From the September 2021 issue of HealthCare Business News magazine
Defenders must work smarter to defend their assets. This means as attackers move up the supply chain, so must defenders.
Lesson 3: Plan. Practice. Persist.
Prior to connecting anything to a network, we have to understand the impact of that decision. In effect, as defenders, we have to look at the full picture by threat modeling to build a plan of action. Understanding the potential threats implied by the attack surface, whether as a device manufacturer, healthcare delivery organization or vendor of security services, enables building a plan of action to mitigate them.
Once a plan has been developed it is equally important that it be understood, ingrained in day-to-day operations, and regularly reviewed. As attackers change, so must the defense. And we must be honest with ourselves - things aren’t going to be perfect. Where there are setbacks and misses, take the opportunity to build, enhance, and re-educate.
Lesson 4: Design with security in mind.
First and foremost - I want to make it clear that I believe user training has a place and purpose. We cannot let our people proceed in a connected world without guidance and support. However, if I can’t train an algorithm to identify a potentially malicious email, is it really fair to expect an end-user to detect that malicious email?
The danger I see is that healthcare constantly blames the user/patient. Whether it’s patient adherence, login/password management, or phishing failures, this isn’t an industry that has historically optimized for easing the user experience. It goes to my earlier point - we optimize for patient outcomes.
Therefore we must design devices to be secure, starting at the inception of the device. Our systems must increasingly prioritize reducing reliance on users to defend against unknown threats. Note the nuance: I’m not saying the user doesn’t know how to use the device. I’m saying with tech, there will always be unknowns and there will always be weaknesses. The best systems are those that do not rely on the user for detection, or, more importantly in patient care, for the efficacy of a device. We must be intentional and prioritize designing security into devices if we are to ever change the landscape of cyberthreats in healthcare.
Lesson 5: Don’t go at it alone.
Medical device security is absolutely a unique environment - with complex networks, various entities involved, and complicated asset management requirements. It is absolutely essential that security be built for the clinical use case. However, building a comprehensive security solution from scratch is time consuming, requires expertise likely not within the organization, and requires bandwidth to maintain over the lifetime of a device.