Original Post on: http://www.healthcareitnews.com/blog
By: Dan Costantino
A CISO’s advice for securing connected medical devices
Penn Medicine’s Dan Costantino recommends that hospitals get ahead of the issue, understand their scope, and implement layers of cybersecurity as a starting point.
Phishing emails aimed at compromising employee credentials. Encryption used to prevent exposure of sensitive data in the event of accidental loss or theft. Ransomware, rendering hospital computers useless and access to digital medical records unavailable. These are just a few of the things health systems are battling today in an increasingly sophisticated threat landscape. More often than not, it’s patient records and sensitive data that sit at the root of all the privacy and security controls being implemented. But there’s an increasing concern over network-connected medical devices that is threatening one of the core missions of every health system – patient safety.
Connected medical devices are becoming a key part of healthcare infrastructure, with the average hospital room containing nearly 15-20 of them. Some of these devices are still running on obsolete operating systems, while others were manufactured with significant vulnerabilities, such as passwords embedded in the software code. The number of IoT devices in a hospital can be more than twice the number of traditional networked devices, such as laptops and smartphones. The challenge of securing these devices is becoming increasingly clear to health systems around the world. While there’s no bulletproof solution to this problem, a number of measures and controls can be implemented that significantly reduce the risk to these devices and ultimately protect patient safety.
Be out in front of the issue
While the Food and Drug Administration (FDA) encourages medical device manufacturers to proactively secure their devices, many continue to challenge this guidance with common myths circulated throughout the industry. One example of these myths is that the FDA tests all medical devices for vulnerabilities. The truth is that the FDA does not conduct pre-market security testing of medical devices; it’s the responsibility of the manufacturers to do so. Ensuring this testing has taken place, among other requirements such as vulnerability and patch management of devices, is paramount when negotiating with medical device manufacturers. It’s important for information security and clinical engineering teams to understand the facts and work with their legal departments to build security measures into their contracting.
Another common challenge for these teams is the various avenues through which medical devices tend to enter hospitals. Setting and enforcing policies and standards for medical device procurement will go a long way toward ensuring the proper checks and balances have taken place before devices get into production.
Understand your scope
Asset management is another area where a common, standard procurement process will save loads of time and headache for clinical engineering and cybersecurity teams. Putting these measures in place will ensure net-new devices are accounted for and properly managed. Many hospitals, however, have devices on their floors that have been there for decades. Aiming to solve this problem through years of attrition simply isn’t feasible given the threats hospitals face today. Health systems need to use a combination of technology and some manual inventory management to capture a complete picture of what they have on the floors, where each device is located, and what purpose it serves. This exercise will also prove invaluable in classifying the devices and measuring the risk each one poses to the network and to patients.
Implement layers of security within the network
One of the most effective ways to protect medical devices from other network-connected devices and to protect the network from medical devices that lack the proper level of security controls is to…