Medical devices are woefully insecure. These hospitals and manufacturers want to fix that
Source: Washington Post / The Cybersecurity 202, by Joseph Marks, January 29, 2019
Medical devices — such as pacemakers, insulin pumps and MRI machines — are increasingly vulnerable to hacking. As of today, however, there’s no federal mandate for those devices to have cybersecurity protections.
A government-backed coalition of hospitals and medical device manufacturers took matters into their own hands on Monday. They released a 53-page “joint security plan” outlining a slew of low-hanging fruit protections manufacturers should implement and hospitals should demand.
The plan released by the Healthcare Sector Coordinating Council — a liaison on security issues between industry and government — won’t alone fix the cybersecurity problems plaguing the health-care industry. It effectively amounts to a voluntary to-do list for manufacturers.
Still, the council’s executive director Greg Garcia tells me it marks a sea change: Companies and hospitals are finally signaling they are willing to cooperate on fixing the problem, rather than saying it’s the other’s responsibility to fix.
“The big picture is this is truly a recognition that this is a shared responsibility,” Garcia told me. “The circular finger pointing should end.”
The plan is a sign the medical device industry and hospitals are unwilling to wait for Congress to catch up to the threats. Data theft and malware attacks have rocked the health-care industry in recent years, compromising patients’ data and even threatening their lives. The 2015 breach at health insurer Anthem compromised the information of nearly 80 million people, for example, while a 2017 wave of ransomware attacks locked up patient records at 16 UK hospitals, forcing them to divert patients who needed emergency care.
Cybersecurity researchers have also raised alarms about vulnerabilities in implantable medical devices that hackers could exploit to injure or even kill patients. Former vice president Dick Cheney famously had his internal pacemaker taken offline because of hacking fears.
Garcia himself acknowledges the new plan, which was drafted by about 60 medical organizations with the Mayo Clinic, the Food and Drug Administration and the medical device company BD in the lead, won’t fix these vulnerabilities right away.
Yet it does advise manufacturers to describe to hospitals precisely how they’ll scan for new cyber vulnerabilities in their devices, how they’ll patch them and when. Manufacturers should also tell hospitals how long they’ll support devices by patching newfound vulnerabilities and when hospitals should plan for those devices to reach the end of their usable lives, according to the plan.
It comes one month after the coordinating council and the Department of Health and Human Services released a separate guide, basically outlining hospitals’ cybersecurity responsibilities, including what they should expect from device manufacturers.
“This begins to resolve the tension between medical device makers and hospitals,” Garcia said, “because device makers have not been building security in over the past several years and, meanwhile, hospitals have not been doing enough to secure their broader networks.”
There are four big reasons cybersecurity is lagging in the health-care sector, Garcia told me.
First off, regulations including the Health Insurance Portability and Accountability Act, a major privacy law, put strict limits around third-party organizations accessing patient data. That makes it difficult for device manufacturers to reach into hospital systems that hold that data to patch and update their software with new protections.
But, second, hospitals are often underequipped to patch the devices themselves, because they lack ready cash and work with far tighter profit margins than banks or major telecommunications companies. That means many smaller hospitals can’t afford chief information security officers — let alone full cybersecurity teams.
Third, many medical devices such as MRI machines are built to last a decade or longer, which means that even if they’re built with cybersecurity in mind, they’ll be facing a whole new generation of hacking threats at the end of their life cycles.
Finally, criminal hackers started targeting health care later than other sectors, such as financial services, where stolen information could be converted more quickly into cash. When they did arrive, though, they came in force.
“Quite frankly, it caught a lot of the health-care sector flat-footed,” when that changed about seven years ago, Garcia told me. “It was a bit of a slow-motion ambush.”