How Hospitals Can Help Improve Medical Device Data Security


To thwart cybercriminals, medical device manufacturers and hospitals must understand each other’s roles and shared responsibilities in protecting health information.
February 8, 2024
COMMENTARY
Hospitals and medical device manufacturers must team up to help create a secure environment to protect the personal health information derived from patient monitors and other medical devices.
For some time, this notion of shared responsibility for data security has been recognized as a best practice within the larger technology industry. For example, many cloud service providers follow this model to define the mutual security obligations of the cloud providers and their customers.
Within healthcare, a similar model has emerged, with medical researchers, developers, and regulatory bodies agreeing that cybersecurity is, in fact, a shared responsibility. This means medical device manufacturers, hospital software providers, and health organizations must collaborate to shield patient information and medical device systems against cybercriminal activity.
The US FDA requires medical device manufacturers and software providers to follow a process called security by design, which maintains that certain controls must be embedded in a product to make it easier for hospitals to deploy and use them securely.
Features such as configurable encryption, secure login pages, and user authentication requirements are examples of how manufacturers integrate security capabilities into their products. These security features in the product's design often require hospitals to take action to activate them and maintain their viability.
Consider the example of product access control. Typically, a device manufacturer or software provider implements access control in the product by verifying, or authenticating, the identity of a clinical user. The product can query the hospital's Active Directory service, using the required credentials and protocols, to determine whether the user belongs to a group the product recognizes through its configuration.
Only the healthcare organization can identify which users are authorized to access the system and configure the product appropriately. Using an inappropriate group, allowing too many users, or being lax about maintaining an up-to-date directory can open a network to unnecessary risk.
Even mobile and cloud-based applications require shared responsibility. Hospitals must ensure that browsers and mobile devices are up to date with security features enabled to optimize the manufacturer's cloud-based security controls, such as multifactor authentication.
Therefore, to facilitate secure product implementation, medical equipment manufacturers must embed security controls using proven algorithms and designs guided by the security-by-design process. At the same time, hospitals have their own share of responsibilities and activities to ensure the product is used securely.
With different products available throughout their facilities, it can be difficult for IT leaders to know how to proceed. For security measures to be successful, hospitals and manufacturers must collaborate to determine what will best meet the hospital's needs. Every hospital has processes and procedures to secure its IT infrastructure, which extend to all products within a system.
Before a hospital deploys a device, its manufacturer must be transparent about the security features that the hospital can use, as well as their expectations of the hospital environment. Hospitals, in turn, should educate themselves about those security features and determine if they meet their expectations.
Manufacturers usually make it easy for hospitals to understand how to optimize medical data security. They often provide clinical users and system administrators with information and guidelines such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2), software bills of materials (SBOMs), hardening guides, and other security guidance materials.
These documents provide step-by-step blueprints for healthcare providers to follow to do their part to protect medical device data from intrusion. Recommended steps may include restricting login access to specific personnel, securing connections between systems using network segmentation and restricted ports, using trusted certificates to verify the identity of medical devices and clinical data receiving systems, and other actions specific to the hospital's network.
Manufacturers' product documentation and guides tell hospitals how to leverage a medical device or software's embedded security features for optimal use. It's important to review these guides every time a new version of a product or software is deployed because enhanced security controls may require additional measures, such as updated encryption configurations or new private keys.
It's also not uncommon for some security controls, such as system access rules or password requirements, to degrade over time as clinical users make configuration or access changes. Use these guides regularly to verify that the current security configuration is still effective.
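The two hospital-side responsibilities described above, mapping device access to a directory group the product recognizes and periodically re-checking the configuration against the hardening guide, can be modelled in a few lines. The following is an added example and is not code from the article, from Philips, or from any Capsule product; the directory snapshot, group and user names, configuration fields, hardening baseline, and thresholds are all constructed for illustration.

```python
"""
Added example (not from the article, Philips, or Capsule): a group-based
authorization check plus a configuration-drift audit against a hypothetical
hardening baseline. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Constructed snapshot of a hospital directory: group name -> member accounts.
DIRECTORY = {
    "ICU-Monitor-Clinicians": {"nurse.a", "dr.b"},
    "Domain Users": {"nurse.a", "dr.b", "vendor.temp", "intern.c", "frontdesk.d"},
}

# Constructed last-login dates, used to spot accounts that were never cleaned up.
LAST_LOGIN = {
    "nurse.a": date(2024, 2, 1),
    "dr.b": date(2024, 1, 20),
    "vendor.temp": date(2023, 6, 1),
}

# Overly broad groups that should never be used as a device's authorized group
# (hypothetical list; a real deployment would take this from the hardening guide).
BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}


@dataclass
class DeviceConfig:
    """Hypothetical settings a manufacturer exposes and the hospital must configure."""
    authorized_group: str      # directory group allowed to use the device
    encryption_enabled: bool   # configurable transport encryption
    allowed_ports: set         # ports the hospital firewall leaves open to the device
    trusted_cert_only: bool    # accept only certificates from the hospital's trusted CA
    max_group_size: int = 50   # sanity limit on how many people the group may contain


# Constructed baseline: what the (hypothetical) hardening guide asks for.
HARDENING_BASELINE = DeviceConfig(
    authorized_group="ICU-Monitor-Clinicians",
    encryption_enabled=True,
    allowed_ports={443, 5671},
    trusted_cert_only=True,
)


def is_authorized(user, cfg, directory=DIRECTORY):
    """Product-side check: the user must be a member of the configured group."""
    return user in directory.get(cfg.authorized_group, set())


def audit(cfg, directory=DIRECTORY, last_login=LAST_LOGIN,
          today=date(2024, 2, 8), stale_days=90):
    """Hospital-side periodic review: return a list of findings, empty if the
    configuration still matches the baseline and the group is well maintained."""
    findings = []

    members = directory.get(cfg.authorized_group)
    if members is None:
        findings.append(f"group '{cfg.authorized_group}' not found in directory")
    else:
        # An inappropriate or oversized group grants access far beyond clinical need.
        if cfg.authorized_group in BROAD_GROUPS or len(members) > cfg.max_group_size:
            findings.append(f"group '{cfg.authorized_group}' is too broad "
                            f"({len(members)} members)")
        # Accounts with no recent login indicate a directory that is not kept current.
        for user in sorted(members):
            seen = last_login.get(user)
            if seen is None or (today - seen).days > stale_days:
                findings.append(f"stale account in group: {user}")

    # Settings that drift away from the hardening guide.
    if not cfg.encryption_enabled:
        findings.append("encryption disabled (baseline requires it)")
    extra_ports = sorted(cfg.allowed_ports - HARDENING_BASELINE.allowed_ports)
    if extra_ports:
        findings.append(f"ports open beyond baseline: {extra_ports}")
    if not cfg.trusted_cert_only:
        findings.append("untrusted certificates accepted (baseline requires trusted CA)")

    return findings


def drifted_config():
    """Constructed example of a configuration that has degraded over time."""
    return DeviceConfig(
        authorized_group="Domain Users",
        encryption_enabled=False,
        allowed_ports={443, 5671, 23},
        trusted_cert_only=False,
    )


if __name__ == "__main__":
    print("baseline findings:", audit(HARDENING_BASELINE))
    for f in audit(drifted_config()):
        print("DRIFT:", f)
```

Run against the baseline, `audit` returns no findings; run against the drifted configuration it reports the broad group, three stale accounts, disabled encryption, the extra port and the certificate setting, which is the kind of list a hospital would walk through with the manufacturer's hardening guide after each software update.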
Cybercriminals only need one weak spot to infiltrate a network for nefarious purposes. To thwart their activity, manufacturers and hospitals need to team up and be clear about each other's roles and shared responsibilities in an end-to-end secure data environment.
Christophe Dore
Product Security Officer, Philips
Christophe Dore is a Product Security Officer at Philips, focusing on the products of the Capsule brand. Through a variety of roles including consultancy, sales, software development leadership, and product management, he has been helping organizations in several industries understand and position themselves against cybersecurity challenges since 1996, when he supported the development and deployment of the first web applications on the then-nascent Internet as an expert for NeXT Software, a company led by Steve Jobs.
Copyright © 2024 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.