5 steps to cybersecurity for Internet of Things medical devices

The healthcare industry is plagued with data breaches and other cybersecurity nightmares. At the same time, connected medical devices, part of the so-called Internet of Things, are multiplying, widening the attack surface and creating real potential for patient harm.

Without doubt, unsecured medical devices currently are putting hospitals and patients at risk, according to “Healthcare’s IoT Dilemma: Connected Medical Devices,” a new report from Forrester Research analyst Chris Sherman.

“You have less control over connected medical devices than any other aspect of your technology environment,” the report said. “Many times, vendors control patch and update cycles, and vulnerabilities persist that require segmentation from your network. Considering that many of these devices are in direct contact with patients, this is a major cause for concern.”

Additionally, medical devices are vulnerable to four attack scenarios, the report said. “Threats against medical devices include denial-of-service (DoS), patient data theft, therapy manipulation and asset destruction,” the report said. “Each represents risk to your organization, with DoS currently being the most severe.”

[...]

1. Categorize existing devices based on risk.

Once an organization places a device on a network, it becomes part of a connected system, and if that network is reachable from the Internet the device is discoverable. Search engines like Shodan (“The search engine for the Internet of Things”) index thousands of Internet-facing endpoints around the world that have no authentication at all or still use default passwords, which is why knowing what you have, and how exposed it is, comes first.

“There are five key factors that contribute to the risk rating of any medical device: Potential impact to patient safety; Network connectivity; Data sensitivity; Likelihood of attack; and Vendor security SLA,” the report said. “For starters, use industry risk assessment guidelines, standards and expertise. The Medical Device Innovation, Safety and Security Consortium (MDISS) provides a space for industry leaders to collaborate and exchange ideas; the National Cybersecurity Center of Excellence (NCCoE), established by the National Institute of Standards and Technology (NIST), released its first cybersecurity practice guide last year called ‘Securing Electronic Health Records on Mobile Devices’; and Forrester Research’s Medical Device-Risk Heat Map can help categorize devices based on risk.”
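
One way to turn those five factors into a ranked inventory, as an added example that is not code from the article or from Forrester: each device is scored 1 to 5 on every factor, the scores are combined into a single rating, the rating is bucketed into a heat-map tier, and the controls the rating implies (segmentation for connected devices the vendor will not patch, as the report describes) are derived from it. The weights, the tier cut-offs, the inversion of the vendor SLA factor so that a high score always means more risk, and the sample inventory are all assumptions made for the example.

```python
"""Risk-tier a medical device inventory on the five factors the report names.
Example code added for this page, not the article's or Forrester's method; the
weights, tier cut-offs, 1-5 scale and sample inventory are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Each factor is scored 1 (low) to 5 (high). For the vendor SLA factor a high
# score means a WEAK SLA (no committed patch cycle), so high always means more
# risk. Weights are an assumption; patient safety dominates because the same
# flaw is far worse on a device in direct contact with a patient.
WEIGHTS: Dict[str, float] = {
    "patient_safety": 0.35,
    "network_connectivity": 0.20,
    "data_sensitivity": 0.15,
    "attack_likelihood": 0.20,
    "vendor_sla_gap": 0.10,
}


@dataclass
class Device:
    name: str
    factors: Dict[str, int]


def validate(device: Device) -> None:
    """Reject missing or out-of-range factors, so a blank inventory row
    cannot silently land a device in the 'low' tier."""
    missing = set(WEIGHTS) - set(device.factors)
    if missing:
        raise ValueError(f"{device.name}: missing factors {sorted(missing)}")
    for key, value in device.factors.items():
        if key not in WEIGHTS or not 1 <= value <= 5:
            raise ValueError(f"{device.name}: bad factor {key}={value}")


def risk_score(device: Device) -> float:
    """Weighted sum of the five factors, still on a 1-5 scale."""
    validate(device)
    return round(sum(WEIGHTS[k] * device.factors[k] for k in WEIGHTS), 2)


def tier(score: float) -> str:
    """Heat-map bucket; the cut-offs are an assumption."""
    if score >= 4.0:
        return "critical"
    if score >= 3.0:
        return "high"
    if score >= 2.0:
        return "medium"
    return "low"


def control_plan(device: Device) -> List[str]:
    """Turn the rating into decisions. The first rule is the one the report
    states outright: a connected device the vendor will not patch promptly
    has to be segmented from the rest of the network."""
    f = device.factors
    plan: List[str] = []
    if f["vendor_sla_gap"] >= 4 and f["network_connectivity"] >= 3:
        plan.append("segment: dedicated VLAN, allow only vendor-documented flows")
    if f["patient_safety"] >= 4:
        plan.append("safety: clinical engineering sign-off before any change")
    if f["data_sensitivity"] >= 4:
        plan.append("data: encrypt in transit and log access to patient data")
    if tier(risk_score(device)) in ("critical", "high"):
        plan.append("monitor: baseline traffic passively, alert on new destinations")
    if not plan:
        plan.append("standard: inventory, default-credential check, vendor patch cycle")
    return plan


def categorize(devices: List[Device]) -> List[dict]:
    """Rank the inventory, highest risk first."""
    rows = []
    for d in devices:
        score = risk_score(d)
        rows.append({"device": d.name, "score": score,
                     "tier": tier(score), "plan": control_plan(d)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory: made-up devices and scores for illustration.
INVENTORY = [
    Device("infusion pump, ward 3", {"patient_safety": 5, "network_connectivity": 4,
                                     "data_sensitivity": 2, "attack_likelihood": 4,
                                     "vendor_sla_gap": 5}),
    Device("MRI console", {"patient_safety": 3, "network_connectivity": 5,
                           "data_sensitivity": 5, "attack_likelihood": 4,
                           "vendor_sla_gap": 3}),
    Device("bedside monitor", {"patient_safety": 4, "network_connectivity": 3,
                               "data_sensitivity": 3, "attack_likelihood": 2,
                               "vendor_sla_gap": 4}),
    Device("lab label printer", {"patient_safety": 1, "network_connectivity": 3,
                                 "data_sensitivity": 1, "attack_likelihood": 3,
                                 "vendor_sla_gap": 2}),
]

if __name__ == "__main__":
    for row in categorize(INVENTORY):
        print(f'{row["score"]:.2f} {row["tier"]:8} {row["device"]}')
        for step in row["plan"]:
            print(f"    - {step}")
```

The point of deriving the plan from the factors rather than from the single score is that two devices with the same rating can need different controls: the MRI console rates almost as high as the pump because of its data and connectivity, but it is the pump, with no vendor patch commitment, that must be segmented.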

2. Implement a clinical risk management framework.

The International Electrotechnical Commission (IEC), for example, publishes voluntary standards across many technology industries, including IEC 80001-1, which applies risk management to IT networks that incorporate medical devices.

[...]

3. Ensure that your organization follows basic security hygiene.

Forrester Research reported that the vast majority of healthcare breaches in the past few years were due to social engineering and spear-phishing attacks. These problems have known solutions, but these solutions often demand a major cultural change by an organization.

[...]

4. Include security requirements in new device requests for proposals and contract language.

Medical device manufacturers generally are not required to include security controls on their devices or to provide guidance to their customers on how to protect them. But healthcare organizations, as potential customers, have the purchasing power to make manufacturers do both.

[...]

5. Apply a zero trust networking architecture.

[...]

See more at: healthcareitnews.com

Li Yiduo

1 comment:

  1. It's so important to have preventative methods in place. Solid 5 steps! Thanks for sharing.

    Fred H | www.amazingsupport.co.uk
