Today's lax medical device security can be fixed. Here's how.
Medical devices are loosely secured, making them a ripe target for cyberattackers, but what’s not as clear is exactly what must happen in the industry to solve this problem and what healthcare information security professionals should focus on in the meantime.
Luckily, there are various ways of attending to this problem, cybersecurity experts said, and various questions that hospitals and medical groups should be asking -- and answering -- now.
“Health systems historically have taken more time to adopt new practices or processes that have the potential to impact patient care,” said Chris Clark, principal security engineer at Synopsys, a software security firm. “The predominant number of health systems will look to market leaders like the Mayo Clinic and others to develop best practices that can then be modeled to their environment. The same needs to happen for manufacturers; leaders in the industry will be those that factor security into device design and market it as such to their customers.”
Since traditional security means loading software onto the medical devices, the question becomes whether that action will require FDA approval, said Jennifer Geisler, vice president of marketing at ForeScout, a cybersecurity firm that specializes in the Internet of Things and other connected devices. If so, then vendors must be willing to assume the same liability that a medical device maker takes on, she added.
And if the security software causes a malfunction and a system fails, the matter of liability arises, Geisler said, adding that infosec pros need to be asking a lot of questions.
“What is the latency burden by security software on the medical device?” she said. “What happens when there is a software update? They need a security option that doesn’t require the burden of buying new medical devices or third-party software.”
These issues are increasingly important as a recent Ponemon Institute study found that only 17 percent of medical device makers and 15 percent of healthcare organizations are taking significant steps to prevent attacks on medical devices.
That same Ponemon research determined that only 51 percent of medical device makers and 44 percent of healthcare organizations follow FDA guidance to mitigate or reduce medical device security risks.
The guidance is there, ripe for the picking. So what more must be done to dramatically increase these numbers?
“The FDA needs to enforce existing guidance and take steps to leverage standards from entities such as ISO, AAMI and others,” Clark said. “While most entities will attempt to follow the FDA guidance, the FDA rarely enforces review of device manufacturers unless there is some kind of event. Most manufacturers will take guidance from a wide range of standards from ISO and others that are more comprehensive than what the FDA provides in order to show an adequate level of due diligence.”
Until FDA guidance is more encompassing and able to provide a higher level of fidelity, manufacturers will look to create and aggregate multiple standards that meet the manufacturers’ needs, Clark added.
Asked what the single best practice healthcare organizations could undertake today regarding medical device security would be, Clark and Geisler each shared their own lists.
“Implement a cyber-hygiene best practice framework – for example, NIST Security Framework or SANS – and a solution that provides the ability to see and know exactly what is connected to your network,” Geisler said. “If healthcare organizations don’t know what is connected to their network, they can’t secure it.”
Trust but verify, Clark said.
“Healthcare providers need to require information from manufacturers that show how security, as well as patient care, are part of the overall design and manufacturing process,” he added. “Be ready to validate the assurances of the manufacturer or have a third-party source that can validate assertions of the manufacturer.”
By leveraging consumer rights, health systems can force manufacturers to ensure devices provide a high level of patient care and factor in security as one of the core components of device design, Clark concluded.
Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com