Guidance on protecting connected medical devices

The issues related to connected medical devices

Medical devices are highly regulated and controlled due to the risks involved in patient safety. Modifications, including software and hardware, are not permitted, unless authorised by the medical device manufacturer, who will have conducted extensive validation and verification procedures in line with the appropriate regulations.

Therefore, using medical devices on clinical networks has the following issues:

  • it may be impossible to upgrade the operating system (such as moving from Windows 7 to Windows 10) due to hardware dependencies or software driver issues. In addition, medical devices may be more vulnerable due to greater software complexity, potentially employing multiple means of connectivity, a greater pressure to keep the device available vs devices in other areas, long device lifetimes (>10 years), and greater restrictions on device updates placed on hospital ICT departments
  • as a medical device, security updates, patches and potentially virus signatures must be properly assessed by the medical device manufacturer and confirmed as safe before they can be implemented on the medical device. This can take 3 months (or longer) from the time that a security update is released. Some patches will only be implemented as an upgrade to the overall software and not as individual patches, further delaying the remediation process
  • when security updates are released, attackers analyse them to work out which vulnerabilities they fix, increasing the likelihood that exploitable vulnerabilities will become known
  • the absence of the latest security mitigations increases the impact of vulnerabilities, making exploitation more likely to succeed and making detection of any exploitation more difficult
  • the medical device may no longer be supported by the manufacturer (end of support) but still be in use.

In combination, these issues mean that high-impact security incidents become more likely to occur. Security incidents affecting connected medical devices can cause significant disruption to the delivery of healthcare services.

The following steps should apply to any network-connected medical device, regardless of operating system.

NHS Digital: Guidance on protecting connected medical devices – NHS Digital