The security of medical devices is one of the biggest cybersecurity concerns in healthcare. Hospitals continue to add more connected medical devices and by doing so they significantly increase the attack surface. One recent survey found a strong link between the number of connected medical devices at medical practices and the number of cyberattacks they experience. Connected medical devices often have vulnerabilities that can be exploited, and provide hackers with an easy way to gain access to healthcare networks.
New legislation is being considered to force healthcare organizations to make medical device security a priority and to require the manufacturers of medical devices to do more to ensure the security of their devices for their entire lifecycle. For example, the Protecting and Transforming Cyber Health Care (PATCH) Act seeks to amend the Federal Food, Drug, and Cosmetic Act by requiring cybersecurity measures to be included in premarket submissions to demonstrate the safety and effectiveness of the devices throughout the product’s entire lifecycle.
Until new legislation is introduced, healthcare organizations need to make medical device cybersecurity a priority, but many find improving security a challenge. To make that process easier, the cybersecurity company Ordr, a leader in connected device security, has published a maturity model that serves as a framework to help healthcare organizations evaluate the security of their medical devices, benchmark their connected device security efforts, and develop an effective strategy for improving the strength of their security program.
The guidance document – A Practical Guide to Implementing Connected Device Security for Healthcare Organizations – helps healthcare organizations understand their current level of security maturity and identify where they need to focus their efforts to make improvements. The guide includes five levels of maturity, states the business value that can be achieved at each of the five stages, and provides recommended actions and insights to help security teams focus their efforts on the journey to zero trust.
The first stage is asset visibility – In order to secure medical devices, a healthcare organization must know where these devices are, the firmware versions they are running, and all software associated with the devices, so a complete, accurate, and up-to-date inventory must be maintained. The second stage concerns vulnerability and risk management. Healthcare organizations at this stage have combined device vulnerability insights, established device behavior baselines, reviewed external threat intelligence, and have a comprehensive view of the attack surface to guide their security efforts.
The third stage is reactive security, which is using the insights gained and the risk-based view identified in the previous stages to prioritize risk mitigation. The fourth stage is proactive security, involving automating policies and workflows to ensure threats can be rapidly detected and mitigated and implementing zero trust segmentation. The final stage is optimized security, where all previous security efforts are expanded and optimized with automation and zero trust security policies are fully implemented.
“Organizations cannot expect to reach the Optimized Security stage instantly. Each stage establishes critical capabilities, builds upon previous stages, and creates value on the journey to Zero Trust,” Brad LaPorte, author of the guide and former Gartner cybersecurity analyst. “No matter where you are on this journey and what your ultimate goal is, this guide provides essential insights to understanding your security posture – and what is needed to improve.”
The post Guide Released for Assessing and Improving Connected Medical Device Security appeared first on HIPAA Journal.