When a cybersecurity vulnerability emerges that may reach a facility's medical devices, information security staff often find it difficult to ascertain just how great a threat the vulnerability presents. Relevant knowledge about what the device is, what it is used for, and where it is normally located is needed to understand the risks and appropriately plan the remediation and response.
To help facilities prioritize incoming cybersecurity vulnerability Alerts, ECRI is providing a standardized clinical context summary for each medical device cybersecurity Alert it produces. This summary—included as part of the new Risk Assessment section being added to our cybersecurity-related Alerts—identifies typical uses for a particular medical device type and helps gauge the potential impact if the device is compromised or unavailable for use. We also provide an estimate of the typical quantities of protected health information (PHI) associated with the device to help organizations identify assets with sensitive records, which may require additional risk control measures.
This clinical context summary provides healthcare facilities with easily digestible information about the medical device in question and can help facilitate communication of the potential impact related to the vulnerability between different stakeholders (e.g., IT, clinical engineering, frontline clinicians, risk management).
The information covers seven questions, with the possible responses listed below:
1. Device use
   a) Life sustaining
   b) Therapeutic
   c) Diagnostic
   d) Drug delivery
   e) Ionizing radiation
2. Clinical impact
   a) Frequently used for emergency response
   b) May be used for emergency response
   c) Routine clinical use—not used in emergencies
3. Operational impact
   a) Alternatives likely not available
   b) Alternatives likely available
4. Environment of use
   a) ER
   b) Med/surg
   c) Radiology/imaging department
   d) OR
   e) ICU
   f) Other
5. Device mobility—What type of device is it?
   a) Handheld
   b) Mobile
   c) Fixed
   d) Built into a room
6. Is the device typically networked?
   a) Yes
   b) No
7. Amount of PHI
   a) Large (>500 records)
   b) Small (500 or below)
ECRI recommends that healthcare facilities use this clinical context information together with the specific details of the vulnerability and its severity (e.g., the Common Vulnerability Scoring System [CVSS] score, which is also part of the Risk Assessment) to prioritize and plan their response to security vulnerabilities affecting medical devices.
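As an added illustration of how a facility might turn the seven context questions and a CVSS score into a triage order (example code written for this page, not ECRI's method or tooling): the field names and permitted responses are the ones listed above, and the CVSS severity bands are the CVSS v3.x qualitative scale. The numeric weights, the three context levels, the P1-P4 priority matrix, the alert IDs and the three sample alerts are assumptions of this example, chosen so that a moderate CVSS score on a life-sustaining, non-substitutable, networked device outranks a higher score on a device with ready alternatives.

```python
"""Rank medical-device cybersecurity alerts by CVSS severity combined with
the clinical context summary. Weights, levels and the priority matrix are
this example's assumptions, not ECRI's scoring."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Permitted responses for the seven clinical-context questions (from the page).
DEVICE_USE = {"life sustaining", "therapeutic", "diagnostic",
              "drug delivery", "ionizing radiation"}
CLINICAL_IMPACT = {"frequently used for emergency response",
                   "may be used for emergency response", "routine clinical use"}
OPERATIONAL_IMPACT = {"alternatives likely not available",
                      "alternative likely available"}
ENVIRONMENT = {"ER", "Med/surg", "Radiology/imaging", "OR", "ICU", "Other"}
MOBILITY = {"handheld", "mobile", "fixed", "built into a room"}
PHI_LARGE_THRESHOLD = 500  # "Large" means more than 500 records


@dataclass(frozen=True)
class ClinicalContext:
    device_use: FrozenSet[str]
    clinical_impact: str
    operational_impact: str
    environments: FrozenSet[str]
    mobility: str
    networked: bool
    phi_records: int

    def __post_init__(self) -> None:
        # Reject answers outside the fixed vocabulary so a typo cannot
        # silently push a device into a lower priority tier.
        if not self.device_use or not self.device_use <= DEVICE_USE:
            raise ValueError(f"bad device use: {set(self.device_use)}")
        if self.clinical_impact not in CLINICAL_IMPACT:
            raise ValueError(f"bad clinical impact: {self.clinical_impact}")
        if self.operational_impact not in OPERATIONAL_IMPACT:
            raise ValueError(f"bad operational impact: {self.operational_impact}")
        if not self.environments or not self.environments <= ENVIRONMENT:
            raise ValueError(f"bad environment: {set(self.environments)}")
        if self.mobility not in MOBILITY:
            raise ValueError(f"bad mobility: {self.mobility}")
        if self.phi_records < 0:
            raise ValueError("phi_records must be non-negative")

    def phi_category(self) -> str:
        return "large" if self.phi_records > PHI_LARGE_THRESHOLD else "small"

    def score(self) -> float:
        """Assumed weighting in [0.0, 1.0]; patient-safety answers dominate."""
        s = 0.0
        if "life sustaining" in self.device_use:
            s += 0.25
        elif self.device_use & {"drug delivery", "ionizing radiation"}:
            s += 0.15
        if self.clinical_impact == "frequently used for emergency response":
            s += 0.20
        elif self.clinical_impact == "may be used for emergency response":
            s += 0.10
        if self.operational_impact == "alternatives likely not available":
            s += 0.20
        if self.networked:          # exposed to the facility network
            s += 0.15
        if self.phi_category() == "large":
            s += 0.20
        return round(s, 2)

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 0.6 else "medium" if s >= 0.3 else "low"


def cvss_severity(base: float) -> str:
    """CVSS v3.x qualitative severity rating scale."""
    if not 0.0 <= base <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if base == 0.0:
        return "none"
    if base < 4.0:
        return "low"
    if base < 7.0:
        return "medium"
    if base < 9.0:
        return "high"
    return "critical"


# Assumed matrix: CVSS severity (outer) x clinical-context level (inner).
PRIORITY = {
    "critical": {"high": "P1", "medium": "P1", "low": "P2"},
    "high":     {"high": "P1", "medium": "P2", "low": "P3"},
    "medium":   {"high": "P2", "medium": "P3", "low": "P3"},
    "low":      {"high": "P3", "medium": "P4", "low": "P4"},
    "none":     {"high": "P4", "medium": "P4", "low": "P4"},
}


@dataclass(frozen=True)
class Alert:
    alert_id: str      # placeholder IDs below, not real ECRI alert numbers
    device_type: str
    cvss_base: float
    context: ClinicalContext


def priority(alert: Alert) -> str:
    return PRIORITY[cvss_severity(alert.cvss_base)][alert.context.level()]


def prioritise(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Return (alert_id, tier) pairs, most urgent first; ties broken by CVSS."""
    ordered = sorted(alerts, key=lambda a: (priority(a), -a.cvss_base,
                                            -a.context.score()))
    return [(a.alert_id, priority(a)) for a in ordered]


# Constructed sample alerts for illustration only.
SAMPLE_ALERTS = [
    Alert("ALERT-A", "infusion pump", 7.5, ClinicalContext(
        frozenset({"life sustaining", "drug delivery"}),
        "frequently used for emergency response",
        "alternatives likely not available",
        frozenset({"ICU", "ER", "Med/surg"}), "mobile", True, 50)),
    Alert("ALERT-B", "radiology workstation", 8.1, ClinicalContext(
        frozenset({"diagnostic"}), "routine clinical use",
        "alternative likely available",
        frozenset({"Radiology/imaging"}), "fixed", True, 12000)),
    Alert("ALERT-C", "handheld glucose meter", 9.1, ClinicalContext(
        frozenset({"diagnostic"}), "may be used for emergency response",
        "alternative likely available",
        frozenset({"Med/surg", "ER"}), "handheld", False, 30)),
]

if __name__ == "__main__":
    for alert_id, tier in prioritise(SAMPLE_ALERTS):
        print(tier, alert_id)
```

The infusion pump lands in P1 on a 7.5 CVSS score because its context score (0.80) is high, while the glucose meter's 9.1 only reaches P2 because the device is unnetworked, substitutable and holds little PHI; the matrix, not the raw CVSS number, drives the order, which is the point of combining the two inputs.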