SlideShare a Scribd company logo
1 of 9
Download to read offline
HOW TO SECURE
YOUR MEDICAL DEVICES
ARE YOUR MEDICAL
DEVICES BEING HACKED?
White Paper
© 2016 SecurityMetrics
HOW TO SECURE YOUR MEDICAL DEVICES | 1
HOW TO SECURE
YOUR MEDICAL DEVICES
ARE YOUR MEDICAL DEVICES BEING HACKED?
INTRODUCTION
Attackers are increasingly targeting medical
devices; the reason—PHI. This attack is called
medical device jacking or medjacking.
Targeted medical devices consist of four types:
1.	 Consumer health monitoring (e.g.,
FitBits, smart watch, etc.)
2.	 Wearable (e.g., portable insulin pumps,
continuous glucose monitor, etc.)
3.	 Embedded (e.g., pacemakers,
defibrillators, etc.)
4.	 Stationary (e.g., MRI machines, CT
scanners, etc.)
Vulnerabilities have existed within many
medical devices for years, but recently there
have been increased attacks and awareness
of these vulnerabilities. For example, the
U.S. Food and Drug Administration (FDA)
announced yet another medical device
vulnerability, this time with a widely used
infusion pump.
HOW TO SECURE YOUR MEDICAL DEVICES | 2
DANGERS OF MEDICAL DEVICES
The FDA said medical devices “can be vulnerable to
security breaches, potentially impacting the safety and
effectiveness of the device.”
Although internally embedded medical devices like pace-
makers can be hacked, most attackers are more interested
in stealing large amounts of patient data. Medical data
(e.g., social security numbers, insurance information, etc.)
is worth 10 times more than credit card data.
Not only do these vulnerabilities exist, but they will
increasingly grow worse as more and more devices
become interconnected. For example, stationary medical
devices are often connected via Wi-Fi or Ethernet, but in
some cases, they can connect to a business associate.
In general, stationary medical devices are the most at risk
because within a few steps, criminals can gain access to
electronic medical records (EMR) systems. The following
are common stationary medical devices:
•	 Medical x-ray scanner
•	 MRI machine
•	 CT scanners
•	 Chemotherapy dispensing stations
•	 Dialysis machines
•	 LASIK surgical machines
•	 Homecare cardio-monitoring
•	 Bedside infusion pump
•	 Anesthesia apparatuses
•	 Medical ventilators
•	 Picture archiving and communication system
•	 Blood gas analyzer
MEDICAL DATA
IS WORTH
10 TIMES
MORE THAN
CREDIT CARD DATA.
HOW TO SECURE YOUR MEDICAL DEVICES | 3
HOW DO MEDICAL DEVICES GET
COMPROMISED?
Medjacking attacks are designed to quickly infiltrate
medical devices, establish control, and then use them
as pivot points to compromise and exfiltrate data from
across the healthcare organization. Once an attacker gets
into the network and bypasses existing security, they can
infect a medical device and establish a backdoor within
the device for later access.
Why does this problem exist? It starts with manufacturing.
According to the FDA, manufacturers are responsible for
“remaining vigilant about identifying risks and hazards
associated with their medical devices, including risks
related to cybersecurity.”
Medical device manufacturers are supposed to take
responsibility for securing their devices with appropriate
security controls (e.g., user authentication, strong pass-
word protection, physical locks, card readers). They should
also develop strategies for active security protection and
“timely deployment of routine, validated security patches
and methods to restrict software or firmware updates to
authenticated code.”
Unfortunately, most manufacturers don’t take this
responsibility seriously.
Some medical device manufacturers limit their cyber-
security efforts due to low budgets or time-require-
ments, necessitating the use of open source code for
security solutions. Joshua Corman, CTO at Sonatye,
describes this process as “a shared attack surface
and a shared risk” across the manufacturing sphere.
The problem is healthcare IT teams typically don’t have
access to a medical device’s system. Users can’t install
further security tools on network connected medical
device systems because most security tools don’t run
within the actual medical device. Also, any software
applied by the entity might be considered tampering with
the device and have a negative impact on FDA approval.
HOW TO SECURE YOUR MEDICAL DEVICES | 4
HOW TO PREVENT MEDJACKING
The ongoing responsibility of managing patient data
throughout an organization requires an organized ap-
proach to risk management. As the guardian of patient
data, it’s up to each healthcare organization to learn
and understand the basic features of their IT assets and
medical devices, what security mechanisms are in place,
and how to use them.
STEP ONE: FIX CURRENT MEDICAL DEVICES
If you have networked medical devices, prepare for the
worst. You likely have HIPAA violations on your hands
because these devices are potentially vulnerable to
leaking patient data. If there are any known vulnerabili-
ties, remediate your existing devices immediately. Con-
tact medical device manufacturers to find any required
updates or available patches. Add this to your policies
and document everything.
Software and hardware updates take time. Plan ahead
for ways to integrate all necessary fixes provided by the
medical device manufacturer. Once again, make sure you
document all of your manufacturers’ changes.
Make sure all medical devices have a secure password.
Secure passwords should have a minimum of eight char-
acters, and must contain numeric, alphabetic, and special
