The Xceptional Blog

Medical device security: Three ways you can act to reduce the risk

Written by Natalie | Jan 13, 2018 2:00:04 AM

If 2017 was about ransomware attacks, 2018 will be about cyber attacks on the Internet of Things (aka medical devices). As we begin the year, that’s the message we’re hearing from a number of sources.

This should come as no surprise to those of us in the healthcare industry, given the recent attention on devices such as pacemakers, which were the focus of an FDA recall last year (and the topic of our number one most read healthcare blog).

Device security is a complex problem, partly because there is no industry-standard operating system for products such as insulin pumps, CT scanners, pacemakers, and the like. Many devices use “off-the-shelf” software that’s vulnerable to viruses and worms, according to the U.S. FDA. What’s worse, a small percentage of older devices run on operating systems like Windows XP that no longer receive security updates. And countless devices built 20 years ago or more—when Windows 95 was considered the latest in technology—are still in service today.

So what exactly can be done to secure these important, life-critical devices?

Surprisingly, the answer doesn’t lie exclusively in the IT/security department (although technology plays a large part, to be sure). Forming a holistic, effective device security strategy means addressing three major areas of focus:

Organizational. Take a look at your structure: Are teams working together effectively with a shared goal in mind? Does Information Security tend to restrict access because they are trying to protect medical records, while Information Technology has a bias toward functionality and uptime? Do biomedical equipment technicians have exposure to security personnel who can help them understand the complexities at play? Small shifts in organizational structure can have a big impact when it comes to security.

Process. You have a plan for natural disasters, mass casualty events, and other emergencies. But have you outlined the process for what to do in the event of a device security breach? How would you know if a breach happened? Other areas to look at might include your culture (Do clinicians engage in risky behavior? Are you making security easy and hassle-free for them?) and/or your process for procuring new devices.

Technology. Yes, as mentioned, technology is key—and worthy of investment. From simply keeping up with patches to micro-segmenting your devices to replacing your entire network, there are a number of technology solutions you can employ to ensure your devices stay secure and patients (and their data) are protected.

By Amy Young

Published with permission from blogs.cisco.com