How Vail Health ensures consistent medical device security and firmware patching

The health system scans each asset and confirms that targeted vulnerabilities have been patched and can be considered as resolved.
By Bill Siwicki
12:06 PM

Vail Health is a nonprofit community health system with locations in Eagle and Summit counties in Colorado. Vail Health offers a 56-bed hospital, 24/7 emergency care, a helipad, urgent care clinics, cancer care, breast centers, cardiovascular services, surgery, childbirth, physical therapy, internal medicine, endocrinology and more.

THE PROBLEM

The health system was facing a cybersecurity problem: inconsistent medical-device security software and firmware patching.

"Devices and systems were left up to the manufacturers and maintenance vendors to patch and update, and this provided mixed results and unknown risks," said Alex Popov, IT security analyst at Vail Health. 

"While we are constantly monitoring network health and completing mechanical preventative maintenance, there was a gap in addressing software and firmware updates or threats directly related to the network-connected or capable medical devices."

Vail Health implemented monitoring tools able to capture a lot of information relating to the devices that are connected, and these tools provide staff with security alerts to the best of their ability.

"Maintaining a secure medical device environment requires a holistic approach addressing the risks in all parts of the technology environment, from the network to the hardware, software and physical security."

Alex Popov, Vail Health

"However, it's a huge undertaking to go validate each of these alerts, then address each legitimate threat with a specific patch that may only work for a single model," Popov explained. "This is another problem: Although a single vulnerability may impact several different models, the patch could be completely different for each model."

To gather the specific, manufacturer-approved patch for hundreds of different models for just one identified vulnerability would take an enormous amount of time and resources, he added.

PROPOSAL

IT security vendor HSS offered Vail Health a systematic approach where an experienced team would be looking at the medical devices, servers, software and firmware on a wider scale, assessing the security status of each asset and creating a road map for keeping all of them updated and patched consistently, Popov said.

"The appeal of the program is their team of professionals who are going to go onsite and complete the necessary tasks required for mitigating risk on the device level," he explained. "The proposal from HSS was an offer to help. They offered to take some of the heavy workload off our plate."

MEETING THE CHALLENGE

Spotlight is an HSS medical-device-security service. The HSS team members working with Vail Health are using several different tools to compose a clearer picture of what security issues need to be addressed and pinpoint the specific devices and servers.

"Some of those tools include Medigate Security and Clinical Analytics tool as well as Rapid 7 Nexpose tool in order to asses specific vulnerabilities discovered on the devices," Popov related. "They're also using an inventory management platform called TMA, which is used by the biomed department, that primarily tracks the status and identifying information of the assets."

All of these tools are simply data sources that HSS uses to create a single view of the security posture of the applicable asset's data.

"Based on this data we can prioritize the list of issues that need to be addressed," Popov said. "The following steps would be working directly with the manufacturers and vendors in order to discover what solutions may be available and applying them to the devices and systems in question. These steps are not quick tasks."

Emailing and calling the manufacturers can take hours or even days of communication. Scheduling availability with department leaders is an additional challenge that HSS also undertakes.

"We have specific change control procedures in place ensuring that this process does not cause any undue patient care and/or service interruptions," Popov said. "As mentioned, HSS undertakes all of the challenges, including scheduling, coordinating and communicating throughout the entire patching process from start to finish."

RESULTS

While the program still is in early stages, Vail Health confirms success by scanning each asset and ensuring that the targeted vulnerabilities have been patched and can be considered as resolved, Popov explained.

"HSS will provide metrics around vulnerability instances, devices vulnerable/optimized, identified vulnerabilities, vulnerability criticality, device criticality, and so on," he said. "The overall goal is to reduce the risk of an incident, and produce metrics that show this progress."

ADVICE FOR OTHERS

"As more and more network-connected medical devices are introduced in every medical facility around the world, keeping up with the demands of the ever-changing security landscape becomes a top priority that cannot be ignored or left to chance," Popov advised. 

"This is why maintaining a secure medical device environment requires a holistic approach addressing the risks in all parts of the technology environment, from the network to the hardware, software and physical security."

This, he said, requires a concerted effort in order to produce consistent positive results.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.