Unfortunately, many healthcare organizations aren’t properly securing their medical devices, leaving them open to cyber attacks.
Read the white paper How to Secure Your Medical Devices.
Did you know attackers could gain access to your medical devices? I’m not talking about things like computers, but devices like MRI machines, dialysis machines, and medical ventilators. This leaves the criminals only a few steps away from access to your electronic medical records system. That’s when things start to get scary.
Attackers can even hijack these critical systems and hold them for ransom. Imagine someone threatening to shut down life support in a hospital. Scary, right? This makes medical device security critical to your organization.
There are a few problems in healthcare that lead to compromised medical devices. One problem lies with the device manufacturers. According to the FDA, manufacturers are responsible for securing their devices through various measures (user authentication, strong password protection, physical locks, etc.).
Unfortunately, some manufacturers may not take this responsibility seriously. Some limit their cyber security efforts due to time constraints or low budgets. For example, they may set a default password that can’t be changed on their device, making the manufacturing process easier, but also making the device more vulnerable.
As a result of manufacturers limiting cyber security options, the healthcare IT teams often don’t have access to a medical device’s system. This means they can’t install further security tools on these devices because most security tools don’t run within the medical device.
Another problem is the rise in social engineering and the lack of workforce training against it. Armed with the right credentials, a data thief can walk into a healthcare facility, gain access to a device, install malware or steal any information on that device, and walk out in a short amount of time without detection.
See also: Social Engineering Training: What Your Employees Should Know
See also: SecurityMetrics HIPAA Guide
If you have networked medical devices, you may have some HIPAA violations. These devices are potentially vulnerable to leaking data. Make sure you update your devices regularly and patch any existing vulnerabilities. These updates may take time, so plan ahead.
You’ll also want to make sure each device has a secure password, which should contain a minimum of ten characters and have numeric, alphabetic, and special characters. Remember, the more difficult the password, the longer it will take for an attacker to break it.
See also: How to Do Passwords Right: Password Management Best Practices
Consider buying medical devices only from vendors that value cybersecurity. Make sure you have devices where you can modify passwords.
Monitor physical access to medical devices. Also, be sure to train your workforce against social engineering since that’s becoming a common way for hackers to compromise medical devices.
You need to know the weaknesses in your security, and it’s difficult to find them all on your own. Some additional services you may want to consider are:
Designate a HIPAA compliance officer or team member. Lay out their responsibilities, and train workforce members in HIPAA.
To protect your PHI, you need to know where it is. Here are some common places PHI data may be stored:
You’ll want to conduct an annual HIPAA risk analysis to understand your organization’s vulnerabilities, risks, and threats. Identify your top weaknesses, and begin to resolve those issues.
Set some time aside to work on HIPAA compliance and security; keep it in the forefront of employees’ minds by holding regular training meetings.
See also: Implementing HIPAA: A 12-Month HIPAA Plan to Get Compliant
Today, we can’t afford to have vulnerable medical devices. Leaving these devices open to attack can cost you your data, your patients, and even your organization.
Making sure your medical devices are secure protects your PHI, your patients, and your organization from attackers. By following these four steps, you’re on your way to better protection and security.
For more information, read our white paper How to Secure Your Medical Devices.