LAS VEGAS – There is no question that medical device security is a top issue in today’s healthcare industry, especially as more providers are looking to implement connected devices.
All of the attention being given to medical device security pushed it to a key discussion at this year’s HIMSS conference, according to CynergisTek, Inc. co-founder and CEO Mac McMillan. And the reason so much attention is being given to this subject is because it is truly a huge industry issue, he explained.
For the most part, medical devices by definition right now are insecure, McMillan told HealthITSecurity.com.
“We’ve known that there are medical devices out there that are running on obsolete versions of operating systems that can’t be patched, or that have embedded passwords in the software code,” he explained. “Or maybe they don’t use a secure protocol in terms of communication, or they don’t encrypt the data, or maybe they don’t give the healthcare provider the ability to really truly control access or audit what goes on with that device.”
Not only is this potentially a risk to patients who wear a device or rely on it, but unsecured medical devices are also a potential risk to the provider’s network.
“These devices, are kind of unique in that they pose a risk not only to just general security around the network but to patient safety,” McMillan maintained.
Numerous federal organizations, including the FBI and the Department of Homeland Security, have been working for some time to improve medical device security and to ensure that organizations understand the implications of not doing so. More recently, the FDA has become more involved, releasing draft guidance that it said was to “inform industry and FDA staff of the Agency’s recommendations for managing postmarket cybersecurity vulnerabilities for marketed medical devices.”
It is critical that everyone recognizes the importance of strong medical device security as part of a larger cybersecurity plan, according to McMillan.
“Cybersecurity in and of itself is a big issue with everybody in healthcare right now, and everybody is recognizing that we just can’t continue to allow these devices to go on the way they have been. We need to do a better job.”
The recent FDA guidance is a small step forward, McMillan maintained, but it is a step in the right direction.
“It does give the medical device manufacturers something they need to pay attention to, with respect to how they need to develop those devices now [in relation to security]. But it’s not going to solve the problem.”
McMillan added that unfortunately, there’s probably nothing that the industry is doing right now that’s really going to completely solve the problem. This is mainly because most medical devices have anywhere from a 15-year to 20-year life span.
“That means that unless you’re going to go back and retrofit thousands and thousands of devices, even after we fix this, there’s going to be some period of time where we’re still going to have devices out there that pose a risk that aren’t going to be addressed,” he cautioned.
“It’s going to be a challenge and it’s going to be something that will take awhile for us to get where we need to be.”
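The device weaknesses McMillan lists (obsolete or unpatchable operating systems, embedded passwords, insecure protocols, unencrypted data, and no provider-controlled access or audit) are exactly the attributes a hospital can record in its device inventory and triage against, and because the devices themselves often cannot be changed for 15 to 20 years, the useful output is a compensating control on the network side rather than a fix on the device. The following is an added example, not code from the article, HealthITSecurity or CynergisTek; the inventory records, the unsupported-OS list, the cleartext-protocol list, the scoring weights and the tier thresholds are all constructed assumptions for a hypothetical hospital.

```python
"""Triage a connected-device inventory against the weaknesses named above.

Added example for illustration; it is not code from the article, HealthITSecurity
or CynergisTek. The inventory records, the unsupported-OS list, the protocol list
and the scoring weights are constructed assumptions for a hypothetical hospital.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed assumption: operating systems this hospital treats as out of support.
UNSUPPORTED_OS = {"Windows XP", "Windows 2000", "Windows Embedded Standard 2009"}

# Constructed assumption: protocols the inventory records as running without TLS.
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "dicom", "hl7-mllp"}

# Weights are an assumption; a higher weight means the issue dominates the score.
WEIGHTS = {
    "obsolete or unpatchable operating system": 3,
    "credentials embedded in device software": 3,
    "cleartext network protocol": 2,
    "data stored or sent without encryption": 2,
    "no provider-controlled access management": 2,
    "no audit trail of device activity": 1,
}


@dataclass
class Device:
    name: str
    os: str
    protocols: List[str]
    hardcoded_credentials: bool
    encrypts_data: bool
    provider_access_control: bool
    audit_logging: bool
    patchable: bool


@dataclass
class Finding:
    device: str
    issues: List[str] = field(default_factory=list)
    controls: List[str] = field(default_factory=list)
    score: int = 0
    tier: str = "monitor"


def assess(device: Device) -> Finding:
    """Map each weakness to a compensating control that lives off the device,
    since the device itself often cannot be patched or reconfigured."""
    f = Finding(device=device.name)

    def flag(issue: str, control: str) -> None:
        f.issues.append(issue)
        f.controls.append(control)
        f.score += WEIGHTS[issue]

    if device.os in UNSUPPORTED_OS or not device.patchable:
        flag("obsolete or unpatchable operating system",
             "isolate on a dedicated VLAN; permit only the peers it needs")
    if device.hardcoded_credentials:
        flag("credentials embedded in device software",
             "block remote management from the general network; log every login")
    if any(p.lower() in CLEARTEXT_PROTOCOLS for p in device.protocols):
        flag("cleartext network protocol",
             "front the protocol with TLS at a gateway; keep it inside the clinical segment")
    if not device.encrypts_data:
        flag("data stored or sent without encryption",
             "keep PHI flows inside the isolated segment; encrypt at the gateway")
    if not device.provider_access_control:
        flag("no provider-controlled access management",
             "enforce access at the network layer (NAC/firewall) instead of on the device")
    if not device.audit_logging:
        flag("no audit trail of device activity",
             "mirror its traffic to the SIEM so activity is recorded off-device")

    # Tier thresholds are an assumption used only to order remediation work.
    f.tier = "isolate" if f.score >= 8 else "restrict" if f.score >= 4 else "monitor"
    return f


def prioritize(devices: List[Device]) -> List[Finding]:
    """Return one finding per device, riskiest first."""
    return sorted((assess(d) for d in devices), key=lambda f: f.score, reverse=True)


# Constructed sample inventory; names and attributes are invented.
SAMPLE_DEVICES = [
    Device("infusion-pump-01", "Windows XP", ["telnet", "http"],
           hardcoded_credentials=True, encrypts_data=False,
           provider_access_control=False, audit_logging=False, patchable=False),
    Device("mri-console-02", "Windows 10", ["https", "dicom"],
           hardcoded_credentials=False, encrypts_data=True,
           provider_access_control=True, audit_logging=True, patchable=True),
    Device("patient-monitor-07", "Linux 4.x", ["https"],
           hardcoded_credentials=True, encrypts_data=True,
           provider_access_control=True, audit_logging=False, patchable=True),
]

if __name__ == "__main__":
    for finding in prioritize(SAMPLE_DEVICES):
        print(f"{finding.device}: score {finding.score} -> {finding.tier}")
        for issue, control in zip(finding.issues, finding.controls):
            print(f"  - {issue}: {control}")
```

Run as-is, the sample pump lands in the "isolate" tier with all six findings, the patient monitor in "restrict" (embedded credentials plus no audit trail), and the MRI console in "monitor" for its unencrypted DICOM link; the point of the tiering is that the oldest, unpatchable device gets a network-side control first rather than waiting on a vendor fix that may never come.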
The evolving CISO role and healthcare data security
Another key aspect to healthcare data security and privacy is how the CISO role has evolved, along with technology.
According to McMillan, even just a few years back the CISO was looked at as a technical individual who understood security. The individual’s focus was primarily on the technical aspects of security, such as the security architecture, firewalls, etc. It was not really thought of as a business position or as a strategic position within the organization.
“Today that’s very different. Today, because of what cybersecurity risk presents to an organization, that CISO can no longer afford to just be a technologist,” McMillan stated.
Individuals in that role now must understand the business and its risks, and they need to understand what their organization is trying to accomplish. From there, the CISO must be able to translate business needs into security requirements, and then push those forward in the organization in a way that supports its goals while also providing the right amount of asset protection.
“That’s one of our problems that we have today,” he warned. “We have far too many CISOs that are still just technically focused, and we have far too many CISOs that really don’t have those ‘higher level business skills.’”
It’s a much different role than what healthcare had in the past, he added.
“[Healthcare organizations] need a CISO who understands the business and understands how to figure out what kind of security they need in order to enable the things that they’re trying to do at the hospital, trying to do with patients, with the data in their systems.”
Prepping for the next round of OCR HIPAA audits
While it remains to be seen exactly when the next round of OCR HIPAA audits will take place in 2016, McMillan said that healthcare organizations need to be prepared.
Any time he or anyone he knows in the industry has spoken with OCR Deputy Director for Health Information Privacy Deven McGraw or her staff, the message has been that the audits are still coming.
“I know she’s working on the protocol, and I think she wants to make it better, make the process better,” McMillan said, adding that he’s unsure if the focus areas will change as the OCR wording has not changed.
However, it is still going to include both business associates and covered entities, he explained, and it’s going to be desk audits and comprehensive audits.
“For the desk audits, folks need to really focus on making sure they’ve done the things that they’re supposed to do, and they have those things documented. In the desk audit scenario, you’re going to produce documentation. You’re going to tell your story, literally in the documents that you present. So if they’re not accurate, if they’re not current, or right, you’re going to be measured by how good those documents are.”
For the comprehensive audits, McMillan maintained that organizations need to make sure that their facility is ready to go. The best way to do that is to just have a good, solid program.
“If you take care of security, if you take care of privacy, a compliance audit should not be a problem for you.”
What 2016 holds for healthcare cybersecurity
Third-party cyber attacks have definitely increased, according to McMillan. The cyber criminal element has figured out that healthcare is a very viable target, and the latest incidents have demonstrated that healthcare, unfortunately, is an attractive target to criminals.
Ransomware attacks, such as what happened to Hollywood Presbyterian Medical Center in California, have also increased.
“I think healthcare organizations need to understand that as these incidents are occurring more frequently, and they’re becoming publicized, that it is putting them at greater risk. The longer they take to respond and build a credible program and defenses to protect themselves against these things, the more they’re going to be at risk.”
Assuming that such an attack, or another type of data breach, will never happen to your organization is naïve, McMillan warned.
“Everyone is a potential victim today. Anybody connected to the internet. It could come at you from any direction.”
Whether it’s an employee clicking on a phishing email or a third-party provider with an unsecured connection, healthcare organizations need to take a full-on approach to security.
“We have to get serious about security or it’s really going to hurt the industry.”
In terms of overall compliance, though, McMillan was adamant that compliance alone is simply not enough for healthcare organizations. Covered entities must move beyond a compliance-only mindset.
“Compliance doesn’t protect our environment. Compliance doesn’t protect our business, it doesn’t protect our systems. It’s not going to do what we need it to do. We need to have a culture of security, of data protection. If we have that, compliance is just going to be a sideline, it’s going to happen naturally.”