
Medical Device Risk Management: Protecting Patient Care

The Claroty Team
/ March 14th, 2024

Connectivity in the modern healthcare network has dramatically reshaped patient care delivery, as once-independent health system workflows now rely heavily on connected devices. Although these devices and applications have transformed the world of healthcare, the increasing reliance on this connectivity means healthcare delivery organizations (HDOs) face new risks when assessing their security posture. As a result, organizations require medical device risk management strategies and solutions to gain visibility into risks within their connected medical devices, and to streamline workflows for prioritization and remediation.

What is Medical Device Risk? 

HDOs are composed of a vast, interconnected internet of medical things (IoMT), which encompasses a network of medical devices, hardware infrastructure, and software applications, all created to deliver patient care quickly and efficiently. IoMT devices and systems are often not designed with security in mind, making them especially vulnerable to cyber risk. Further complicating matters is the stark reality that compromised IoMT devices have more dire consequences than any other cyber-physical systems (CPS): IoMT devices carry patient risk, and if compromised, can endanger patient safety. Over the past decade, risk management in healthcare has become more complex with the fast-paced evolution of medical devices, the increase in cybersecurity incidents during the global pandemic, the resulting adoption of borderless work, and the ever-changing state of regulatory and legal policies. As a result, HDOs require comprehensive medical device risk management strategies and solutions to reduce risk within their environment.

Challenges to Achieving Medical Device Risk Management

As we know, it is paramount for HDOs to prioritize medical device risk management; however, there are several challenges to achieving a comprehensive approach. Here are a few your organization may encounter:   

  • Lack of Medical Device Visibility: Oftentimes, medical device and operational technology (OT) risks are invisible to IT security teams. That’s because new devices are continuously being connected to the HDO network, many times without proper authorization. With this vast array of connected devices, deployed across a number of facilities, HDOs can find it difficult to identify and keep track of all these devices.  

  • Poor Cyber Clinical Hygiene: When organizations have poor cyber clinical hygiene, gaps are created between security, biomedical, clinical engineering, and business stakeholders within an HDO, making good governance and effective risk mitigation almost impossible to achieve.

  • Application of Standard IT Controls: IT security tools are fundamentally incompatible with the protocols and workflows used by cyber-physical systems. In many cases, IT solutions lack the capabilities to identify assets and devices, let alone help secure them. 

  • Compliance with Industry Standards and Regulations: Cybersecurity standards and regulations have become essential for the protection of medical devices; however, compliance with these requirements can be complex, and the requirements themselves are subject to frequent updates. Making matters worse is the fact that compliance failure may result in legal and regulatory consequences, as well as increased exposure to cyber threats.

Strategies to Reduce Medical Device Risk 

Although it is impossible to truly eliminate many — if not most — types of risk, implementing medical device risk management strategies and applying risk controls can help organizations reduce the likelihood of risk in their critical environments. Here are some of the top strategies to get you started on your journey: 

  1. Device Discovery: No organization can manage what they cannot see, which is why so many HDOs struggle to manage their device risks. This lack of visibility makes it difficult for healthcare organizations to understand the attack surface area of their connected devices and the likelihood of a breach. To resolve this issue, it is important to fingerprint all medical devices in the network. This entails gaining full device attribution and knowledge of operating requirements — manufacturer, model, OS, hardware, app versions, and location are essentials. Every detail is important, and organizations should be looking for ways to continuously enrich their understanding as the threat landscape evolves. This includes not only the data that defines the device, but maintenance intervals, utilization patterns, and the experience of staff who interact with the device throughout its lifecycle — from acquisition through disposal.

  2. Risk Identification: Once complete visibility into devices and network blindspots is established, organizations can then begin to identify risks. Medical device risks need to be considered within the context in which they exist, including the likelihood that a given threat is capable of exploiting a given vulnerability, and the severity of the impact. By identifying which risks are the most critical, teams can prioritize efforts and actions. A healthcare-specific risk framework can make these nuanced determinations by identifying and scoring risks based on granular visibility and context, so they can be appropriately evaluated, prioritized, and addressed to keep patients safe.

  3. Risk Prioritization: Once risks are identified, it is essential to prioritize the most important vulnerabilities in the environment based on which are currently, or are most likely to be, exploited. The Known Exploited Vulnerabilities (KEV) catalog and Exploit Prediction Scoring System (EPSS) are the most efficient way to prioritize vulnerabilities based on their exploitation likelihood. The KEV catalog is a compilation of documented security vulnerabilities which have already been successfully exploited. EPSS, on the other hand, uses a data science model to estimate which vulnerabilities are likely to be exploited within the next 30 days. Automatically combining these two indicators of risk provides healthcare organizations with the ability to efficiently prioritize the vulnerabilities that threat actors are most likely to exploit. 
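The following is an added example, not code from the original post or from Claroty's platform, that shows one way to combine the indicators described in steps 2 and 3: KEV membership and the EPSS probability give the likelihood component, CVSS gives severity, and a clinical context weight (assumed here as a 1 to 3 patient-impact rating) supplies the healthcare-specific context. All findings, device names, scores and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability observed on one medical device (constructed sample data)."""
    device: str
    cve: str             # placeholder identifier, not a real CVE
    cvss: float          # CVSS base severity, 0-10
    epss: float          # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool         # listed in the CISA Known Exploited Vulnerabilities catalog
    patient_impact: int  # assumed clinical context rating: 1 = admin, 3 = direct patient safety


def exploit_likelihood(f: Finding) -> float:
    """KEV membership means exploitation is already documented, so treat it as
    certain; otherwise fall back to the EPSS probability."""
    return 1.0 if f.in_kev else f.epss


def risk_score(f: Finding) -> float:
    """Risk = likelihood x severity x clinical context, scaled to 0-100."""
    severity = f.cvss / 10.0
    context = f.patient_impact / 3.0
    return round(100 * exploit_likelihood(f) * severity * context, 1)


def prioritize(findings):
    """Highest risk first; ties broken by raw EPSS probability."""
    return sorted(findings, key=lambda f: (risk_score(f), f.epss), reverse=True)


# Constructed sample inventory: a high CVSS alone does not win the top slot.
SAMPLE = [
    Finding("infusion-pump-07",    "CVE-0000-00001", 9.8, 0.02, False, 3),
    Finding("pacs-server-01",      "CVE-0000-00002", 7.5, 0.91, False, 2),
    Finding("patient-monitor-12",  "CVE-0000-00003", 6.5, 0.05, True,  3),
    Finding("admin-kiosk-03",      "CVE-0000-00004", 9.1, 0.01, False, 1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.device:20s} {f.cve}  kev={f.in_kev}  epss={f.epss}")
```

Running it ranks the KEV-listed patient monitor first and the CVSS 9.8 infusion pump third, because its EPSS probability is low; in practice the context weight would come from the device attribution gathered in step 1.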

Every healthcare environment is unique, and requires robust strategies to achieve successful medical device risk management. However, by beginning with the above tactics, HDOs can ensure they are on the right track to achieve a sector-wide goal: reduce risk. 

Having built and optimized cyber risk management capabilities for hundreds of global organizations over the past decade, Claroty knows firsthand what it takes to achieve medical device risk management as part of a healthcare cybersecurity maturity journey. To learn more about our award-winning healthcare IoT security platform, Medigate by Claroty, and its robust capabilities, visit,
