Healthcare Information Technology

National Cyber Security Awareness Month: What to Expect

October is National Cyber Security Awareness Month – a month when attention is drawn to the importance of cybersecurity and several initiatives are launched to raise awareness about how critical cybersecurity is to the lives of U.S. citizens.

National Cyber Security Awareness Month is a collaborative effort between the U.S. Department of Homeland Security (DHS), the National Cyber Security Alliance (NCSA) and public/private partners.

Throughout the month of October, the DHS, NCSA, and public and private sector organizations will be conducting events and launching initiatives to raise awareness of the importance of cybersecurity. Best practices will be shared to help U.S. citizens keep themselves safe online and protect their companies, with tips and advice published to help businesses improve their cybersecurity defenses and keep systems and data secure.

DHS and NCSA will focus on a different aspect of cybersecurity each week of National Cyber Security Awareness Month:

National Cyber Security Awareness Month Summary

  • Week 1: Simple Steps to Online Safety (Oct. 2-6)
  • Week 2: Cybersecurity at Work (Oct. 9-13)
  • Week 3: Today’s Predictions for Tomorrow’s Internet (Oct. 16-20)
  • Week 4: Careers in Cybersecurity (Oct. 23-27)
  • Week 5: Cybersecurity and Critical Infrastructure (Oct. 30-31)

Week 1 focuses on basic cybersecurity and cyber hygiene – simple steps that can be taken to greatly improve resilience to cyberattacks.

These basic cybersecurity measures are likely to have already been adopted by the majority of businesses, but these simple controls can all too easily be overlooked. The Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal is littered with reports of security incidents that have resulted from failures to get the basics of cybersecurity right. Week 1 is the perfect time to conduct a review of these basic cybersecurity measures to ensure they have all been adopted.

This year has already seen several major data breaches reported, including the massive breach at Equifax that impacted 143 million Americans. In May, WannaCry ransomware attacks spread to more than 150 countries, and the NotPetya wiper attacks in June caused extensive damage. FedEx and Maersk have both announced that the attacks could end up costing $300 million.

All three of those cyberattacks occurred as a result of the failure to implement patches promptly. Then there is the recently announced Deloitte data breach, which has been linked to the failure to implement two-factor authentication, another basic cybersecurity measure.

Stop. Think. Connect

During the first week of National Cyber Security Awareness Month, the NCSA will be promoting its “STOP. THINK. CONNECT.” security awareness campaign, which was developed with assistance from the Anti-Phishing Working Group in 2010. The campaign makes available more than 140 online resources that can be used by U.S. citizens to keep themselves secure and by businesses to improve security awareness of the workforce.

Week 2 will focus on cybersecurity in the workplace, highlighting steps that can be taken by businesses to develop a culture of cybersecurity in the workplace. DHS and NCSA will also be encouraging businesses to adopt the National Institute of Standards and Technology Cybersecurity Framework.

Week 3 will focus on protecting personal information in the context of the smart device revolution, highlighting the importance of secure storage, transmission, and handling of data collected by IoT devices.

Week 4 will focus on encouraging students to consider a career in cybersecurity. By 2019, there are expected to be around 2 million unfilled cybersecurity positions in the United States. Advice will be offered about how to switch careers and embark upon a career in cybersecurity.

National Cyber Security Awareness Month finishes with two days of efforts to improve the resiliency of critical infrastructure to cyberattacks.

OCR Encourages HIPAA-Covered Entities to Go Back to Basics

Late last week in its monthly cybersecurity newsletter, OCR sent a reminder to HIPAA-covered entities about the importance of securing health data, saying, “The security of electronic health information is more critical than ever, and it is the responsibility of all in the regulated community to ensure the confidentiality, integrity, and availability of electronic protected health information.” These basic security measures are essential for HIPAA compliance.

OCR suggests HIPAA-covered entities should go back to basics during National Cyber Security Awareness Month and use the tips and advice being issued to ensure all the i’s have been dotted and the t’s crossed.

OCR suggests a good place to start is conducting a review to make sure:

  • Strong passwords have been set – consisting of passphrases or passwords of at least 10 characters, including lower- and upper-case letters, numerals, and special characters.
  • Regular training is provided – to improve phishing awareness and the reporting of potential attacks, and to cover other important cybersecurity issues.
  • Multi-factor authentication is used – so that a password that is obtained or guessed does not on its own result in an account being compromised. MFA is strongly recommended for remote access, privileged accounts, and accounts containing sensitive information.
  • Patch management policies have been reviewed – to ensure that software updates and patches are always applied promptly, on all systems and devices, to fix critical security vulnerabilities.
  • Devices are locked – all devices should be physically secured when they are not in use.
  • Portable device controls have been developed – prohibiting the plugging of personal portable devices into secure computers or networks without first scanning the devices to make sure they do not contain malware.
  • Policies on reporting threats have been developed – educating the workforce on the importance of reporting potential threats immediately so that action can be taken to mitigate risk.

The post National Cyber Security Awareness Month: What to Expect appeared first on HIPAA Journal.

The Benefits of Using Blockchain for Medical Records

Blockchain is perhaps best known for keeping cryptocurrency transactions secure, but what about using blockchain for medical records? Could blockchain help to improve healthcare data security?

The use of blockchain for medical records is still in its infancy, but there are clear security benefits that could help to reduce healthcare data breaches while making it far easier for health data to be shared between providers and accessed by patients.

Currently, the way health records are stored and shared leaves much to be desired. The system is inefficient, there are many roadblocks that prevent the sharing of data, and a patient’s health data is not always stored by a single healthcare provider; instead, a patient’s full health history is fragmented and spread across multiple providers’ systems.

Not only does this make it difficult for health data to be amalgamated, it also leaves data vulnerable to theft. When data is split between multiple providers and their business associates, there is considerable potential for a breach. The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered entities and their business associates to implement technical safeguards to ensure the confidentiality, integrity, and availability of protected health information. However, each entity implements its own security controls.

The more entities have access to health data, the greater the potential for errors to be made that result in the data being exposed. As the Department of Health and Human Services’ Office for Civil Rights Breach portal clearly shows, HIPAA-covered entities and their business associates are not always as careful as they should be when storing and transmitting data, and even when they are, it is often not possible to prevent breaches. However, using blockchain for medical records could dramatically improve data security.

Blockchain, as the name suggests, is a chain of data blocks which contain details of transactions, each of which is encrypted to ensure privacy. Rather than store data in a single location, blockchain keeps data in an encrypted ledger, which is distributed across synchronized, replicated databases. Each block is linked to the previous block by a unique public key with access to data carefully controlled.

As has been shown with the massive Anthem and Equifax data breaches, single entities cannot be trusted to hold vast quantities of data and keep it secure in a centralized system. Storing data in a decentralized system could be a viable alternative.

With blockchain, each data block in the chain can be encrypted using public key cryptography which can be unlocked with the use of a private key or password, which could be held by a patient.

If blockchain is used for health data, rather than multiple healthcare providers each storing their own copy of a patient’s data, the patient would grant each provider access to their data and provide them with a key.

Without access to the key, the data stored in the blockchain would be inaccessible. It would not be possible to hack a single block of data, at least not without simultaneously hacking all the others in the chain’s chronology. It would also not be possible for changes to be made to the data blocks and for those changes to be hidden.

With a cryptocurrency such as Bitcoin, blockchain is used for transactions – the buying and selling of the currency. With health records, the transactions would be consultations with physicians, X-ray images or blood test results, prescriptions, or surgical procedures. Each time data is added, it would need to be validated by a trusted entity who has been given an access key. Once validated, it would be added as a block in the chain in chronological order, with the blockchain comprising a patient’s entire medical history.
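As an added illustration of the scheme just described (example code, not from the post or any real product), here is a much simplified append-only ledger of one patient's health events in Python: each new event is validated by a trusted entity holding a key (modelled as an HMAC tag under a constructed key rather than a real signing scheme), each block is linked to the previous one by its SHA-256 hash, and any silent edit to an earlier block is caught by verification. Encryption of the block contents is omitted to keep the example self-contained.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

# Constructed key for the "trusted entity" that validates new entries. A real
# system would use a proper signing key per validator, not one shared secret.
VALIDATOR_KEY = b"constructed-validator-key-not-for-production"


@dataclass
class Block:
    index: int
    timestamp: str        # ISO-8601, supplied by the caller so the example is deterministic
    record: dict          # the health "transaction": consultation, lab result, prescription
    prev_hash: str        # SHA-256 digest of the previous block; this is the chain link
    validation: str = ""  # HMAC tag from the validating entity over the block body
    digest: str = ""      # SHA-256 over the body plus the validation tag

    def body(self) -> bytes:
        # Canonical serialisation so every party computes identical hashes.
        return json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "record": self.record, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":")).encode()

    def compute_digest(self) -> str:
        return hashlib.sha256(self.body() + self.validation.encode()).hexdigest()


class PatientLedger:
    """Append-only, hash-chained list of one patient's health events."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.chain: List[Block] = []

    def append(self, timestamp: str, record: dict, validator_key: bytes) -> Block:
        prev_hash = self.chain[-1].digest if self.chain else self.GENESIS
        block = Block(len(self.chain), timestamp, record, prev_hash)
        # The trusted entity validates the entry before it becomes part of the chain.
        block.validation = hmac.new(validator_key, block.body(), hashlib.sha256).hexdigest()
        block.digest = block.compute_digest()
        self.chain.append(block)
        return block

    def verify(self, validator_key: bytes) -> Optional[int]:
        """Return the index of the first block that fails, or None if the chain is intact."""
        expected_prev = self.GENESIS
        for block in self.chain:
            if block.prev_hash != expected_prev:
                return block.index            # chain link broken
            tag = hmac.new(validator_key, block.body(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(tag, block.validation):
                return block.index            # contents no longer match what was validated
            if block.compute_digest() != block.digest:
                return block.index            # stored digest does not match contents
            expected_prev = block.digest
        return None


def build_sample_ledger() -> PatientLedger:
    """Three constructed events for one patient, appended in chronological order."""
    ledger = PatientLedger()
    ledger.append("2017-03-01T09:00:00Z", {"type": "consultation", "note": "annual check-up"}, VALIDATOR_KEY)
    ledger.append("2017-03-02T14:30:00Z", {"type": "lab", "test": "HbA1c", "value": 5.4}, VALIDATOR_KEY)
    ledger.append("2017-03-05T11:15:00Z", {"type": "prescription", "drug": "metformin"}, VALIDATOR_KEY)
    return ledger


def tamper_and_verify() -> Optional[int]:
    """Silently alter a historical lab value and report where verification first fails."""
    ledger = build_sample_ledger()
    ledger.chain[1].record["value"] = 9.8   # an edit made directly to stored data
    return ledger.verify(VALIDATOR_KEY)      # -> 1


if __name__ == "__main__":
    print("intact chain:", build_sample_ledger().verify(VALIDATOR_KEY))
    print("first failing block after tampering:", tamper_and_verify())
```

Re-computing the digest of the edited block does not help an attacker who lacks the validator key, because the HMAC check fails before the digest is even compared.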

The use of blockchain for medical records could prove highly beneficial for providers and patients, not only for keeping medical records secure but also for pulling together fragmented medical records stored by multiple healthcare providers.

This would allow full medical records to be easily shared between providers. Medical records would not need to be transmitted electronically between providers; new providers would simply need to be told where to access the information and be given the access key.

Blockchain has potential to make it far easier for patients to access their healthcare records. Rather than submitting a request for copies of their health data with several different healthcare providers, one request could be submitted and their full healthcare record could be accessed. Currently, that process can be complicated, time-consuming, and potentially costly for the patient, since each provider is permitted under HIPAA to charge a fee for providing copies of data.

When data is provided through patient portals, the process of piecing together health records can be even more complicated, as is sharing the information. Blockchain could also help sort out the issues that exist with multiple patient identifiers.

Blockchain clearly works for financial transactions, but what about blockchain and medical records? Could it work in practice? Trials using blockchain and medical data have shown very promising results. One trial conducted by MIT Media Lab and Beth Israel Deaconess Medical Center showed blockchain to work well for tracking test results, treatments, and prescriptions for inpatients and outpatients over 6 months. In that trial, data exchange between two institutions was simulated using two different databases at Beth Israel. Plans are now underway to expand the pilot.

There are still issues that must be resolved. Blockchain is not anonymous but pseudonymous. There is also the problem of how to make certain records private, such as psychotherapy notes, to prevent patients accessing that information.

It would also be necessary for blockchain to be extensively tested with health data, and healthcare organizations would need to be convinced to adopt blockchain medical records systems. Encouragingly, earlier this year, IBM conducted a survey of 200 healthcare organizations; 16% said they expected to have a commercial blockchain solution in place this year.

FDA Releases Final Premarket Guidance for Medical Device Manufacturers on Secure Data Exchange

The U.S. Food and Drug Administration (FDA) has released final guidance on medical device interoperability, making several recommendations for smart, safe, and secure interactions between medical devices and health IT systems.

The FDA says, “Advancing the ability of medical devices to exchange and use information safely and effectively with other medical devices, as well as other technology, offers the potential to increase efficiency in patient care.”

Providers and patients are increasingly reliant on rapid and secure interactions between medical devices. All medical devices must therefore be able to reliably communicate information about patients to healthcare providers and work seamlessly together. For that to be the case, safe connectivity must be a central part of the design process. Manufacturers must also consider the users of the devices and clearly explain the functionality, interfaces, and correct usage of the devices.

The guidelines spell out what is required and should help manufacturers develop devices that can communicate efficiently, effectively, and securely; however, the guidelines are only recommendations and are not legally enforceable. It is down to each manufacturer to ensure the recommendations are incorporated into the design of the devices.

FDA Associate Director for Digital Health Bakul Patel explained in a recent blog post that the guidelines focus on three key areas: ensuring interoperability is at the core of the design of the devices; that verification, validation and risk management activities are performed; and that the functional, performance, and interface characteristics of the devices are clearly specified to users.

In terms of interoperability, the guidelines say, “In designing a medical device’s electronic interface, manufacturers should consider the level of interoperability needed to achieve the purpose of the interface, as well as the information necessary to describe the interface.”

Manufacturers should “address the risks associated with the anticipated users of the device, reasonably foreseeable misuse of the device, and reasonably foreseeable combinations of events that could result in a hazardous situation.”

Devices must also be clearly labelled to advise users of the functional, performance and interface characteristics, including explicit warnings against foreseeable uses that could result in harm.

Patel explained that the FDA’s main concern is safety. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system. Our guidance recommends appropriate functional, performance, and interface requirements for devices with such interactions.”

Manufacturers should be transparent about the functions and characteristics of the devices and their interfaces to ensure those using the devices alongside other systems and devices can do so safely. If it is not clearly explained to users how the devices function and interface, this could potentially lead to devices malfunctioning, which would have an impact on patient safety. The guidelines say, “The manufacturer should determine the appropriate way to provide the information based upon the anticipated users and the risk analysis.”

Patel explained, “Our guidance is a good step towards safer devices, and we will continue to work with all stakeholders to adapt along with the technology.”

The final guidelines can be downloaded here.


Researchers Call for Updates to Guidelines for Emailing Patients

Researchers from Indiana University have conducted a study of current guidelines on emailing patients and have identified major weaknesses, a lack of up-to-date best practices, and outdated security practices that are no longer required due to changes in technology. Additionally, they confirmed there is a lack of information on new methods of communication such as secure texting and a lack of evidence showing the effectiveness of proposed practices for emailing and texting patients.

There was little to no evidence on how using email or text messages to communicate with patients could improve patient outcomes and a lack of information on how new communication tools could be used effectively by practitioners.

The researchers studied 11 sets of guidelines on electronically communicating with patients and found weaknesses across the board. The pace of change of technology is not reflected in the available guidelines, with many of the recommendations no longer required. The researchers were unsure if any of the valid recommendations in the guidelines are actually being followed.

The researchers said providers would benefit from having up-to-date guidance on effective messaging practices in the context of healthcare teams and detailed information on how messaging platforms could be incorporated into workflows. Current guidelines have a focus on technical issues such as platform specifications, when providers would benefit more from guidelines focused on the relational challenges of electronic communication. Practitioners are trained on effective face-to-face communication. The researchers suggest similar training should be provided on electronic communication.

Updates to the guidelines are long overdue, with several guidelines dating back more than a decade. However, before new guidelines can be developed, further research is required to evaluate and identify best practices. The researchers also call for “A framework to evaluate quality of communication, and assess the relationship between electronic communication and quality of care.”

The study – A critical appraisal of guidelines for electronic communication between patients and clinicians: the need to modernize current recommendations – was recently published in the Journal of the American Medical Informatics Association (JAMIA).


NIST Updates Digital Identity Guidelines and Tweaks Password Advice

The National Institute of Standards and Technology (NIST) has updated its Digital Identity Guidelines (NIST Special Publication 800-63B), which includes revisions to its advice on the creation and storage of passwords.

Digital authentication helps to ensure only authorized individuals can gain access to resources and sensitive data. NIST says, “authentication provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”

The Digital Identity Guidelines include a number of recommendations that can be adopted to improve the digital authentication of subjects to systems over a network. The guidelines are not specific to the healthcare industry, although the recommendations can be adopted by healthcare organizations to improve password security.

To make it harder for hackers to defeat the authentication process, NIST recommends the use of multi-factor authentication, for example a password along with a cryptographic authenticator.

NIST suggests physical security mechanisms should be adopted to prevent the theft of cryptographic authenticators, while system security controls should be implemented to prevent malicious actors from gaining access to systems and installing malware such as keyloggers.

Security is only as good as the users of the system, so periodic training is required to ensure users understand their obligations and the importance of reporting suspected account compromises.

Out-of-band techniques (something you have) are also recommended to verify proof of possession of registered devices such as cell phones.

Passwords are categorized as ‘memorized secrets’ by NIST, which suggests a minimum of 8 characters should be used, although longer memorized secrets of at least 64 characters should be encouraged. Unicode characters, special characters and spaces should be allowed.

The use of spaces does not add to password complexity, although it does help end users set strong passwords such as secret phrases. The longer the memorized secret, the harder it will be for malicious actors to guess.

Brute force attacks are used to gain access to systems by repeatedly guessing passwords. These automated attacks can involve many thousands of guesses, and start with commonly used passwords, dictionary words, repetitive and consecutive sequences of characters (aaaaaaaa, 12341234, 1234abcd), context specific words (server1, MRIpassword), and other weak passwords such as the use of the username in the password and passwords previously exposed in past data breaches.

Administrators should therefore set password policies that prevent these password choices. In the case of dictionary words, all words less than the minimum character requirement can be discounted. NIST says the use of password strength monitors helps end users select strong passwords.

While the forced use of special characters, lower case letters, and upper case letters is intended to improve password strength, in reality this may not be the case. Forcing users to include at least one lower case letter, one upper case letter, one number and one special character may not result in the creation of stronger passwords.

NIST says, “Analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought,” but “the impact on usability and memorability is severe.” Such a system means the password will be made much more difficult to remember and end users end up circumventing policies as a result. For example, with those controls in place, Password1! would be acceptable, even though the password is weak.

NIST says “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner.”

By allowing the use of spaces in passwords, users can choose more complex secrets, especially if the upper character limit is not overly restrictive. NIST recommends allowing long passwords (within reason). (See Appendix A – Strength of Memorized Secrets).

NIST also points out that there are other methods that can be adopted that provide greater protection than strong passwords. “Blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks.”
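As an added illustration (example code, not from NIST or the post), the following Python verifier applies the 800-63B advice above: a length floor of 8 with long Unicode passphrases allowed, no composition rules, a blacklist covering the categories listed earlier (breached and dictionary words, context-specific words, the username, repetitive and consecutive sequences), salted PBKDF2 hashing for storage, and per-account rate limiting. The word lists are constructed samples, and the PBKDF2 iteration count is kept low for a quick demonstration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Dict, List, Optional, Set

MIN_LEN = 8     # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 128   # verifiers should accept at least 64 characters; a generous cap is fine

# Constructed sample lists standing in for a real breached-password corpus, a
# dictionary (words shorter than MIN_LEN are omitted: the length check already
# rejects them), and an organisation's context-specific words.
BREACHED: Set[str] = {"password1!", "letmein123", "qwerty123456"}
DICTIONARY: Set[str] = {"hospital", "radiology", "password", "summertime"}
CONTEXT_WORDS: Set[str] = {"server1", "mripassword", "acmehealth"}


def normalize(secret: str) -> str:
    # 800-63B asks verifiers to apply Unicode normalisation (NFKC or NFC) before
    # comparing or hashing, so a passphrase typed on different keyboards matches.
    return unicodedata.normalize("NFKC", secret)


def is_all_consecutive_runs(s: str, min_run: int = 4) -> bool:
    """True if the secret is nothing but runs of consecutive code points (1234abcd, zyxwvuts)."""
    i = 0
    while i < len(s):
        j, step = i, None
        while j + 1 < len(s):
            d = ord(s[j + 1]) - ord(s[j])
            if step is None and d in (1, -1):
                step = d
            elif d != step:
                break
            j += 1
        if j - i + 1 < min_run:
            return False
        i = j + 1
    return True


def reject_reason(secret: str, username: str) -> Optional[str]:
    """Return why a candidate memorized secret is unacceptable, or None if it passes."""
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return "too short"
    if len(s) > MAX_LEN:
        return "too long"
    low = s.lower()
    if low in BREACHED:
        return "found in breached-password list"
    if low in DICTIONARY:
        return "dictionary word"
    if low in CONTEXT_WORDS:
        return "context-specific word"
    if username and username.lower() in low:
        return "contains username"
    if re.fullmatch(r"(.+?)\1+", low):       # aaaaaaaa, 12341234
        return "repetitive sequence"
    if is_all_consecutive_runs(low):         # 1234abcd
        return "consecutive sequence"
    return None                              # no composition rules, by design


def hash_secret(secret: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store salt || derived key, never the secret itself."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, iterations)
    return salt + dk


def check_secret(stored: bytes, candidate: str, iterations: int = 100_000) -> bool:
    salt, dk = stored[:16], stored[16:]
    cand = hashlib.pbkdf2_hmac("sha256", normalize(candidate).encode(), salt, iterations)
    return hmac.compare_digest(dk, cand)     # constant-time comparison


class RateLimiter:
    """Allow at most `limit` failed attempts per account inside a sliding `window` (seconds)."""

    def __init__(self, limit: int = 5, window: float = 300.0) -> None:
        self.limit, self.window = limit, window
        self._failures: Dict[str, List[float]] = {}

    def allowed(self, user: str, now: float) -> bool:
        recent = [t for t in self._failures.get(user, []) if now - t < self.window]
        self._failures[user] = recent
        return len(recent) < self.limit

    def record_failure(self, user: str, now: float) -> None:
        self._failures.setdefault(user, []).append(now)


def login(stored: bytes, user: str, candidate: str, limiter: RateLimiter, now: float) -> str:
    """Verifier flow: rate limit first, then hash comparison; returns ok / denied / locked."""
    if not limiter.allowed(user, now):
        return "locked"
    if check_secret(stored, candidate):
        return "ok"
    limiter.record_failure(user, now)
    return "denied"
```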

NIST also points out that while these measures – and strong passwords – can help to thwart brute force attacks, they are not effective against many forms of password-related attacks. Even if a 100-character strong password is used, it will still be obtained by a malicious actor who has installed keylogging malware or if an employee responds to a social engineering or phishing attack. Other security controls must therefore be implemented to prevent these sorts of attacks.


Philips Ships DoseWise Portal with Serious Vulnerabilities

The Philips web-based radiation monitoring app – DoseWise Portal (DWP) – has been shipped with serious vulnerabilities that could be easily exploited by hackers to gain access to patients’ protected health information. ICS-CERT has warned healthcare providers that the vulnerabilities could be remotely exploited by hackers with a low level of skill to gain access to medical data.

Two vulnerabilities have been identified. The first (CVE-2017-9656) is the use of hard-coded credentials in a back-end database with high privileges that could jeopardize the confidentiality, integrity and availability of stored data and the database itself. In order for an attacker to exploit the vulnerability, elevated privileges would be required to gain access to the system files of the back-office database. Even so, ICS-CERT says an attacker with a low level of skill could exploit the vulnerability and has given it a CVSS v3 rating of 9.1 out of 10.

The second vulnerability (CVE-2017-9654) involves cleartext storage of sensitive information in back-end system files. The vulnerability has been given a CVSS V3 rating of 6.5 out of 10.

ICS-CERT is unaware of any publicly available exploits for the vulnerabilities, although healthcare organizations have been advised to implement mitigations. Until a new DWP version is released – which is expected later this month – healthcare organizations have been advised to ensure network security best practices are implemented and that port 1433 is blocked if a separate SQL server is not being used.

Best practices include minimizing network exposure by ensuring the devices/systems are not accessible from the Internet, locating the systems/devices behind firewalls, and isolating them from the business network. If remote access is required, systems should only be accessed via a VPN that has been updated to the latest version.

Philips says the vulnerable versions are 1.1.7.333 and 2.1.1.3069. Philips will release DWP version 2.1.2.3188 for users of version 2.1.1.3069; it changes the authentication method and removes the hard-coded credentials. DWP version 1.1.7.333 will be updated to change the stored passwords and fully encrypt them.

Publicly Available Exploits Exist for Siemens CT/PET System Vulnerabilities

The ICS-CERT warning comes just days after an advisory about four serious vulnerabilities in Siemens CT and PET systems that could be remotely exploited to gain access to the devices. In that case, exploits for the vulnerabilities are publicly available. The vulnerabilities have existed for at least two years and affect the Windows 7-based platform on which the Siemens CT/PET systems run.

With hackers increasingly targeting healthcare organizations to gain access to medical data and extort money, it is essential that medical device and application developers conduct more extensive security testing to ensure vulnerabilities are identified and corrected before products come to market. Post-market vulnerability testing is also essential to make sure devices remain secure throughout their life cycles.


Security Incidents Experienced by More Than a Third of Organizations in the IoT Medical Device Sphere

A recent Deloitte survey of 370 professionals involved in the IoT medical device ecosystem found that more than a third (36%) of their organizations had experienced a security incident related to those devices in the past year.

Respondents were medical device or component manufacturers, healthcare IT organizations, medical device users or regulators.

When asked about the biggest cybersecurity challenge with IoT medical devices, 30% named identifying and mitigating the risks of fielded and legacy connected devices. Other major challenges were incorporating vulnerability management into the design process (20%), monitoring for and responding to cybersecurity incidents (20%), and the lack of collaboration on threat management throughout the medical device supply chain (18%). Only 8% of respondents rated meeting regulatory requirements as the biggest challenge.

Identifying and mitigating risks is only part of the problem. There will be times when cyberattacks succeed and malicious actors gain access to the devices. Healthcare organizations and device manufacturers must be prepared to deal with incidents when they occur. When asked how prepared they were to deal with breaches, subsequent litigation or regulatory matters, only 19% of respondents said they were very prepared. 56% said they were somewhat prepared while 13% said they were not prepared at all.

Devices currently being developed can have cybersecurity incorporated at an early stage, which makes securing the devices for the entire lifecycle of the products far easier. For devices already in use, cybersecurity is a major concern. Many of the devices are running on outdated operating systems or are connected to networks that lack appropriate security controls.

Unfortunately, since each device has different cybersecurity requirements and operates differently, securing the devices is not straightforward. Controls need to be applied to the device itself and to the networks it connects to. Russell Jones, a Deloitte risk and financial advisory partner with Deloitte & Touche LLP, said that when it comes to medical device cybersecurity, "There is no magic bullet solution."

Device manufacturers can certainly do more to incorporate cybersecurity controls into their devices, but to make the devices truly secure, there needs to be collaboration between providers, manufacturers, and suppliers. As Jones explained, “This is a problem that requires the industry as a whole to come together and create a safe space where feedback and information can be shared freely.”

The number of IoT devices now being used has grown considerably and as more devices are connected to healthcare networks, managing the devices and monitoring for vulnerabilities becomes an even bigger problem.

Healthcare organizations must have an IoT management and security solution in place, as it is simply not possible to manage security for that many devices manually. Without a solution that gives IT teams visibility of and control over the devices, vulnerabilities cannot be managed and mitigated.

Deloitte does offer some suggestions for improving medical device cybersecurity, recommending that healthcare organizations:

  • Implement a domain hierarchy – Formalize, organize, and structure medical device cybersecurity activities and governance to protect patient safety and respond more quickly to regulators, legal matters, or internal investigations. Deloitte recommends that work instructions and templates be developed for each unique device, and that documentation of quality management system (QMS) protocols be centralized and regularly updated.
  • Conduct product security risk assessments at least annually – Risk assessment should nevertheless be an ongoing process, with assessments repeated when business processes change, when suppliers change, and on acquisitions and divestitures.
  • Take a forensic approach to incident response – When devices are compromised, the incident timeline must be established, anomalous behavior detected, and the organization must determine what data were exposed or accessed.
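Deloitte's third recommendation is concrete enough to show in code. The following Python is an added example, not drawn from the Deloitte report: it builds a single UTC timeline from two constructed log sources with different time zones and formats (an application server log in local time and a SQL Server audit log in UTC), flags database logins from clients other than the expected application server or using a built-in administrative login, and totals the rows read by that client so the organization can state which tables, and how many records, were exposed. All host names, addresses, table names and row counts are invented for the illustration, and the UTC-4 offset for the application log is an assumption of the example.

```python
"""Build a UTC incident timeline from heterogeneous logs, flag anomalous
database logins and total the records read by the intruder.

Added example, not from the Deloitte report. The two log sources, their
time zones, hosts, addresses, tables and row counts are all constructed.
"""
import re
from datetime import datetime, timedelta, timezone

SOURCES = {
    # Application server log exported in local time; assumed UTC-4 for this example.
    "dwp-app": {
        "tz": timezone(timedelta(hours=-4)),
        "pattern": re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$"),
        "fmt": "%Y-%m-%d %H:%M:%S",
    },
    # SQL Server audit export, already in UTC (trailing Z).
    "sql-audit": {
        "tz": timezone.utc,
        "pattern": re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<msg>.*)$"),
        "fmt": "%Y-%m-%dT%H:%M:%S",
    },
}

SAMPLE_LOGS = {
    "dwp-app": """\
2017-08-14 02:11:40 IIS GET /dwp/login.aspx client=203.0.113.9 status=200
2017-08-14 02:12:02 IIS GET /dwp/web.config.bak client=203.0.113.9 status=200
""",
    "sql-audit": """\
2017-08-14T05:40:10Z LOGIN principal=dwp_app client=10.0.5.20 result=success
2017-08-14T06:13:30Z LOGIN principal=sa client=203.0.113.9 result=success
2017-08-14T06:14:05Z SELECT principal=sa client=203.0.113.9 object=dbo.Patients rows=18422
2017-08-14T06:15:41Z SELECT principal=sa client=203.0.113.9 object=dbo.DoseEvents rows=90310
2017-08-14T06:16:02Z LOGOUT principal=sa client=203.0.113.9
2017-08-14T07:00:00Z LOGIN principal=dwp_app client=10.0.5.20 result=success
""",
}


def normalize(source, line):
    """Parse one log line into an event with a timezone-aware UTC timestamp."""
    spec = SOURCES[source]
    m = spec["pattern"].match(line)
    if not m:
        return None
    local = datetime.strptime(m.group("ts"), spec["fmt"]).replace(tzinfo=spec["tz"])
    msg = m.group("msg")
    return {
        "utc": local.astimezone(timezone.utc),
        "source": source,
        "action": msg.split()[0],
        "fields": dict(re.findall(r"(\w+)=(\S+)", msg)),
        "msg": msg,
    }


def build_timeline(logs):
    """Merge {source: text} into one list of events ordered by UTC time."""
    events = [ev for source, text in logs.items()
              for ev in (normalize(source, ln) for ln in text.splitlines()) if ev]
    events.sort(key=lambda e: e["utc"])
    return events


def find_anomalous_logins(events, expected_clients, high_priv=("sa",)):
    """Successful DB logins from an unexpected client or with a built-in admin login."""
    return [e for e in events
            if e["source"] == "sql-audit" and e["action"] == "LOGIN"
            and e["fields"].get("result") == "success"
            and (e["fields"].get("client") not in expected_clients
                 or e["fields"].get("principal") in high_priv)]


def data_exposed(events, client):
    """Rows read per table by the given client: the 'what was accessed' answer."""
    totals = {}
    for e in events:
        if e["action"] == "SELECT" and e["fields"].get("client") == client:
            obj = e["fields"]["object"]
            totals[obj] = totals.get(obj, 0) + int(e["fields"]["rows"])
    return totals


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for e in timeline:
        print(e["utc"].isoformat(), e["source"], e["msg"])
    for bad in find_anomalous_logins(timeline, {"10.0.5.20"}):
        print("ANOMALOUS LOGIN:", bad["utc"].isoformat(), bad["fields"])
        print("exposed:", data_exposed(timeline, bad["fields"]["client"]))
```

The point of normalizing to UTC before sorting is that, in the constructed data, the web request for a backup config file (02:12 local) and the sa login (06:13 UTC) are 88 seconds apart; read in their native time zones they look four hours apart and the causal link is lost.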
