Healthcare Information Technology

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health Bakul Patel explained in a recent blog post that the guidelines focus on three key areas: ensuring interoperability is at the core of the design of devices; performing verification, validation, and risk management activities; and clearly specifying the functional, performance, and interface characteristics of the devices for users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained that the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure those using the devices with other systems and devices can do so safely. If it is not clearly explained to users how the devices function and interface, this could potentially lead to devices malfunctioning, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.

The post FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange appeared first on HIPAA Journal.

Researchers Call for Updates to Guidelines for Emailing Patients

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients.

There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners.

The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed.

The researchers said providers would benefit from having up-to-date guidance on effective messaging practices in the context of healthcare teams and detailed information on how messaging platforms could be incorporated into workflows. Current guidelines have a focus on technical issues such as platform specifications, when providers would benefit more from guidelines focused on the relational challenges of electronic communication. Practitioners are trained on effective face-to-face communication. The researchers suggest similar training should be provided on electronic communication.

Updates to the guidelines are long overdue, with several guidelines dating back more than a decade. However, before new guidelines can be developed, further research is required to evaluate and identify best practices. The researchers also call for “A framework to evaluate quality of communication, and assess the relationship between electronic communication and quality of care.”

The study – A critical appraisal of guidelines for electronic communication between patients and clinicians: the need to modernize current recommendations – was recently published in the Journal of the American Medical Informatics Association (JAMIA).

The post Researchers Call for Updates to Guidelines for Emailing Patients appeared first on HIPAA Journal.

NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To make the authentication process harder for hackers to defeat, NIST recommends the use of multi-factor authentication, for example a password along with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. Unicode characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

While forcing the use of special characters, lower case letters, and upper case letters is intended to improve password strength, in reality this may not be the case. Requiring users to include at least one lower case letter, one upper case letter, one number, and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.
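The three controls the article singles out (a blocklist screen with no composition rules, secure hashed storage, and rate limiting) are shown together below as an added example; this is not code from NIST or from the HIPAA Journal post, and the word lists, account names, and the PBKDF2 iteration count are constructed assumptions.

```python
"""Memorized-secret handling in the style NIST SP 800-63B describes.

Added example for this article, not code from NIST or HIPAA Journal.
All word lists, account names and the iteration count are constructed.
"""
import hashlib
import os
import re
import secrets
import time
import unicodedata

MIN_LEN = 8     # minimum length the article reports
MAX_LEN = 128   # secrets of at least 64 characters must be accepted; cap is a constructed choice

# Constructed sample lists; a real deployment loads breach corpora and an
# organisation-specific wordlist instead.
COMMON_OR_BREACHED = {"password", "password1!", "letmein", "qwerty123", "123456"}
CONTEXT_WORDS = {"server", "mri", "examplehealth"}
DICTIONARY = {"sunshine", "welcome1", "monkey", "cat"}
# Dictionary words shorter than MIN_LEN cannot be accepted anyway, so drop them.
DICTIONARY_SCREEN = {w for w in DICTIONARY if len(w) >= MIN_LEN}


def _compact(secret: str) -> str:
    # NFKC folds look-alike Unicode forms, casefold makes matching case-blind;
    # spaces count toward length but are ignored when matching wordlists.
    return re.sub(r"\s+", "", unicodedata.normalize("NFKC", secret).casefold())


def is_repetitive(s: str) -> bool:
    """True for a short unit repeated to fill the string: aaaaaaaa, 12341234."""
    return any(len(s) % n == 0 and s == s[:n] * (len(s) // n)
               for n in range(1, len(s) // 2 + 1))


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `run` code points ascend or descend one step at a time: 1234abcd."""
    for i in range(len(s) - run + 1):
        w = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(w, w[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def screen_secret(secret: str, username: str = "") -> list:
    """Reasons to reject the secret; an empty list means it is acceptable.
    Deliberately no composition rules: any Unicode, spaces, any class mix."""
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append("too short")
    if len(secret) > MAX_LEN:
        reasons.append("too long")
    c = _compact(secret)
    if c in COMMON_OR_BREACHED:
        reasons.append("commonly used or previously breached")
    if c in DICTIONARY_SCREEN:
        reasons.append("dictionary word")
    if is_repetitive(c) or has_sequence(c):
        reasons.append("repetitive or sequential characters")
    if any(word in c for word in CONTEXT_WORDS):
        reasons.append("context-specific word")
    if username and _compact(username) in c:
        reasons.append("contains the username")
    return reasons


# --- secure hashed storage: per-secret salt and an iterated PBKDF2-HMAC-SHA256 ---
PBKDF2_ROUNDS = 210_000  # constructed choice; tune to the verifier's hardware


def hash_secret(secret: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for storage; a fresh random salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)
    return secrets.compare_digest(candidate, digest)


class GuessThrottle:
    """Per-account rate limit: at most `limit` failed guesses per `window` seconds."""

    def __init__(self, limit: int = 5, window: float = 900.0):
        self.limit, self.window, self._fails = limit, window, {}

    def allowed(self, account: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._fails.get(account, []) if now - t < self.window]
        self._fails[account] = recent  # forget failures outside the window
        return len(recent) < self.limit

    def record_failure(self, account: str, now: float = None) -> None:
        self._fails.setdefault(account, []).append(time.time() if now is None else now)
```

`screen_secret` rejects every example the article lists (aaaaaaaa, 12341234, 1234abcd, server1, MRIpassword, Password1!) while accepting a long spaced passphrase without any character-class rule.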

The post NIST Updates Digital Identity Guidelines and Tweaks Password Advice appeared first on HIPAA Journal.

Philips Ships DoseWise Portal with Serious Vulnerabilities

The Philips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ICS-CERT has warned healthcare providers the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data.

Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10.

The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS V3 rating of 6.5 out of 10.

ICS-CERT is unaware of any publicly available exploits for the vulnerabilities, although healthcare organizations have been advised to implement mitigations. Until a new version of DWP is released – which is expected later this month – healthcare organizations have been advised to ensure network security best practices are implemented and port 1433 is blocked if a separate SQL server is not being used.

Best practices include minimizing network exposure by ensuring the devices/systems are not accessible from the Internet, locating the systems/devices behind firewalls, and isolating them from the business network. If remote access is required, systems should only be accessed via a VPN that has been updated to the latest version.

Philips says the vulnerable versions are 1.1.7.333 and 2.1.1.3069. Philips will be releasing a new version of DWP (2.1.2.3188) for users of DWP version 2.1.1.3069, which will update the authentication method and remove the hard-coded password vulnerabilities. DWP version 1.1.7.333 will be updated to change and fully encrypt stored passwords.

Publicly Available Exploits Exist for Siemens CT/PET System Vulnerabilities

The ICS-CERT warning comes just a few days after a warning about four serious vulnerabilities in Siemens CT and PET systems that could be remotely exploited to gain access to the devices. In that case, exploits for the vulnerabilities are publicly available. The vulnerabilities have existed for at least two years and affect the Windows 7 OS on which the Siemens CT/PET systems are based.

With hackers increasingly targeting healthcare organizations to gain access to medical data and extort money, it is essential that medical device and app developers conduct more extensive security tests to ensure vulnerabilities are identified and corrected before the devices come to market. Post-market vulnerability testing is also essential to make sure the devices remain secure throughout their life cycles.

The post Philips Ships DoseWise Portal with Serious Vulnerabilities appeared first on HIPAA Journal.

Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey conducted on 370 professionals with involvement in the IoT medical device ecosystem revealed more than a third (36%) of organizations have experienced a security incident related to those devices in the past year.

Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators.

When asked about the biggest challenges with IoT medical devices, 30% said identifying and mitigating risks of fielded and legacy connected devices was the biggest cybersecurity challenge. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). 8% of respondents rated meeting regulatory requirements as the biggest challenge.

Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device manufacturers must be prepared to deal with incidents when they occur. When asked how prepared they were to deal with breaches, subsequent litigation or regulatory matters, only 19% of respondents said they were very prepared. 56% said they were somewhat prepared while 13% said they were not prepared at all.

Devices currently being developed can have cybersecurity incorporated at an early stage, which makes securing the devices for the entire lifecycle of the products far easier. For devices already in use, cybersecurity is a major concern. Many of the devices are running on outdated operating systems or are connected to networks that lack appropriate security controls.

Unfortunately, since each device has different cybersecurity requirements and operates in a different way, securing the devices is not straightforward. Cybersecurity controls need to be applied to the device, but also to the networks that the devices connect to. Russell Jones, risk and financial advisory partner at Deloitte & Touche LLP, said that when it comes to medical device cybersecurity, “There is no magic bullet solution.”

Device manufacturers can certainly do more to incorporate cybersecurity controls into their devices, but to make the devices truly secure, there needs to be collaboration between providers, manufacturers, and suppliers. As Jones explained, “This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely.”

The number of IoT devices now being used has grown considerably and as more devices are connected to healthcare networks, managing the devices and monitoring for vulnerabilities becomes an even bigger problem.

Healthcare organizations must have an IoT management and security solution in place, as it is simply not possible to manage security manually. Without such a solution that offers IT teams visibility and control over the devices, it is not possible to manage and mitigate vulnerabilities.

Deloitte does offer some suggestions about improving medical device cybersecurity, suggesting healthcare organizations:

  • Implement a domain hierarchy – Formalize, organize, and structure medical device cyber security activities and governance to ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations. Deloitte recommends work instructions and templates be developed for each unique device, while documentation of QMS protocols should be centralized and regularly updated.
  • Conduct product security risk assessments at least annually, although risk assessment should be an ongoing process, with assessments repeated when business processes change and when there are supplier changes, acquisitions, or divestitures.
  • Take a forensic approach to incident response – When devices are compromised, the incident timeline must be determined, anomalous behavior should be detected and organizations must determine what data were exposed or accessed.

The post Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere appeared first on HIPAA Journal.

HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs

HIMSS has published the findings of its 2017 Cybersecurity Survey. The survey was conducted on 126 cybersecurity professionals from the healthcare industry between April and May 2017. Most of the respondents were executive and non-executive managers who were primarily responsible or had some responsibility for information security in their organization.

The report shows healthcare organizations in the United States are increasingly making cybersecurity a priority and have been enhancing their cybersecurity programs over the past 12 months. More healthcare organizations have increased their cybersecurity staff and adopted holistic cybersecurity practices and perspectives in key areas.

The survey revealed 75% of respondents are now conducting regular penetration tests to identify potential vulnerabilities and determine how resilient they are to cyberattacks. In response to the considerable threat from within, 75% of respondents have implemented insider threat management programs and 85% are now conducting risk assessments at least once every 12 months.

While these results are encouraging, there is still considerable room for improvement. 15% of organizations are not conducting annual risk assessments and 25% do not have an insider threat management program, even though insiders are the biggest cause of healthcare data breaches.

HIMSS says, “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”

A majority of respondents have adopted at least one cybersecurity framework, the most popular being the NIST CSF (62%) followed by HITRUST CSF (25%) and ISO (25%). Organizations that have hired a CISO are much more likely to implement a cybersecurity framework. Only 5% of organizations with a CISO have not adopted the NIST CSF.

Healthcare organizations now appreciate the importance of conducting regular security awareness training for the workforce, such as training employees how to recognize phishing emails and social engineering attacks and the importance of reporting potential security incidents to the IT department. 87% of respondents said they run security awareness training sessions for the workforce at least once a year.

60% of respondents said they now employ a senior information security leader such as a CISO to oversee their cybersecurity programs and 80% have dedicated cybersecurity staff.

71% of respondents said they divert some of their budget to cybersecurity, with 60% allocating 3% or more of their budget to their cybersecurity program.

When asked about the biggest threats, the greatest concerns were medical device security, patient safety – especially in relation to attacks on medical devices – PHI breaches, and malware.

Rod Piechowski, senior director, health information systems, HIMSS said, “This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement. Our hope is that the new research will be an important resource for organizations navigating the complex security landscape.”

Full details of the findings of the HIMSS 2017 Cybersecurity Survey are available on this link.

The post HIMSS Research Shows Healthcare Organizations Have Enhanced Their Cybersecurity Programs appeared first on HIPAA Journal.

HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management

The Health Information Trust Alliance (HITRUST) has announced a new partnership with Trend Micro. The aim of the partnership is to speed the delivery of cyber threat research and education and improve organizational threat management.

The partnership has seen the creation of the Cyber Threat Management and Response Center which will help to expand cyber threat information sharing and improve the service to healthcare organizations at all levels of cybersecurity maturity, helping them to deal with the increasing range of cyber threats and frequency of attacks.

HITRUST already shares cyber threat intelligence with organizations that have signed up with its Cyber Threat Xchange (CTX) – the most widely adopted threat information sharing organization for the healthcare industry.

HITRUST collects, analyzes, and distributes cyber threat information through CTX, including indicators of threats and compromise, and has been working hard over the past 18 months to expand the collection of cyber threat information through its Enhanced IOC Collection Program. HITRUST now leads the industry in the identification of unique IOCs.

HITRUST has been trying to improve its threat information sharing program to better serve the healthcare industry. HITRUST has identified a number of key areas where improvements can be made, including speeding up the collection, analysis and delivery of threat information, advancing its threat hunting capabilities and improving reporting, integration, education and collaboration.

After assessing costs, skill sets, available resources and current capabilities, HITRUST determined the best way to improve its service was through a partnership with an established and well-qualified cyber research lab. Trend Micro was the natural choice.

One of the key areas where the Cyber Threat Management and Response Center will be able to help is ensuring threat information is shared in a format that can be easily consumed and leveraged by all healthcare organizations to mitigate risk.

HITRUST points out that through the HITRUST CTX, threat information was shared with healthcare organizations about both the WannaCry and NotPetya attacks. The outreach to organizations occurred soon after the threat was detected, with threat indicators shared 14 days before the first organization reported it had experienced an attack. The information allowed many healthcare organizations to take proactive steps to mitigate risk. However, HITRUST found that some healthcare organizations were unable to consume the information it shared.

Through the Cyber Threat Management and Response Center HITRUST “will deliver capabilities to address cyber threat management, defense, and response based on an organization’s cyber maturity level.”

“The HITRUST CTX has established itself as a leader in the collection of threat indicators. Now the focus needs to be ensuring organizations of any cyber maturity can leverage this information in a timely manner,” said Kevin Charest, DSVP and CISO, Health Care Service Corp. He explained that “Information sharing has no value if people can’t quickly act upon it, making the HITRUST CTX transition to cyber threat management a crucial step for industry.”

HITRUST has outlined the first phase of expanding its resources through the Cyber Threat Management and Response Center and says the new partnership with Trend Micro will allow it to offer:

  • Access to the world’s best threat research lab will enable HITRUST to collect and distribute a much broader range of IOCs
  • Analyses and research will be disseminated much more rapidly and geared to organizations at all levels of maturity
  • The center will have access to more healthcare industry specific vulnerabilities and threat information
  • Vulnerability information and IOC and TTP linkage with the HITRUST Threat Catalogue will be expanded
  • The center will have the resources to enable more responsive community engagement and assistance, including inquiry response and IOC submission analysis
  • HITRUST will improve tracking and monthly reporting of cyber threats targeting healthcare data and healthcare organizations

HITRUST has confirmed that it will continue to provide basic access to the HITRUST CTX and the new HITRUST Cyber Threat Management and Response Center at no cost, with the new center to be made available from October 1, 2017.

The post HITRUST and Trend Micro Join Forces to Improve Organizational Cyber Threat Management appeared first on HIPAA Journal.