Taking a collaborative approach to cybersecurity

When COVID-19 hit, many healthcare organizations (HCOs) scrambled to provide patients with mobile devices. This move toward increased connectivity simultaneously expanded the cyberattack surface and increased data vulnerability.

“Many of the devices that were cleared by FDA for COVID-19 went through an expedited Emergency Use Authorization (EUA) review process, and many mobile tracking applications developed were not analyzed for vulnerabilities,” said Justin Heyl, Director, Enterprise Risk Management, Baxter.

To better protect data, HCO leaders need to check all the boxes typically associated with creating a secure environment, such as assessing the IT infrastructure, monitoring access to information, assembling an IT support team, and encouraging clinicians to bring data security concerns to IT and biomed staff.

Perhaps more importantly, though, leaders need to work closely with medical device manufacturers (MDMs) to ensure data security. Heyl specifically recommends that HCOs:

#1: Partner with sympathetic MDMs. “The product security risk assessment process needs to be symbiotic between the MDMs and the healthcare system,” he said.

HCOs need to partner with MDMs that understand the healthcare environments their devices are going into and that can build the appropriate threat models for those devices. Manufacturers can then build security into the design process from the beginning (security by design) rather than bolting it on as an afterthought.

#2: Ensure MDMs have the right credentials. “The MDM should be able to prove the cybersecurity maturity level of its own IT infrastructure, development environments, software development life cycle and product development life cycle,” Heyl noted.

MDMs also should be able to verify their data security capabilities via certifications and accreditations such as:

  • ISO/IEC 27001 information security, cybersecurity and privacy protection certification from the International Organization for Standardization.
  • UL 2900-2-1 Cybersecurity standard for medical devices recognized by the FDA in 2017.
  • CVE Numbering Authority (CNA) through the Common Vulnerabilities and Exposures (CVE) Program. As CNAs, MDMs are responsible for assigning CVE identifiers to vulnerabilities in their commercially available products and for publicly disclosing information about those vulnerabilities in the associated CVE record.

“As a CVE Numbering Authority, we support the faster identification, remediation and resolution of potential cybersecurity vulnerabilities. This allows hospitals and clinics to continue focusing on providing the highest level of care to patients,” he said.

To achieve this certification, the Cybersecurity & Infrastructure Security Agency (CISA) requires companies to go through a vetting process, apply, get tested and get approved. “Manufacturers have to prove to CISA that they have the internal competencies to assess and calculate the CVEs. And that’s a difficult process,” Heyl noted.

#3: Expect post-market services. After selling their devices, MDMs must provide clear communication and have support plans in place.

“As soon as the product is sold and installed, it becomes a legacy device that manufacturers need to support. From that point, there are new vulnerabilities that emerge. There are new controls that need to be put in place. That’s where the biggest gap and the biggest area for improvement are – vulnerability communication and management post deployment,” he pointed out.

#4: Demand virtual support. In the past, when servicing technology, MDMs typically had to physically take each device out of service to apply updates and fixes before returning it to the HCO.

Now, however, HCO leaders should work with MDMs that have secure connections into their environments, making it possible to maintain and upgrade devices remotely without disrupting clinical workflow.

Overall, when working with the right MDMs, HCOs can address vulnerabilities and deliver care with confidence. “Mature manufacturers understand what needs to be done in cybersecurity,” Heyl concluded. “They know the controls and the types of security settings that need to be in their devices.”