Paul Hafen, Cybersecurity Expert at Impero Software
12.05.22
From submitting insurance claims, to the intricate machinery that monitors vital signs or assists in surgery, to entire hospital networks, technology is fully integrated into the healthcare landscape. Care providers rely on internet-connected tools every day, and each additional connected device widens the attack surface available to an adversary. In the face of these exposures, the National Institute of Standards and Technology (NIST) has developed guidance that the healthcare sector can use to reduce the risk of a successful attack.
Healthcare and Cybersecurity
The FBI issued a Private Industry Notification in September 2022 on unpatched and outdated medical devices; it cited research that found an average of 6.2 known cybersecurity vulnerabilities per device. The shortfall was attributed mainly to outdated software and hardware. Such devices leave gaps that let an attacker who reaches a hospital's network move on to its systems, make off with patients' personal and health information or, in extreme cases, endanger patients by altering a drug dose or falsifying readings.

Part of the problem is structural: many medical devices ship with standardized configurations, and a facility often has hundreds of them on a single network segment, so one weakness recurs across the whole fleet and one foothold reaches all of it. Devices also stay in clinical use for years after the vendor stops shipping security updates. They still do their medical job, but the software they run no longer receives fixes for known flaws, so the protection they have is whatever was built in when they were made.
What is the NIST and Why is it Significant to the Healthcare Industry?
NIST is a non-regulatory agency of the U.S. Department of Commerce and one of the nation's measurement and standards laboratories. Its mission is to promote innovation and industrial competitiveness by developing measurements, standards and technology, and its cybersecurity publications are written to be applied across industries, healthcare included.

The NIST Cybersecurity Framework organizes an organization's security activities into five Functions (concurrent areas of activity rather than sequential steps) which can be applied to numerous industries and verticals including healthcare. Here is a quick overview, taken from the Federal Trade Commission's (FTC) summary of what the Framework includes:
- Identify - Make a list of all equipment, software and data including laptops, smartphones, tablets and point-of-sale devices. Create a company cybersecurity policy.
- Protect – Control who logs into the network, use security software, employ encryption, backup data, update security software, dispose of devices properly and train the team.
- Detect – Monitor computers for unauthorized access, investigate unusual activity and check the network often.
- Respond – Have a plan for notifying customers and employees if a breach is detected. Report the attack, investigate and contain the threat, update the cybersecurity policy with lessons learned and prepare for inadvertent events that might put data at risk.
- Recover – After a cyberattack, repair and restore equipment and the network. Keep employees and customers informed and updated about the planned response.
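The device problems described above (stale firmware, fleets of identical devices sharing one segment) are exactly what the Identify and Protect functions are meant to surface. The following is an added example, not code from the original article or from Impero Software: it triages a constructed inventory, reports the metric the FBI notice cites (average known vulnerabilities per device), flags unsupported or stale firmware and medical devices placed on a general-purpose segment, and maps each finding to a Framework function. The devices, model names, VLAN names and the one-year patch threshold are all hypothetical.

```python
"""Inventory-driven triage of networked medical devices.

Added example, not code from the original article or from Impero Software.
Every device, model name, VLAN name and policy threshold below is
hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    is_medical: bool        # clinical device (pump, monitor, imager) vs. ordinary IT
    firmware: str
    last_patched: date      # date the last vendor security update was applied
    vendor_supported: bool  # vendor still ships security updates for this firmware
    vlan: str               # network segment the device is connected to
    known_vulns: int        # count of unpatched, publicly known vulnerabilities


# Constructed sample inventory; model names are made up, not real products.
INVENTORY = [
    Device("pump-01", "InfusionPump-A", True, "3.1.0", date(2019, 4, 2), False, "clinical", 9),
    Device("monitor-07", "VitalsMonitor-B", True, "5.2.1", date(2022, 8, 15), True, "clinical", 2),
    Device("mri-02", "Imager-C", True, "1.0.4", date(2017, 11, 30), False, "default", 12),
    Device("ws-billing-3", "Workstation", False, "22H2", date(2022, 10, 1), True, "office", 1),
    Device("pump-02", "InfusionPump-A", True, "3.4.0", date(2022, 9, 20), True, "clinical", 1),
]

ASSESSMENT_DATE = date(2023, 1, 15)  # hypothetical date the assessment is run
MAX_PATCH_AGE_DAYS = 365             # hypothetical policy: patch at least yearly
CLINICAL_VLANS = {"clinical"}        # segments reserved for medical devices


def average_vulns(devices):
    """The headline metric from the FBI notice: known vulnerabilities per device."""
    return round(sum(d.known_vulns for d in devices) / len(devices), 1)


def outdated(devices, today):
    """Identify: devices whose vendor no longer patches them, or that have
    gone longer than policy allows without a security update."""
    return [
        d.name for d in devices
        if not d.vendor_supported
        or (today - d.last_patched).days > MAX_PATCH_AGE_DAYS
    ]


def misplaced(devices):
    """Protect: medical devices on a segment shared with ordinary IT.
    One compromised workstation there can reach every device on the VLAN."""
    return [d.name for d in devices if d.is_medical and d.vlan not in CLINICAL_VLANS]


def fleet_exposure(devices):
    """Identify: fleets use standardized setups, so one firmware weakness
    recurs in every device of the same model. Returns model -> device count."""
    counts = {}
    for d in devices:
        if d.is_medical:
            counts[d.model] = counts.get(d.model, 0) + 1
    return counts


def action_plan(devices, today):
    """Turn findings into (device, Framework function, action) tuples."""
    stale = set(outdated(devices, today))
    off_segment = set(misplaced(devices))
    plan = []
    for d in devices:
        if d.name in off_segment:
            plan.append((d.name, "Protect", f"move off VLAN '{d.vlan}' onto a clinical segment"))
        if d.name in stale and d.vendor_supported:
            plan.append((d.name, "Protect", "apply the vendor's pending security update"))
        elif d.name in stale:
            # No patch will ever arrive: compensate with isolation and monitoring.
            plan.append((d.name, "Protect", "allow-list traffic to the few peers it needs"))
            plan.append((d.name, "Detect", "alert on any connection outside that allow-list"))
    return plan


if __name__ == "__main__":
    print(f"average known vulnerabilities per device: {average_vulns(INVENTORY)}")
    print("outdated:", outdated(INVENTORY, ASSESSMENT_DATE))
    print("misplaced:", misplaced(INVENTORY))
    print("fleet exposure:", fleet_exposure(INVENTORY))
    for name, function, action in action_plan(INVENTORY, ASSESSMENT_DATE):
        print(f"[{function}] {name}: {action}")
```

The point of the `action_plan` split is the one the article makes about long-lived devices: when the vendor still supports the firmware the fix is a patch (Protect), but when support has ended no patch will come, so the only options are to isolate the device and watch it (Protect plus Detect). In a real deployment the inventory would come from a network discovery or CMDB export rather than a literal list.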
What is the Difference Between NIST and ISO/IEC 27001?
The International Organization for Standardization (ISO) is a non-governmental international body that develops and publishes standards across industries. ISO/IEC 27001, published jointly by ISO and the International Electrotechnical Commission (IEC), is the standard for information security management systems. The two frameworks overlap heavily in the controls and practices they describe, but they differ in one practical respect: ISO/IEC 27001 is a certifiable standard, so an accredited auditor can attest that an organization conforms to it, whereas the NIST Cybersecurity Framework is voluntary guidance with no certification scheme behind it.

Does the FDA Require Security Scans of Medical Devices?
At the time of writing, the U.S. Food & Drug Administration (FDA) does not require security scans of medical devices. However, the Security Rule issued under the Health Insurance Portability and Accountability Act (HIPAA), which the U.S. Department of Health and Human Services (HHS) administers and enforces, does impose obligations on healthcare entities. The Security Rule states that they must:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit.
- Identify and protect against reasonably anticipated threats to the security or integrity of the information.
- Protect against reasonably anticipated, impermissible uses or disclosures.
- Ensure compliance by their workforce.
NIST recently revised its guidance for the healthcare sector on implementing the HIPAA Security Rule (NIST Special Publication 800-66), which is why NIST material is becoming so significant to healthcare tools and providers. The guidance is not itself the law: the HIPAA Security Rule is what a covered entity must comply with, and NIST's publication shows how to go about it.
NIST Secure
Today's medical landscape is built on technological advances and innovations. However, with advanced care rooted in technology comes the risk of a cyberattack. The average number of vulnerabilities per device cited in the FBI's notice demonstrates the critical importance of adopting a framework for reducing the likelihood and impact of an attack. NIST's five Functions are a good place to start in making sure that medical devices and networks are protected as well as they can be and that the organization meets the HIPAA Security Rule.

For over 20 years Paul Hafen has worked on cyber security projects with senior leaders of IT and Security. Hafen's experience spans many industries, including Financial Services, Technology, Entertainment, Healthcare, Education and more. Hafen consults on defense-in-depth strategies so organizations can secure their important assets.