CynergisTek expands service to assess IoT, medical device security risks
Awareness is growing that biomedical devices, as well as other medical devices, have inherent security vulnerabilities that can give hackers access to a hospital’s network.
In response, data security consultancy CynergisTek recently launched a biomedical device service assessment service and already has an undisclosed number of hospitals, clinics, imaging centers and reference labs taking advantage of the service.
The enterprisewide assessment covers biomedical and clinical devices to identify gaps, vulnerabilities and additional risks, while also providing recommendations for improving overall device security.
“We have heard loud and clear from our clients that this is a top concern for them, which prompted us to begin developing a portfolio of biomedical device security services to solve this problem,” says Mac McMillan, CEO at CynergisTek. The vendor also is developing new managed services to support best practices for planning, implementation and ongoing maintenance of hospital biomedical device lifecycle management programs.
This past spring, CynergisTek started seeking ways to build network-scanning tools to give insights into the protection of biomedical devices and Internet of Things devices, says David Finn, executive vice president at the company. The new tools use a passive scanning process because medical devices are constantly being moved elsewhere in a medical facility or are receiving maintenance.
“Active scanning is effective for system vulnerability when scanning personal computers or servers,” Finn explains. “But you don’t want to knock biomedical devices off the network, so we use passive scanning that follows network traffic flow.”
In July, CynergisTek conducted its first assessment, and in August, the company partnered with software vendor Asimily to use its platform to provide risk assessment services as well as offering an ongoing managed care service to providers.
Asimily services also include metrics on devices, measuring detailed asset utilization, the ability to track and discover devices not being used as expected, and capability to block or segment devices on the network.
Finn won’t disclose how many paid clients are using the biomedical device assessment services, but he says the company has a growing list of organizations asking for proposals. “People have been talking about the biomedical device risks for some time now,” he adds. “Two years ago, hackers started using devices to get on networks and get patient medical and financial information, so devices are constantly being attacked. Now, we have real technology to address it.”