You may recall this blog post from March 2020. It highlighted the importance of factoring in clinical, organizational, financial and regulatory impact when determining which medical Internet-of-Things (IoMT) security vulnerabilities should be fixed first. Consider this post a part two. Whereas the previous post focused on the fact that IoMT devices are here to stay and finding and prioritizing vulnerabilities based on impact cannot be overlooked, this post highlights an up and coming security challenge.

Interconnected Devices Need Interconnected Risk Measurement

The healthcare system today uses various security technologies for connected devices, many of which assign a risk score to vulnerabilities. The score is meant to help hospital security teams understand and prioritize vulnerabilities that elevate risk. Those technologies, however, use different formulas to calculate the risk score. Furthermore, they are often focused on technical risk rather than the clinical impact on the hospital in terms of patient safety or disruption of a physician’s workflow.

For example, while some scanning tools provide a score based on the Common Vulnerability Scoring System (CVSS), medical device security platforms (MDSPs) monitor what devices are doing, collect data, apply machine learning, build behavioral models and calculate a risk score. Both technologies view risk through a technical lens.

The U.S. Food and Drug Administration (FDA) also has its own health care device classification formula. It focuses on a vulnerability’s associated exploit, what an attacker can do with the exploit and the potential harm that can be done. Again, these elements are viewed through a technical lens, not including the clinical impact on the hospital.

Three challenges arise with these scoring technologies. First, they do not consider clinical impact. Second, while scanner scores, MDSPs and FDA classification are all important pieces of information for determining risk, it is difficult for hospitals to know which score to use as a blueprint for vulnerability prioritization and remediation. Lastly, each MDSP and scanning tool uses different risk-calculating methodologies, which is why there is no standard model for prioritizing vulnerabilities within the field.

With a system like this, prioritization is unnecessarily fragmented.

One Recipe for Calculating Risk

Hospitals need one view of risk that merges the technical risk scores and the clinical impact that would take place if a device is compromised. In other words, throw MDSP, scanning, FDA classification and clinical impact data into a soup pot, add seasoning (enrich the data), and voila. With that recipe, healthcare providers can see which vulnerabilities pose the highest risks to patient safety, so they know where to start with remediation.

Security teams can also apply this approach beyond IoMT devices. Other connected devices within the healthcare environment, such as workstations, network infrastructure and even coffee makers — anything that connects to the hospital’s network — should also be scored and prioritized based on a singular recipe for calculating risk. Scanning tools and MDSPs will assign risk scores in any network-connected device. Those technical scores should be merged along with a clinical impact score to determine which vulnerabilities matter most. That uniform way of scoring can help drive the remediation process by understanding the clinical workflow context of each endpoint detected across a hospital network.

Learn how X-Force Red, IBM Security’s team of hackers, in partnership with The AbedGraham Group, a physician-led global security organization, are working to help hospitals overcome the problems of siloed and incomplete risk scoring that they face today. Together, they have developed a solution to merge technical risk scoring data with clinical impact data to identify the vulnerabilities that matter most.

More from Data Protection

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates.Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?[button link="https://community.ibm.com/community/user/security/events/event-description?CalendarEventKey=8d7fdc61-97bf-43b0-b7d6-018756e436a6&CommunityKey=aa1a6549-4b51-421a-9c67-6dd41e65ef85&Home=%2fcommunity%2fuser%2fsecurity%2fcommunities%2fcommunity-home%2frecent-community-events"…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read