Innovative Approach Establishes Blueprint for Medical Device Security Programs to Help Protect Patients from Cybersecurity Threats and Vulnerabilities
NASHVILLE, Tenn.–(BUSINESS WIRE)–Clearwater and CyberMDX have entered into a partnership to simplify and automate the identification, inventorying, assessment and risk analysis of networked medical devices, using Clearwater’s IRM|ProTM—an Enterprise Cyber Risk Management Software—and CyberMDX’s MDefend—a visibility and cybersecurity solution, powered by an AI and DPI engine, coupled with Clearwater’s professional services.
The CyberMDX-Clearwater joint delivery model—being demonstrated this week at the H-ISAC Fall Summit in San Antonio, TX, Booth 46—creates the most comprehensive and robust enterprise cyber risk management solution available on the market at a time when growing internal and external security threats have made it increasingly difficult for healthcare organizations to protect their sensitive information, including patients’ personal health information (CHIME HealthCare’s Most Wired: National Trends 2018).
“One of the weakest links within clinical networks is also their most critical asset: their connected medical devices,” said CyberMDX Co-Founder and CEO Amir Magner. “Healthcare providers rely on connected medical devices for their clinical workflows and life-saving treatments, but unlike other IT assets, connected medical devices are extremely vulnerable and often poorly managed. Organizations struggle to do a true, enterprise, OCR-quality risk analysis—one that is an information assets-based risk analysis and that evaluates all ePHI assets and the specific threats and vulnerabilities that are applicable to them.”
Clearwater CEO Steve Cagle said connected medical devices and other IoT integrated devices or equipment are not just a technology risk but a patient safety risk and a risk to business.
“The truth is, if you don’t know where your devices are, you can’t secure them, and until recently there weren’t good or efficient ways of getting that information,” Cagle said. “Until now, it’s also been difficult to categorize the different groups of like devices to make the risk analysis process more manageable. It’s a tremendous challenge for the industry, and we are pleased to partner with CyberMDX to deliver a best-in-class solution.”
With the CyberMDX-Clearwater joint delivery model, healthcare provider organizations can do in a few hours what has historically taken weeks or months to accomplish. CyberMDX’s unique technology identifies in real-time medical device profile information, which is used by Clearwater to identify like devices from a risk perspective. As a recent deployment for a large Integrated Delivery Network provider showed, the solution was able to condense about 30,000 connected medical devices into about 300 groups by putting them into appropriate classifications and groupings, allowing for a much more manageable risk analysis and ongoing identification, assessment, detection and automatic micro-segmentation of all medical and clinical assets.
Tailored to meet the demanding and unique cybersecurity and HIPAA compliance needs of clinical networks and protocols, CyberMDX’s solution provides an automatic and continuous discovery and profiling solution that is easily deployed, fully scalable and built for large distributed networks.
Clearwater’s IRM|Analysis™ software utilizes the resulting inventory and Clearwater’s proprietary algorithms to facilitate an OCR-Quality Security Risk Analysis on the medical devices, as well as to implement and document remediation actions. The result is a complete risk analysis and risk response solution that complies with HIPAA requirements and can be used to satisfy information request from the Office For Civil Rights (OCR).
“From everything we are seeing with our customers, medical devices are one of their weakest links in the security chain and their greatest concern,” Clearwater’s Cagle said. “In a recent webinar provided by Clearwater and CyberMDX fewer than 18% of attendees stated that they had a comprehensive medical device security program in place.
A compromise of medical devices can have devastating effects for a healthcare provider, including:
the shut down of hospital operations or key functions of a facility
risking patients’ lives by compromising the integrity of data
a back door into the network, resulting in significant data breach of ePHI
the control of devices in critical departments or patient care, e.g. neonatal units and infusion pumps
submitted by: Joanna Smith