24x7 Magazine: Medical Devices Require a New Level of Security

The medical devices millions of Americans depend on daily are shockingly vulnerable. According to a new report from the U.S. Government Accountability Office, 53 percent of connected medical devices and other Internet of Things (IoT) devices in hospitals have known vulnerabilities. We need a new definition of security for medical devices.

That’s the argument made by Brion Bailey, director of public sector business development at DSS, in a new editorial published by 24x7. Brion’s co-author is Carlos R. Aguayo Gonzalez, PhD, founder and chief technology officer of DSS partner company PFP Cybersecurity.

An astonishing one-third of health care IoT devices had an identified critical risk, potentially impacting the operation and function of the devices. The U.S. Department of Health and Human Services (HHS) has released research showing that the medical data of over 61 million Americans has been stolen or exposed in more than 400 cyberattacks over the past year. It’s estimated that the medical records of a third of all Americans – including millions of veterans – may have been exposed by the recent Change Healthcare ransomware attack earlier this year.

Addressing Hardware and Firmware Vulnerabilities

Current medical device security is software-centric, with clinical care for patients as the priority. Visibility of vulnerabilities in hardware components (such as chips, boards, and power supplies) and firmware is a growing concern. Facilities need to know in real-time when a device begins to act abnormally, whether due to a cyberattack, a supply chain counterfeit, or device degradation over time.

DSS and PFP Cybersecurity provide a new technology that can analyze device integrity without compromising device operation or connectivity. In a sense, it can provide biometric readings on medical technology itself, reporting on the health of devices protecting human health.

The ability to credential device integrity based on hardware and firmware Bill of Materials (BOMs) is critical to protecting medical devices from intrusion and unauthorized modifications, preventing patient harm and data loss. This new technology addresses a blind spot in existing IT asset management systems and provides data via APIs to these systems, ensuring comprehensive visibility of connected devices.

Achieving Effective Medical Cybersecurity

Our testing technology allows medical facilities and leaders to evaluate the risk profile of their networks. Improving medical cybersecurity doesn’t have to be a rip-and-replace initiative. Testing tools can highlight devices that have been compromised, have vulnerable components, or are showing degraded performance. For example, if 20 percent of IP cameras exhibit issues, those cameras can be segmented and replaced rather than the entire system.
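The two ideas above, checking a device's firmware against its Bill of Materials and then triaging a fleet so that only the failing devices are segmented, can be illustrated with a small script. This is an added example, not DSS or PFP code, and it makes a simplifying assumption: device integrity is modelled as comparing SHA-256 hashes of measured firmware components against a known-good BOM, with the component images, device names, and fleet all constructed inline. A real deployment would obtain the measurements from a trusted mechanism on the device and the BOM from the manufacturer.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample component images. A real BOM would carry
# vendor-published hashes rather than hashes of sample bytes.
_GOOD_IMAGES = {
    "bootloader": b"bootloader v1.2 (constructed sample)",
    "app_firmware": b"application firmware v3.0 (constructed sample)",
    "radio_firmware": b"radio module firmware v7 (constructed sample)",
}
FIRMWARE_BOM = {name: sha256_hex(img) for name, img in _GOOD_IMAGES.items()}


def check_device(measured: dict) -> list:
    """Compare measured component images against the BOM.

    Returns a list of (finding, component) tuples: a component may be
    "missing" (listed in the BOM but not present), "modified" (hash
    differs from the BOM), or "unexpected" (present but not in the BOM).
    An empty list means the device matches its BOM.
    """
    findings = []
    for comp, expected in FIRMWARE_BOM.items():
        if comp not in measured:
            findings.append(("missing", comp))
        elif sha256_hex(measured[comp]) != expected:
            findings.append(("modified", comp))
    for comp in measured:
        if comp not in FIRMWARE_BOM:
            findings.append(("unexpected", comp))
    return findings


def triage_fleet(fleet: dict) -> dict:
    """Summarise integrity results per device class.

    fleet: device_id -> {"class": str, "components": {name: bytes}}.
    Returns class -> {"total", "failing" (device ids), "fraction_failing"},
    so that only the failing devices are segmented and replaced rather than
    the whole class.
    """
    summary = {}
    for dev_id, info in fleet.items():
        cls = summary.setdefault(info["class"], {"total": 0, "failing": []})
        cls["total"] += 1
        if check_device(info["components"]):
            cls["failing"].append(dev_id)
    for cls in summary.values():
        cls["fraction_failing"] = len(cls["failing"]) / cls["total"]
    return summary


def build_sample_fleet() -> dict:
    """Constructed fleet: five IP cameras (one tampered) and two infusion
    pumps (one carrying an unlisted component)."""
    tampered = dict(_GOOD_IMAGES)
    tampered["app_firmware"] = _GOOD_IMAGES["app_firmware"] + b" + unauthorised change"
    extra = dict(_GOOD_IMAGES)
    extra["debug_agent"] = b"component not in the BOM (constructed sample)"

    fleet = {
        f"cam-{i:02d}": {"class": "ip_camera", "components": dict(_GOOD_IMAGES)}
        for i in range(1, 5)
    }
    fleet["cam-05"] = {"class": "ip_camera", "components": tampered}
    fleet["pump-01"] = {"class": "infusion_pump", "components": dict(_GOOD_IMAGES)}
    fleet["pump-02"] = {"class": "infusion_pump", "components": extra}
    return fleet


if __name__ == "__main__":
    for dev_class, result in triage_fleet(build_sample_fleet()).items():
        print(dev_class, result)
```

Running the script reports that one of five cameras (20 percent) fails its BOM check, so that single camera is the segmentation candidate, and that one pump carries a component the BOM does not list, which is the kind of supply-chain or unauthorised-modification signal the article describes.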

Some of the specific benefits of the new service offering to medical providers include:

  • Secure the Connected Network of Things: Compromised devices can impact direct patient care activities (e.g., IV pumps) and provide access to other connected systems.

  • Protect Data: Compromised devices could generate corrupted clinical data that impacts clinical decisions with devices that are interoperable with the electronic medical record.

  • 360 Degree Health: As health care innovation evolves and adopts broader remote patient monitoring/home health care capabilities, the requirement to create “hardened devices” that are less susceptible to intrusion will become foundational to standard operating procedures.

  • Zero Trust Model: Cybersecurity teams focused on accelerating defensive measures such as medical device patching and vulnerability detection will benefit from PFP capabilities that extend Zero Trust down to the individual chip, device, and system.

Despite their potentially life-saving role in patient care, medical devices have not historically been designed with security in mind. The current threat environment demands a new definition of hardware security that is at least as rigorous as the one applied to software.

DSS and PFP Cybersecurity can make this new level of security a reality. We stand ready to assist medical facilities with their regulatory compliance, legal liability, and basic patient safety challenges.
