How hospitals can help improve medical device data security

COMMENT

Hospitals and medical device manufacturers must work together to help create a secure environment to protect personal health information derived from patient monitors and other medical devices.

For some time, this notion of shared responsibility for data security has been recognized as a best practice in the broader technology industry. For example, many cloud providers follow this model to define the mutual security obligations of cloud providers and their customers.

A similar pattern has emerged in the healthcare industry, where medical researchers, developers and regulatory bodies agree that cybersecurity is, in fact, a shared responsibility. This means that medical device manufacturers, hospital software vendors, and healthcare organizations must work together to protect patient information and medical device systems from the activities of cybercriminals.

Understanding roles in medical device data security

The United States FDA requires medical device manufacturers and software vendors to follow a process called security by design, which advocates building certain controls into a product so that hospitals can implement and use them securely.

Features such as configurable encryption, secure login pages, and user authentication requirements are examples of how manufacturers integrate security into their products. These security features in product design often require hospitals to take action to activate them and keep them working.

Let’s consider the example of product access control. Typically, a device manufacturer or software vendor implements access controls on product functionality by verifying, or authenticating, the identity of a clinical user. By querying the hospital’s Active Directory service with the appropriate credentials and protocols, the product can determine whether the user belongs to a group that its configuration recognizes.

Only the healthcare organization can identify which users are authorized to access the system and configure the product appropriately. Using an inappropriate group, allowing access to too many users, or being negligent in maintaining an up-to-date directory can expose your network to unnecessary risk.
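The group-membership check described above, written out as an added example rather than any vendor's code. The directory below is a constructed in-memory stand-in for an Active Directory lookup, the product roles and group names are hypothetical, and the example also flags the failure mode the text warns about: mapping a role to an overly broad group, or leaving a departed user's account in the directory.

```python
"""Access-control decision for a hypothetical patient-monitoring product.
The product is configured with the directory groups it recognizes; at login
it checks the authenticated user's directory record against that
configuration and denies by default."""
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample of what a directory lookup might return. A real
# deployment would query Active Directory over LDAP/Kerberos; this is a stand-in.
DIRECTORY = {
    "nurse.lee":    {"groups": {"ICU-Clinicians", "Domain Users"}, "enabled": True},
    "dr.okafor":    {"groups": {"ICU-Clinicians", "Attending-Physicians", "Domain Users"}, "enabled": True},
    "contractor1":  {"groups": {"Domain Users"}, "enabled": True},
    "former.staff": {"groups": {"ICU-Clinicians", "Domain Users"}, "enabled": False},
}

# Groups so broad that mapping a product role to them is a misconfiguration
# (the "using an inappropriate group" failure mode).
OVERLY_BROAD_GROUPS = {"Domain Users", "Everyone", "Authenticated Users"}


@dataclass
class ProductConfig:
    # product role -> directory groups that may hold it (set by the hospital)
    role_groups: dict[str, set[str]] = field(default_factory=dict)


def config_warnings(config: ProductConfig) -> list[str]:
    """Flag roles mapped to overly broad groups before the product goes live."""
    return sorted(
        f"role '{role}' is granted to broad group '{g}'"
        for role, groups in config.role_groups.items()
        for g in groups
        if g in OVERLY_BROAD_GROUPS
    )


def authorize(username: str, requested_role: str, config: ProductConfig,
              directory=DIRECTORY) -> tuple[bool, str]:
    """Return (allowed, reason). Requires an enabled account that is in at
    least one group mapped to the requested role; anything else is denied."""
    record = directory.get(username)
    if record is None:
        return False, "unknown user"
    if not record["enabled"]:
        return False, "account disabled"
    allowed_groups = config.role_groups.get(requested_role, set())
    if not allowed_groups:
        return False, f"role '{requested_role}' not configured"
    matched = record["groups"] & allowed_groups
    if not matched:
        return False, "user not in any group mapped to role"
    return True, f"via group {sorted(matched)[0]}"


if __name__ == "__main__":
    good = ProductConfig({"view_vitals": {"ICU-Clinicians"},
                          "change_alarm_limits": {"Attending-Physicians"}})
    bad = ProductConfig({"view_vitals": {"Domain Users"}})
    print("config warnings:", config_warnings(bad))
    for user, role in [("nurse.lee", "view_vitals"),
                       ("nurse.lee", "change_alarm_limits"),
                       ("former.staff", "view_vitals"),
                       ("contractor1", "view_vitals")]:
        print(user, role, authorize(user, role, good))
```

The point of the split is that the vendor ships `authorize` and `config_warnings`, but only the hospital can fill in `ProductConfig` correctly and keep the directory current; `former.staff` is still in the clinical group and would get in if the account had not been disabled.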

Mobile and cloud-based applications also require shared responsibility. Hospitals must ensure browsers and mobile devices are updated with security features enabled to enhance manufacturer cloud-based security controls, such as multi-factor authentication.

Therefore, to facilitate secure product deployment, medical equipment manufacturers must incorporate security controls using proven algorithms and designs driven by the security-by-design process. At the same time, hospitals have their own share of responsibility and activity to ensure that the product is used securely.

With multiple products deployed across their facilities, it can be difficult for IT leaders to know how to proceed. For security measures to be effective, hospitals and manufacturers must work together to determine what will best meet the hospital’s needs. Every hospital has processes and procedures to protect its IT infrastructure, and these extend to all products within a system.

Before a hospital deploys a device, its manufacturer must be transparent about the security features the hospital can use, as well as its expectations of the hospital environment. Hospitals, in turn, should ask about these security features and determine whether they meet their expectations.

How do hospitals know their role?

Manufacturers usually help hospitals understand how to optimize the security of medical data. They often provide clinical users and system administrators with information and guidance such as the Manufacturer Disclosure Statement for Medical Device Security (MDS2), software bills of materials (SBOMs), hardening guides, and other security guidance materials.

These documents provide step-by-step templates that healthcare providers can follow to do their part in protecting medical device data from intrusion. Recommended steps may include limiting access to specific personnel, securing connections between systems using network segmentation and restricted ports, using trusted certificates to verify the identity of medical devices and of the systems receiving clinical data, and other actions specific to the hospital network.

Manufacturers’ product documentation and guides tell hospitals how to leverage the built-in security features of a medical device or software for optimal use. It is important to review these guides whenever a new version of a product or software is released because advanced security controls may require additional measures, such as updated encryption configurations or new private keys.

Additionally, it is not uncommon for security controls, such as system access requirements or password policies, to weaken over time as clinical users make configuration or access changes. Use these guides regularly to check that your current security configuration is still effective.
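One way to turn a hardening guide into the regular check the paragraph recommends is a configuration-drift comparison. The example below is added here and is not from any manufacturer's guide: the baseline, the setting names and the drifted snapshot are all constructed for a hypothetical patient-monitor gateway, and the comparison kinds (`min`, `max`, `eq`, `subset`) are an assumed way of encoding what a guide expresses in prose.

```python
"""Compare a device's current security settings against the baseline taken
from the manufacturer's hardening guide and report every deviation.
All data below is constructed sample data for a hypothetical gateway."""

# Constructed baseline. Each setting maps to (comparison, expected value):
#   "min"    current must be >= expected
#   "max"    current must be <= expected
#   "eq"     current must equal expected
#   "subset" current may only contain items from the expected set
BASELINE = {
    "password_min_length":      ("min", 12),
    "session_timeout_minutes":  ("max", 15),
    "tls_min_version":          ("min", 1.2),
    "local_admin_accounts":     ("max", 1),
    "open_tcp_ports":           ("subset", {443, 2575}),
    "audit_logging":            ("eq", True),
    "firmware_signature_check": ("eq", True),
}

# Constructed snapshot of settings that drifted after a year of clinical use:
# a shorter password policy, a longer timeout, extra admin accounts, telnet
# opened for a support session, and one setting no longer present at all.
CURRENT = {
    "password_min_length": 8,
    "session_timeout_minutes": 60,
    "tls_min_version": 1.2,
    "local_admin_accounts": 3,
    "open_tcp_ports": {443, 2575, 23},
    "audit_logging": True,
}


def _compliant(rule, current) -> bool:
    kind, expected = rule
    if kind == "min":
        return current >= expected
    if kind == "max":
        return current <= expected
    if kind == "eq":
        return current == expected
    if kind == "subset":
        return set(current) <= set(expected)
    raise ValueError(f"unknown comparison {kind!r}")


def find_drift(baseline, current) -> list[tuple]:
    """Return (setting, rule, actual) for every baseline setting that is
    missing or fails its rule, sorted by setting name. A missing setting is
    reported as "MISSING" rather than skipped, because "not configured" is
    usually the weak state."""
    drift = []
    for setting, rule in baseline.items():
        if setting not in current:
            drift.append((setting, rule, "MISSING"))
        elif not _compliant(rule, current[setting]):
            drift.append((setting, rule, current[setting]))
    return sorted(drift, key=lambda d: d[0])


def drift_report(baseline, current) -> list[str]:
    """Human-readable lines, one per deviation, for a ticket or audit log."""
    return [f"{setting}: expected {kind} {expected!r}, found {actual!r}"
            for setting, (kind, expected), actual in find_drift(baseline, current)]


if __name__ == "__main__":
    for line in drift_report(BASELINE, CURRENT):
        print(line)
```

Re-run this each time the hardening guide is revised (the text notes that new product versions may add controls) by updating `BASELINE`; the snapshot side would come from the device's export or management interface rather than a hand-written dictionary.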

Cybercriminals only need one weak point to infiltrate a network for nefarious purposes. To combat their activity, manufacturers and hospitals must collaborate and be clear about each other’s roles and shared responsibilities in a secure end-to-end data environment.


