environment. Without detailed visibility, it is nearly impossible to effectively protect and manage devices. Medigate by Claroty has the ability to parse protocol packets and understand how devices are integrated and how they communicate, which allows for unmatched depth of visibility, solving HDOs' asset discovery challenge.

  2. Asset Management: HDOs often struggle with asset management due to the lack of a “single source of truth”. A computerized maintenance management system (CMMS) is what HDOs use to manage connected devices. However, these systems are traditionally disconnected from the environments they are designed to manage. Medigate’s Clinical Device Efficiency (CDE) provides the CMMS with a live connection to the assets it is intended to manage, ensuring it can serve the HDO as a single record of truth.

  3. Endpoint Protection: HDOs lack granular data around their managed and unmanaged connected devices. Integrating with Endpoint Detection and Response (EDR) solutions like CrowdStrike’s Falcon Platform increases the accuracy and confidence of Medigate’s Security Platform. Medigate also shares information with CrowdStrike to identify which medical devices are capable of running an EDR agent but currently have none. This partnership gives HDOs the visibility and tools they need to perform comprehensive risk management, posture assessment, anomaly detection, and policy enforcement for their entire connected endpoint landscape.

  4. Identity & Access Management: Hospitals often allow devices they “believe” to be medical devices onto the network without proper identification, in an effort to prevent disruption to patient care. This MAC Authentication Bypass is leveraged because network administrators lack visibility into their devices and feel pressure to relax standards for fear of adverse patient outcomes. With Medigate, HDOs can maintain a comprehensive, detailed inventory of devices (including manufacturer, device type, MAC address, serial number, and policy creation) and conduct real-time monitoring to accurately detect anomalous behavior and identify threats.

  5. Network Management: The security infrastructure in place to protect an HDO's network often lacks the visibility and expertise to consider the clinical impact of policies and remediation. As a result, HDOs are forced to err on the side of caution and only implement basic levels of control or forgo them altogether — leaving them exposed and vulnerable to sophisticated attacks. Medigate’s Network Policy Management (NPM) takes offensive action with its awareness of clinical workflows and its understanding of how policies or remediation activities affect clinical devices. With NPM, HDOs can protect their devices via automated, network-centric policy orchestration and enforcement to reduce their risks and strengthen their overall security posture.

  6. Vulnerability Management: Active scanning is considered dangerous in healthcare environments, especially for medical and clinical device categories, as these devices are connected directly to patients. Scanning a device can cause a malfunction or render it inoperable, placing both patients and data at risk. Medigate enhances HDOs' visibility by importing data on all scanned devices in the ecosystem and shares inclusion and exclusion lists that identify the non-medical devices within VLANs that can safely be scanned but currently are not. This increases scan coverage and decreases overall risk.

  7. Procurement & Security Evaluations: Many HDOs are conducting risk assessments as part of procuring new medical devices. By eliminating the purchase of devices possessing unknown vulnerabilities, HDOs can stop the addition of risk to their environment. Medigate supports this onboarding of devices through a risk comparison feature detailing the risks and mitigations of each candidate device.
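The inclusion/exclusion logic behind tip 6 can be made concrete: given a classified device inventory and the address ranges a vulnerability scanner currently probes, compute the medical devices that must be excluded from scanning and the non-medical devices that could safely be added. This is an added illustration, not Medigate code or output; the inventory, the VLAN numbers and the scanner scope are constructed sample data.

```python
"""Reconcile a clinical device inventory with a vulnerability scanner's scope.
Illustrative example only; all device records and scan ranges are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Device:
    ip: str
    vlan: int
    category: str  # "medical" or "non-medical"
    name: str


# Constructed inventory, as an asset-discovery platform might classify it.
INVENTORY = [
    Device("10.20.1.10", 20, "medical", "infusion-pump-a"),
    Device("10.20.1.11", 20, "medical", "patient-monitor-b"),
    Device("10.20.1.50", 20, "non-medical", "nurse-station-pc"),
    Device("10.30.2.7", 30, "non-medical", "badge-printer"),
    Device("10.30.2.8", 30, "non-medical", "dicom-workstation"),
]

# Constructed scanner scope: the address ranges the scanner probes today.
SCAN_SCOPE = ["10.20.1.0/25", "10.30.2.8/32"]


def in_scope(ip, scope):
    """True if the address falls inside any network the scanner targets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in scope)


def reconcile(inventory, scope):
    """Return (exclusion, inclusion) address lists.
    exclusion: medical devices the scanner currently reaches -> patient-safety risk, remove.
    inclusion: non-medical devices the scanner never reaches -> coverage gap, safe to add."""
    exclusion = sorted(d.ip for d in inventory
                       if d.category == "medical" and in_scope(d.ip, scope))
    inclusion = sorted(d.ip for d in inventory
                       if d.category == "non-medical" and not in_scope(d.ip, scope))
    return exclusion, inclusion


def coverage_by_vlan(inventory, scope):
    """Per-VLAN count of scannable (non-medical) devices versus those actually scanned."""
    report = {}
    for d in inventory:
        if d.category != "non-medical":
            continue
        entry = report.setdefault(d.vlan, {"scannable": 0, "scanned": 0})
        entry["scannable"] += 1
        entry["scanned"] += int(in_scope(d.ip, scope))
    return report
```

With the sample data, the two infusion-pump and monitor addresses land on the exclusion list because the scanner's /25 range covers the whole clinical VLAN, while the badge printer on VLAN 30 is the only unscanned non-medical device.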

As the number and type of devices connecting in clinical settings increases due to the rapid adoption of the extended internet of things (XIoT), so does the number and type of threat vectors that the health system must monitor, manage, and secure. To deliver the kind of care communities now require safely and securely, health systems need to adapt and scale their security efforts to address the potential risks and improve healthcare for patients. That’s where Medigate by Claroty comes in to help your organization successfully implement the HHS 405(d) medical device security guidelines and improve patient safety, decrease financial risk, and ensure compliance.
