By Mike Kijewski
Cybersecurity has emerged as a critical risk to healthcare delivery organizations (HDOs) and their patient data. In 2017, there were 477 healthcare breaches reported to the U.S. Department of Health and Human Services (HHS) or the media, which affected a total of 5.579 million patient records, according to Protenus.
Securing medical devices prevents them from becoming a conduit for an attack, while also ensuring the confidentiality, integrity, and availability of data stored on or transmitted to a device.
Engaging the security team in the procurement process will ensure best-in-class practices are brought to HDOs. Cybersecurity risks in particular cut across every major function and business line. We have identified five best practices when collaborating with IT, engineering, operations, legal, finance and others to bring new devices into an HDO:
● Understanding the flow of data. It's crucial to assess what type of data the medical device will create, store and transmit within the device as well as the broader healthcare organization. Device vendors should clarify whether the device has any removable media ports (e.g., USB). This will allow a risk assessment of the device to drive subsequent security implementation.
● Access considerations. User authentication is the root cause in 44% of all medical device vulnerabilities, which underscores the importance of a device vendor supporting password complexity and a strict user provisioning process. Clarity on whether the device supports encryption of data both at rest and in transit adds a further layer of defense to an HDO's security posture.
● Ongoing support. The importance of software patch management on devices cannot be overstated. Security evolves over time as threats are identified, addressed and managed on an ongoing basis. The FDA recently published a preferential 60-day time frame for devices to be updated for known vulnerabilities; HDOs should confirm that a device vendor can accommodate this.
● Notifications. Monitoring device behavior is a requirement in the recent premarket cybersecurity guidance from the FDA. Vendor-supported analytics for each serial-numbered device (including information such as technical specifications, patching status and known vulnerabilities) can go a long way toward supporting the HDO in the asset management challenge it faces. This device-specific insight can be used to meet the FDA requirement to identify anomalous device behavior, diagnose the cause and alert the HDO when appropriate.
● Resolution. Demonstrable commitments to meeting the pre- and postmarket cybersecurity guidance are important for the FDA and for HDOs to have confidence that a device will not compromise an HDO's cybersecurity posture. Security methodologies, patch management documentation and verification/validation testing documentation enable a healthcare system to risk-assess a device more rapidly, both at implementation and over the lifetime of the device.
Penalties for noncompliance are likely coming as regulators finalize draft cybersecurity guidance; in 2019 we will see how device vendors react to these requirements. HDOs collaborating with device vendors to meet FDA cybersecurity requirements will demonstrate a commitment to improving security throughout the entire healthcare community.
About the author: Mike Kijewski is the founder and CEO of San Diego-based MedCrypt, a company that encrypts data traveling to and from medical devices with just a few lines of code, ensuring they are Secure-by-Design to meet the FDA's newly updated cybersecurity guidelines.