Recent updates from the FDA on securing network-connected medical devices show that there is a growing concern for security surrounding the medical industry. Hospital networks, medical devices, and other critical infrastructure are all at risk. An article from Threatpost.com last week covered the Kaspersky Lab Security Analyst Summit, in which a researcher from Kaspersky Lab was able to breach a Moscow hospital network. What did he find? According to the article, “…a shocking array of open doors on the network and weaknesses in medical devices and applications crucial not only to the privacy of patients but also their physical well-being.”
While this may or may not be surprising, I do find it concerning that security appears to be an afterthought for the medical device industry. Protecting patient information, ensuring wearable medical technology is secure and shoring up defenses for medical devices should be paramount. As FierceMobile Healthcare predicted in late-December 2015, the Internet of Things will play an increased role in healthcare in 2016. Security should be incorporated at the start of the process, rather than strapping it on at the end and hoping that the security features do their job. By working security into the process, medical device manufacturers are taking the time to ensure software and applications within these devices are developed using secure standards, as this one proposed by the IEEE.
In the previous example of the Moscow hospital network, backdoors, vulnerable software, and poorly secured configurations – all can be mitigated with regular vulnerability management. Instituting scans, remediation plans, mitigating vulnerabilities, and patching out of date software are all part of a robust vulnerability management program. This type of program makes your organization more proactive, rather than reactive. Planning for routine updates and fixes to your devices will keep your patient and data safe.
It is good business and best practice to secure medical devices, hospital networks, and patient healthcare information. It is also important for medical device manufacturers to understand their vulnerabilities to know where you stand. If your organization hasn’t conducted a security assessment to review your security program, that would be the place to start. With a roadmap in hand, your next step is to begin identifying and remediating the risks. Where are your gaps? Do you have a vulnerability management program? Do you know what medical devices connect to your network regularly? All of these questions will help you develop a stronger security program.
How CyberSheath Can Help You Manage Your Risk
Taking the defense-in-depth approach to securing your network is effective at managing risks. In order to manage these risks, a picture of your network must first be obtained. Whatever your security needs are, CyberSheath can assist you along the way. From conducting an information security assessment to building a security program, let us help you secure your data.