Medical Device Assessment and Security Services
Cyber Tygr has established partnerships with several of the industry’s sophisticated medical device security software architects. These solutions are generally hyper-focused on medical devices and layered within a broader existing security framework, leveraging existing perimeter security investments and reducing costs. This type of medical device security software provides an unprecedented level of visibility and control.
Cyber Tygr will deploy a solution to automatically discover the organization’s medical devices and provide a detailed device inventory. This inventory is the basis for our Medical Device Assessment Service in which devices are discovered and grouped based on information gathered from network behavior and device communication traffic patterns allowing for increased security intelligence.
Our Medical Device Security Services support healthcare organizations of all sizes with in the areas needing support. Four packages conveniently group these services, creating effective strategies for implementation; Bronze, Silver, Gold and Diamond. See the figure below for more detail.
|
Bronze |
Silver |
Gold |
Diamond |
| Stakeholder Education (regulations, laws, standards and frameworks) |
|
|
|
|
| Assess Ecosystems (technical, policies and procedures) |
|
|
|
|
| Administrative, Technical and Physical Safeguards |
|
|
|
|
| Medical Device & IoT Inventory (detailed device data: model, OS, IP/MAC, vulnerabilities, location, Serial #, etc) |
|
|
|
|
| Device Risk Analysis |
|
|
|
|
| Device Risk Impact Scores |
|
|
|
|
| Establish Governance (roles and responsibilities) |
|
|
|
|
| Mitigation Options & Monitoring |
|
|
|
|
| Procurement (new devices and RFP for solution providers) |
|
|
|
|
| Incident Response |
|
|
|
|
| Customized Playbook |
|
|
|
|
| Project and Process Management (implementation through iterative risk mgmt.) |
|
|
|
|
Medical Device Security Assessment – Bronze Package
Cyber Tygr has created a budget-friendly programmatic approach to gain visibility of the issues and minimize the cybersecurity risk resulting from medical and IoT devices.
- Stakeholders – establishing defined roles and responsibilities across the multi-stakeholder healthcare organization is imperative in creating any effective medical device cybersecurity program. Usage, asset management, maintenance, patient care and security are all components in managing the transmission and/or storage of Protected Health Information (PHI) on the devices connected to the enterprise network.” Cyber Tygr assists in identifying stakeholders, their roles and responsibilities and integrating their individual functions with information security functions.
- Information Security
- Healthcare Technology Mgmt./Clinical Engineering
- Information Technology
- Procurement
- Executives, Board and Steering Committees
- Clinicians
- Medical Device Manufacturers
- Privacy, Compliance, Legal
- Assess Ecosystem – the security of connected medical devices depends upon the technical infrastructure being reliable, scalable, and secure. Cyber Tygr’s assessment will consider asset discovery and management techniques, vulnerability scanning to identify risks and secure network architecture.
- Administrative, Technical & Physical Safeguards – cybersecurity has not been designed into the vast majority of connected medical devices currently deployed in healthcare organizations. These device inventories have an insufficient security posture but there has been no economical alternative to replacing them, until now. Cyber Tygr’s Medical Device Security Assessment assists in building a foundation to minimize exposure, reduce the impact of an adverse incident and maximize resiliency.
- Medical Device and IoT Inventory – Cyber Tygr utilizes specialized endpoint discovery tools combined with extensive medical device libraries. Automatically identify medical devices, and their attributes, based upon the network communications. This inventory includes a NIST CVSS severity scoring that prioritizes which devices are most critical for mitigation and protective action.
