Category Archives: healthcare

What Does Healthcare Cybersecurity Look Like in a Future of Connected Medical Devices?

As technology continues to transform the way healthcare is delivered, the industry is burdened by the growing cybersecurity risks inherent in the expansion of connected devices. Understanding that each connected device opens another pathway for threat actors, it’s incumbent upon device manufacturers to keep security foremost throughout the development life cycle.

The question is, how can manufacturers ensure the security of the devices they create? Furthermore, what can healthcare companies do to mitigate the risks inherent in the future of healthcare cybersecurity?

Taking the Pulse of Health Care Cybersecurity Today

Because they are so often the target of cyberattacks, healthcare organizations took a beating once again in 2018. We saw some significant data breaches last year, such as the attack on Med Associates where more than 270,000 patient records were breached.

New research from Clearwater found that the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage and excessive user permissions — which, combined, account for nearly 37 percent of all critical risk scenarios. Credential misuse continues to threaten enterprise security across all sectors, including healthcare.

“When malicious actors gain access to accounts — whether by weak passwords or phishing attacks — they are given the literal keys to the kingdom,” said Justin Jett, director of audit and compliance for Plixer.

When it comes to medical devices, however, cybersecurity is making progress. According to Leon Lerman, CEO of Cynerio, “We are currently in the increased awareness state where healthcare providers, the Food and Drug Administration (FDA), the Department of Health and Human Services (HHS) and device manufacturers are starting to be more active in the space.”

Moving Toward a More Secure Future

The good news is that healthcare providers at hospitals are starting to include cybersecurity requirements in their procurement process. In fact, some are no longer depending on the medical device manufacturers and instead actively looking for dedicated device security solutions.

According to Lerman, the FDA and Department of Homeland Security (DHS) recently launched a joint initiative to “increase coordination in dealing with threats related to medical devices.” In addition, HHS released cybersecurity best practices to help healthcare organizations manage threats and protect patients from internet of things (IoT)-based attacks and other threats.

Manufacturers have not progressed alongside hospitals, though there are more conversations about strengthening the security of their devices, taking part in cybersecurity testing and streamlining the patching process. In reality, though, it’s only been within the last decade that these conversations have been taking place, and according to Anura Fernando, chief innovation architect at UL, medical devices can take at least that long to develop and get into the market.

“If you couple that with the fact that many devices are used by hospitals for 20–25 years, you can see that there is a major legacy systems issue, with many devices lacking security controls at the device level. Based on that timing offset, it could easily be five to 10 years before we see the complete turnover of equipment in use by hospitals that didn’t even have cybersecurity considered during design,” Fernando explained.

The Challenges of Securing Connected Devices

Legacy systems present myriad cybersecurity challenges, but there are other obstacles to securing medical devices. One that is closely related to legacy equipment is that of component obsolescence.

“When you consider the lengthy development timelines associated with most devices, it can easily be the case that security-related components such as operating systems and microcontrollers cease to be supported by the component vendor soon after a medical device reaches the market,” Fernando said.

As a result, maintenance activities such as security patches are no longer feasible for hospitals. Let’s say that security patches are released by the vendors, however. The time and cost it takes to validate these updates to devices is onerous.

“Even once this validation process is complete, it can be a daunting task to manage the deployment of a patch into the highly dynamic operational life cycle phase of a device, which may be in process of performing critical functions like life support,” said Fernando.

How Health Care Organizations Can Mitigate Security Risks

You can’t protect what you can’t see, so proper visibility into connected devices and their ecosystem is critical. Once you have visibility, understand the risk that each of these devices poses and take necessary proactive measures to minimize this risk, such as network segmentation, patching and removing devices from networks.

By monitoring device behavior and understanding what devices do in the context of medical workflows, you can detect anomalies when devices behave suspiciously. And, of course, early detection enables quicker response.

Strengthening password requirements can help you reduce risk, but when malicious actors gain a foothold, organizations need network traffic analytics to understand where the attack started and determine whether it has spread.

“By looking at how credentials are used throughout the network and creating a baseline of normal usage, network and security teams can be alerted to anomalous credential use and stop attacks as they happen,” Jett said.

Furthermore, all of the different stakeholders in the healthcare value chain need to be invested in securing the future of connected healthcare. Since this is a widespread effort across the healthcare environment, industry leaders should develop guidelines and standards to evaluate whether products and devices meet cybersecurity standards.

The post What Does Healthcare Cybersecurity Look Like in a Future of Connected Medical Devices? appeared first on Security Intelligence.

What You Need to Know About Secure Mobile Messaging in Healthcare

With the majority of people using smartphones these days, texting is all but a given when trying to communicate with your friends or family. But what about your doctor? A recent study determined that 96 percent of physicians use text messaging for coordinating patient care. This can raise eyebrows and red flags. Anyone with a […]… Read More

The post What You Need to Know About Secure Mobile Messaging in Healthcare appeared first on The State of Security.

HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations

The U.S. Department of Health and Human Services (HHS) released voluntary healthcare cybersecurity practices to help medical organizations strengthen their security posture.

On December 28, HHS released “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” in response to a mandate to develop healthcare cybersecurity standards laid out by the Cybersecurity Act of 2015. More than 150 cybersecurity and healthcare experts from the private and public sectors worked together for two years to fulfill this directive.

The publication is broken down into three sections. The first examines cybersecurity threats confronting the healthcare industry. The second portion identifies weaknesses that render healthcare organizations vulnerable to threats, and the third and final segment outlines strategies that medical entities can use to defend against digital threats.

Healthcare Data Breaches on the Rise

Healthcare data breaches are on the rise. In a study published by the JAMA Network, researchers analyzed all the data security incidents reported to the Office of Civil Rights at HHS between January 2010 and December 2017. They found a total of 2,149 breaches affecting 176.4 million patient records. The annual number of data breaches increased each year during the analyzed time period except 2015, starting with 199 in 2010 and growing to 344 in 2017.

Of the incidents that exposed patients’ personal health information (PHI), 53 percent originated inside the organization. That’s consistent with the Office of the Australian Information Commissioner’s (OAIC) quarterly statistics for Q3 2018. OAIC received 45 data breach notifications from healthcare organizations during the quarter, 56 percent of which resulted from human error.

Healthcare Cybersecurity Best Practices

Security professionals can begin enforcing healthcare cybersecurity best practices by producing creative employee awareness content that specifically appeals to the company’s workforce. Healthcare organizations should also adopt a security immune system strategy that, among other things, uses artificial intelligence (AI) and automation to mitigate risk across the network.

The post HHS Publishes Voluntary Healthcare Cybersecurity Practices for Medical Organizations appeared first on Security Intelligence.

Income, tax and immigration data stolen in Healthcare.gov breach

The Centers for Medicare and Medicaid Services (CMS) now has details about the data stolen in the breach of Healthcare.gov that occurred last month. According to the government agency, a significant amount of personal information including partial Social Security numbers, tax information and immigration status was compromised in the breach. No financial information was stolen.

Via: TechCrunch

Source: Centers for Medicare and Medicaid Services