
How to make the case for medical device security

Medical device security is an emerging topic for healthcare IT, with a lot of gray area over who is responsible for remediating the vulnerabilities that come with these devices.

Among the most common issues are provider organizations with very limited visibility into what medical devices are on the network, what devices they talk to, who has access to those machines and whether protected health information is stored on the device.

That’s the perspective of David Finn, executive vice president of strategic innovation at CynergisTek. Finn is scheduled to speak about the topic next month at HIMSS21.

“Without that information you cannot really assess vulnerabilities and risks,” he explained. “Once an organization has visibility into the medical devices on the network and the network’s topography, they can start to understand the technical risks to the machines and using the network itself to mitigate some of those risks–open ports, communication paths, access to the devices.”

He explained another typical issue he sees is governance: Who owns the devices? Who is responsible for security on medical devices?

“We often see clinical engineering at odds with IT or security over control and management,” he said. “We even see IT and security at odds about which group should do what to which devices and when.”

Finn said healthcare organizations tend to want to solve a specific problem when they go looking for security tools.

“Unfortunately, security is a journey, not a destination, and the ‘solution’ to security is almost never a ‘tool’; security has to include not only the tool, but the processes around that tool and the data it collects,” he said. “You have to address the people involved in the use of the tool and more importantly those involved in the processes around medical devices and the tools to monitor and secure them.”

He warned that acquiring tools can actually make security worse, either by providing a false sense of security or by adding complexity that is not well administered or managed.

“You must look at what you are trying to do holistically, and you may not be able to fix everything you want at one time,” he said.

That includes prioritizing the needs based on the risks and then having a plan to roll out “the solution” over time according to the criticality of those risks.
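The visibility gaps Finn describes (which devices are on the network, what they talk to, which ports are open, who has access, whether PHI is stored) and the follow-on step of prioritizing by risk can be worked through concretely. The following is an added example written for this page, not code from Finn, CynergisTek or any vendor: it takes a constructed device inventory and a handful of constructed flow records of the kind a firewall or NetFlow export produces, flags deviations from each device's documented communication profile, and ranks the devices so a remediation plan can be rolled out by criticality. Device names, addresses, ports, owners and the scoring weights are all hypothetical.

```python
"""Triage a medical-device inventory against observed network flows.

Added example for this article; all devices, addresses, ports and
weights below are constructed and hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Device:
    name: str
    ip: str
    owner: Optional[str]       # group that owns security for the device, None if unassigned
    stores_phi: bool           # does the device hold protected health information?
    expected_ports: Set[int]   # ports the vendor documentation says the device must serve
    expected_peers: Set[str]   # hosts the device is supposed to exchange traffic with


# Constructed inventory (hypothetical devices and addresses).
INVENTORY = [
    Device("infusion-pump-07", "10.20.1.7", "clinical-eng", False, {443}, {"10.20.0.10"}),
    Device("ct-scanner-02", "10.20.2.2", None, True, {104, 443}, {"10.20.0.20"}),
    Device("patient-monitor-14", "10.20.3.14", "IT", True, {2575}, {"10.20.0.30"}),
]

# Constructed flow records (src_ip, dst_ip, dst_port), as a firewall or
# NetFlow export would show them.
FLOWS: List[Tuple[str, str, int]] = [
    ("10.20.0.10", "10.20.1.7", 443),     # pump management server, expected
    ("10.20.0.20", "10.20.2.2", 104),     # DICOM from PACS to scanner, expected
    ("10.20.2.2", "203.0.113.9", 443),    # scanner reaching an Internet host
    ("10.20.9.99", "10.20.2.2", 22),      # unknown host SSH-ing to the scanner
    ("10.20.0.30", "10.20.3.14", 2575),   # HL7 feed to monitor, expected
    ("10.20.0.30", "10.20.3.14", 3389),   # RDP to a monitor that should only speak HL7
]

# Hypothetical weights per finding class; tune to the organization's risk appetite.
WEIGHTS = {"governance": 1, "access": 2, "exposure": 3, "egress": 3}


def assess(inventory: List[Device], flows: List[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Return {device_name: [finding, ...]} for every device with at least one finding.

    Each finding string is prefixed with its class ("governance:", "exposure:",
    "access:" or "egress:") so it can be scored by prioritize().
    """
    by_ip = {d.ip: d for d in inventory}
    findings: Dict[str, List[str]] = defaultdict(list)

    for d in inventory:
        if d.owner is None:
            findings[d.name].append("governance: no owner assigned for device security")

    for src, dst, port in flows:
        if dst in by_ip:                      # inbound traffic to a managed device
            d = by_ip[dst]
            if port not in d.expected_ports:
                findings[d.name].append(
                    f"exposure: inbound {port}/tcp from {src} on a port the device should not serve")
            elif src not in d.expected_peers:
                findings[d.name].append(
                    f"access: {src} reached expected port {port} but is not an approved peer")
        if src in by_ip:                      # traffic initiated by a managed device
            d = by_ip[src]
            if dst not in d.expected_peers:
                findings[d.name].append(
                    f"egress: device opened {dst}:{port}, not an approved communication path")
    return dict(findings)


def prioritize(inventory: List[Device], findings: Dict[str, List[str]]) -> List[Tuple[int, str]]:
    """Rank devices by risk score: weighted findings, doubled when the device stores PHI."""
    ranked = []
    for d in inventory:
        items = findings.get(d.name, [])
        score = sum(WEIGHTS[f.split(":", 1)[0]] for f in items)
        if d.stores_phi:
            score *= 2
        ranked.append((score, d.name))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


if __name__ == "__main__":
    found = assess(INVENTORY, FLOWS)
    for score, name in prioritize(INVENTORY, found):
        print(f"{score:3d}  {name}")
        for f in found.get(name, []):
            print(f"       - {f}")
```

With the constructed data the CT scanner ranks first: it has no owner, accepts SSH from an unknown host and initiates a connection to the Internet, and it stores PHI, so its score is doubled. The infusion pump produces no findings, which is the point of building the expected profile first: the network data only becomes a risk signal once the inventory says what normal looks like.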

From Finn’s perspective, the four critical risk categories that need to be addressed around a medical device security program are:

“Trying to identify growing cybersecurity threats is a lot like trying to capture lightning in a bottle,” he said. “The threats we know about are growing daily – almost exponentially. Unfortunately, it is the threats we do not know about and have not even conceived of that present the most dangerous risks.”

He said the goal in security now cannot be to be risk-free – that does not exist – but it must be to become resilient.

Organizations must be prepared: they must validate their controls, the people and the processes the organization runs on, and then practice for disaster, which includes preparing and rehearsing for the “bad event.”

“Hospitals plan and practice for chemical spills, airplane crashes, even terrorist events but the cybersecurity event is much more likely to happen,” he said. “Let us as a sector prepare ourselves for those events, too.”

David Finn will share some medical device security best practices at HIMSS21 in a session titled “Building a Case for Medical Device Security.” It’s scheduled for Wednesday, August 11, from 1-2 p.m. in Caesars Forum 123.


  • Posted on July 23, 2021