characters. In practice, the more character formats used,
the more difficult a password will be to guess. This also
applies to attackers trying to use a brute force applica-
tion to obtain a password: the longer and more complex
the password, the longer it will take to discover.
HOW TO SECURE YOUR MEDICAL DEVICES | 5
STEP TWO: REVISE YOUR PROCESS
Most importantly, consider only buying
from medical device vendors that value
cybersecurity. Some device manufacturers
favor passwords built into the system that
can’t be changed. When making purchase
decisions, you should be able to modify
your own passwords. Vendors should also
offer frequent updates on their systems
and be willing to conduct quarterly reviews
on their systems.
Manage physical access to medical
devices, if possible. Medical devices
with USB ports are particularly prone to
compromise and additional procedures for
these devices (such as strict rules for used
USBs) are a must. For example, employees
should never use USB sticks found on the
ground or lying around the facility.
If devices no longer receive manufacturers’
updates, get rid of them. It’s better to be
safe than risk patient data being stolen.
Remember in the disposal process to
securely erase or destroy any patient data
on these devices.
Limit access to PHI by segmenting devices
inside your network. Protect these devices
with strict firewall rules allowing access
to only specific services and IP addresses.
Train your employees at least annually.
One of your organization’s biggest weak-
nesses can be your workforce because
they don’t understand their responsibility
to protect PHI and medical devices. Train
them about social engineering and how
often individuals pose as janitors, IT, new
hires, or fake nurses to access patient data.
SEGMENT
DEVICES INSIDE
YOUR NETWORK TO
LIMIT
ACCESS
TO PHI.
In your social engineering training, teach
employees to:
•	 Challenge strangers
•	 Verify their identification
•	 Never use USB thumb drives found
around the premises
•	 Always wear an identification badge
Ensure you protect your patient’s data.
You need to adequately document where
PHI enters your environment, what hap-
pens once PHI enters, where it’s stored,
and how it exits your organization. Then
you need to implement the necessary
encryption, industry best practice is to use
AES-128, Triple DES, AES-256, or better.
HOW TO SECURE YOUR MEDICAL DEVICES | 6
STEP THREE: UNDERSTAND YOUR SECURITY STATUS
It’s difficult, if not impossible to find every weakness in your
organization on your own. To take your security to the next
level and to avoid weaknesses in your IT system, consider
implementing additional services such as:
•	 Internal and external vulnerability scans—automated
testing for weaknesses inside and outside your network
•	 Penetration tests—live, hands-on testing of your
system’s weaknesses and vulnerabilities
•	 Gap analysis—consultation on where your gaps in
security and compliance exist and what steps need
to occur next
•	 Intrusion Detection Systems/Intrusion Prevention
Systems (IDS/IPS)—a monitoring system for network
security appliances and report malicious activity
•	 File Integrity Monitoring (FIM)—a way of checking
software, systems, and applications in order to warn of
potential malicious activity
HOW TO SECURE YOUR MEDICAL DEVICES | 7
STEP FOUR: IMPLEMENT HIPAA COMPLIANCE
If you haven’t already, designate a HIPAA compliance
officer or team member. Clearly and specifically lay out
their responsibilities, as well as for anyone involved with
HIPAA compliance.
Privacy and security concerns are key when it comes to
HIPAA, but it’s also important to be sure your organization
as a whole is protected. It’s critical to ensure all systems
containing patient data is protected. Here are common
places data is stored intentionally and unintentionally:
•	 EHR/EMR systems
•	 Databases
•	 Workstations
•	 Filing cabinets
•	 Servers
•	 Laptops
•	 Security appliances
•	 Email system
•	 Data warehouse
•	 Files shares
•	 Ticketing systems
•	 Mobile devices (i.e., smart phones, tablets)
Conduct an annual HIPAA Risk Analysis. A Risk Analysis
helps you to know your vulnerabilities, threats, and risks.
The HHS states, “Conducting a Risk Analysis is the first
step in identifying and implementing safeguards that
comply with and carry out the standards and implemen-
tation specifications in the Security Rule. Therefore, a Risk
Analysis is foundational.” Start by identifying your organi-
zation’s top weaknesses, and begin to resolve these issues,
and then repeat the process for medium and low risks.
Set aside time either daily or weekly to work on HIPAA
compliance and security. Keep HIPAA in the forefront of
employees’ minds by holding regular training about PHI
security practices.
IF YOUR MEDICAL
DEVICES AREN’T SECURE
YOUR ORGANIZATION
IS NOT
HIPAA COMPLIANT.
HOW TO SECURE YOUR MEDICAL DEVICES | 8
CONCLUSION
Update all medical devices with any available security
patches. Work with manufacturers at least once a quarter
to make sure your device is secure. If you haven’t already,
start HIPAA compliance and protect your patient’s data.
Don’t let obstacles stop your progress on the security
and compliance journey. Make securing medical devices
a standard procedure after they get fixed. This process
helps protect your organization and your patient’s data
from getting hacked.
HOW VULNERABLE IS
YOUR PATIENT DATA?
Join over 800,000 organizations and let
SecurityMetrics help protect your patient data.
consulting@securitymetrics.com
801.705.5656

