Five best practices for bringing new devices into the hospital securely


December 20, 2018
Health IT
By Mike Kijewski

Cybersecurity has emerged as a critical risk to healthcare delivery organizations (HDOs) and their patient data. In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media, which affected a total of 5.579 million patient records, according to Protenus.

Securing medical devices prevents them from becoming a conduit for an attack, while also ensuring the confidentiality, integrity, and availability of data stored on or transmitted to a device.



Engaging the security team in the procurement process will ensure best-in-class practices are brought to HDOs. Cybersecurity risks in particular cut across every major function and business line. We have identified five best practices when collaborating with IT, engineering, operations, legal, finance and others to bring new devices into an HDO:

● Understanding the flow of data. It's crucial to assess what type of data the medical device will create, store and transmit, both within the device and across the broader healthcare organization. Device vendors should clarify whether the device has any removable media ports (e.g., USB). This will allow a risk assessment of the device to drive subsequent security implementation.

● Access Considerations. User authentication is the root cause in 44% of all medical device vulnerabilities, which underscores the importance of a device vendor supporting password complexity and a strict user provisioning process. Clarity on whether the device supports encryption of data both at rest and in transit brings layers of redundancy to an HDO's security posture.

● Ongoing Support. The importance of software patch management on devices cannot be overstated. Security evolves over time as threats are identified, addressed and managed on an ongoing basis. The FDA recently published a preferential 60-day time frame for devices to be updated for known vulnerabilities, so it is worth confirming that a device vendor can accommodate this.

● Notifications. Monitoring device behavior is a requirement in the recent premarket cybersecurity guidance from the FDA. Vendor-supported analytics per serial-numbered device (including information such as technical specifications, patching status and known vulnerabilities) can go a long way toward supporting the HDO in the asset management challenge it faces. This device-specific insight can be used to meet the FDA requirement to identify anomalous device behavior, diagnose the cause and alert the HDO when appropriate.
