Hospital IT shops and information security pros wondering how best to protect the dizzying array of medical devices attached to their networks got a reality check on Thursday from Kevin McDonald, director of clinical information security at the Mayo Clinic.
“You can take 60 to 70 percent of the risk out just by doing some simple things,” McDonald said during an FDA hearing titled Cybersecurity of Medical Devices: A Regulatory Science Gap Analysis.
McDonald listed the basic steps as: having an inventory of devices and software, regularly patching operating systems, whitelisting, installing anti-virus software, and not allowing hard-coded, default or non-expiring passwords.
That’s not to say such infosec blocking and tackling will make devices bulletproof. It won’t. McDonald noted that medical device security will continue to be problematic until hospitals can replace all the devices already in place with new ones that have security built in.
Even today, “there are very few secure devices to buy,” McDonald said.
With approximately 25,000 medical devices connected to its network — ranging in complexity from basic cameras to its Proton Beam Therapy equipment — and 13 full-time employees focused on medical device security, McDonald stressed that the Mayo Clinic is not representative of the real world.
Rural hospitals, small networks and physician practices struggle with the same issues but have fewer resources, less money and, in many cases, an entire security team smaller than the baker’s dozen Mayo has working solely on devices.
“Smaller hospitals and physician offices are in big trouble,” McDonald said. “There is no killer app that will fix the problem, it has to be a combination of things and, sadly, for many legacy devices there is no solution other than local firewalls.”