Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Big Data and Analytics
    • Big Data and Analytics
    • Cloud
    • Cybersecurity
    • Development
    • Innovation
    • IT Management
    • Mobile
    • Storage

    Enabling Proactive Cybersecurity in Health Care as Threats Proliferate

    By
    eWEEK EDITORS
    -
    March 7, 2020
    Share
    Facebook
    Twitter
    Linkedin
      Healthcare.IT

      During the past few decades, the health-care industry has integrated more digital systems, amassed more digital data and automated clinical workflows. This has caused the industry to become a more attractive target to cyber adversaries, while clinicians have become more dependent on these digital systems.

      On the other hand, cyber threats are evolving rapidly as attacks are becoming increasingly targeted, sophisticated and well-executed. As a result, health care finds itself exposed to more threats and sees increased risk, as a cyber incident can impact the privacy of sensitive patient data and interfere with hospital operations and care delivery–in addition to patient safety. 

      This developing tension between rapidly evolving digital systems and the information they hold while protecting them against today’s cyber attacks will require a new thinking and an improved approach to cyber defense.

      This eWEEK Data Points article is based on industry information from Vidya Murthy, Vice-President of Operations at MedCrypt.

      Data Point No. 1: Hospitals will no longer accept medical devices that aren’t proactively secured. 

      In the past, medical devices were shipped to hospitals, and device vendors would all but hope there were no cybersecurity vulnerabilities within the devices. If a vulnerability was found, vendors would react and try to mitigate via hospital-based intervention, or address the issue with a device update. This may have been acceptable years ago, but with increasing connectivity, a growing dependency on devices for care delivery, and a rapidly-evolving cyber threat landscape, this approach no longer provides sufficient security. Hospitals today are demanding that devices are proactively secured as they can’t–and don’t want to– deal with the repercussions of devices that are not secure.

      Data Point No. 2: Leading medical device manufacturers are competing on cybersecurity vulnerability disclosure trends.

      An analysis of ICS-CERT cybersecurity disclosures reveals device vendors reported 400% more vulnerabilities per quarter since the federal Food & Drug Administration (FDA) released its Postmarket Cybersecurity Guidance in December 2016, a potential sign of improving compliance. But only a subset of device vendors, representing only a subset of device types, are actively participating in this type of coordinated vulnerability disclosure, indicating that broader adoption of transparency is still lacking in the industry. Although thought leaders have established a path forward, improvement is still required. An approach to proactive security (i.e., designing security into the device) will help to reduce the number of security disclosures a manufacturer will have to manage and make it easier for hospitals to dedicate their limited resources and focus their security activities to the few critical cases.

      Data Point No. 3: FDA regulatory guidance promotes proactive security.

      With the FDA Premarket Cybersecurity Guidance (drafted October 2018), device vendors will need to implement cybersecurity best practices spanning both technical and process interventions. In considering the technical best practices recommended by the FDA, including cryptographic signatures, encryption and device monitoring, hospital procurement teams have confirmed alignment with the FDA’s expectations. The FDA established that a device vendor cannot delegate the responsibility for security to its hospital customers, but instead must demonstrate consideration of the process and technical features outlined. Therefore, to meet regulatory needs, medical device vendors will require improved processes (design, testing, release, postmarket management) as well as the use of security technology to provide the best possible foundation of security. 

      Data Point No. 4: Cybersecurity is not just data privacy, it’s a patient safety concern.

      The FDA repeatedly has shared that there has been no report of patient harm as a result of a medical device cybersecurity incident. However, research has shown a 13.3% higher mortality rate for patients experiencing a cardiac arrest whose care was delayed by just four minutes. Considering the impact of WannaCry on the UK National Health System resulting in 19,000 appointments being rescheduled, it is hard to imagine there were no direct patient impacts as a result of this cyber incident.

      Data Point No. 5: Broader trends in connectivity and non-hospital based care means the threat exposure is expanding.

      Health care has been shifting outside of the traditional hospital environment to offset increasing costs in care delivery, enable remote patient geography and to accommodate populations that are unable to access a healthcare delivery organization (HDO) on an ongoing basis. These changes have been great for patients and providers, enabling ongoing monitoring of patients even when they’re not in the HDO. But it also means that connected devices operate outside of the secured and monitored HDO network, while sending data back to providers within the HDO network. The introduction of these connection points serve as the introduction of additional threat vectors that need to be managed.

      Data Point No. 6: Process security is inadequate in isolation, such as patching for known vulnerabilities.

      The importance of patching cannot be understated in software lifecycle management. However, in health care, there is an added complication of clinical care. A review of vulnerability disclosures indicates a 50% increase in frequency of patching, since the FDA post-market guidance was released in 2016. While this shows great progress, there is no correlation between CVSS score severity and frequency of patching. Furthermore, it is commonly accepted that HDOs are challenged with timely with patch management. This is due to several reasons: regulations that can slow down the release and adoption of medical device patches, challenges of aligning patch deployment with clinical schedules and economic limitations.

      Data Point No. 7: Security tools must account for clinical use cases to be effective.

      There are a variety of engineering challenges that are unique to medical devices, such as unpredictable device connectivity, small device size, limited system resources, device management by hospitals, device operation behind a firewall, unknown “at home” security landscape, and perhaps most importantly, clinical reliance on continued functionality. Traditional IoT security solutions do not consider the unique needs of medical devices and therefore introduce additional challenges when deployed in a health-care setting.

      If you have a suggestion for an eWEEK Data Points article, email cpreimesberger@eweek.com.

      eWEEK EDITORS
      eWeek editors publish top thought leaders and leading experts in emerging technology across a wide variety of Enterprise B2B sectors. Our focus is providing actionable information for today’s technology decision makers.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×