More Related Content

What's hot

Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudySophiaPalmira
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverThe Security of Things Forum
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentdata brackets
 
[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device securityOWASP
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?Stephen Cobb
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsEMMAIntl
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber riskStephen Cobb
 
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ..."Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...Health IT Conference – iHT2
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessmentdata brackets
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comPrescottLunt384
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comPrescottLunt386
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follAISHA232980
 
Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle ManagementBarry Caplin
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices FrameworkSujata Raskar
 

What's hot (20)

Network Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case StudyNetwork Connected Medical Devices - A Case Study
Network Connected Medical Devices - A Case Study
 
Healthcare Cyber Security Webinar
Healthcare Cyber Security WebinarHealthcare Cyber Security Webinar
Healthcare Cyber Security Webinar
 
Securing the Fog
Securing the FogSecuring the Fog
Securing the Fog
 
Patient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and EvolverPatient Centric Cyber Monitoring with DocBox and Evolver
Patient Centric Cyber Monitoring with DocBox and Evolver
 
Secure your Space: The Internet of Things
Secure your Space: The Internet of ThingsSecure your Space: The Internet of Things
Secure your Space: The Internet of Things
 
EHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample documentEHR meaningful use security risk assessment sample document
EHR meaningful use security risk assessment sample document
 
[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security[Wroclaw #6] Medical device security
[Wroclaw #6] Medical device security
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?
 
Understanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and ApplicationsUnderstanding Cybersecurity in Medical Devices and Applications
Understanding Cybersecurity in Medical Devices and Applications
 
How to assess and manage cyber risk
How to assess and manage cyber riskHow to assess and manage cyber risk
How to assess and manage cyber risk
 
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ..."Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
"Case Studies from the Field: Putting Cyber Security Strategies into Action" ...
 
HIPAA HiTech Security Assessment
HIPAA HiTech Security AssessmentHIPAA HiTech Security Assessment
HIPAA HiTech Security Assessment
 
Csec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.comCsec 610 Inspiring Innovation--tutorialrank.com
Csec 610 Inspiring Innovation--tutorialrank.com
 
Cyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.comCyb 610 Inspiring Innovation--tutorialrank.com
Cyb 610 Inspiring Innovation--tutorialrank.com
 
HIPAA security risk assessments
HIPAA security risk assessmentsHIPAA security risk assessments
HIPAA security risk assessments
 
Cyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the follCyb 690 cybersecurity program template directions the foll
Cyb 690 cybersecurity program template directions the foll
 
Incident Response
Incident Response Incident Response
Incident Response
 
Security Lifecycle Management
Security Lifecycle ManagementSecurity Lifecycle Management
Security Lifecycle Management
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
Application security Best Practices Framework
Application security   Best Practices FrameworkApplication security   Best Practices Framework
Application security Best Practices Framework
 

Similar to How to Secure Your Medical Devices

Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesHealthegy
 
Best_practices-_Access_controls_for_medical_devices (1).pdf
Best_practices-_Access_controls_for_medical_devices (1).pdfBest_practices-_Access_controls_for_medical_devices (1).pdf
Best_practices-_Access_controls_for_medical_devices (1).pdfJacob Li
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidancePam Gilmore
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceThe FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceValdez Ladd MBA, CISSP, CISA,
 
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...IT Network marcus evans
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningBlack Duck by Synopsys
 
5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective
5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective
5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity PerspectiveEMMAIntl
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxArti Parab Academics
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Hybrid Cloud
 
Securing Mobile Healthcare Application
Securing Mobile Healthcare ApplicationSecuring Mobile Healthcare Application
Securing Mobile Healthcare ApplicationCitiusTech
 
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesDispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesConference Panel
 
Why healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfWhy healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfSparity1
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsESET North America
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsKristie Allison
 
security and privacy for medical implantable devices
security and privacy for medical implantable devicessecurity and privacy for medical implantable devices
security and privacy for medical implantable devicesAjay Ohri
 

Similar to How to Secure Your Medical Devices (20)

Breakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical DevicesBreakout Session: Cybersecurity in Medical Devices
Breakout Session: Cybersecurity in Medical Devices
 
Cybersecurity in Medical Devices
Cybersecurity in Medical DevicesCybersecurity in Medical Devices
Cybersecurity in Medical Devices
 
Best_practices-_Access_controls_for_medical_devices (1).pdf
Best_practices-_Access_controls_for_medical_devices (1).pdfBest_practices-_Access_controls_for_medical_devices (1).pdf
Best_practices-_Access_controls_for_medical_devices (1).pdf
 
THE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity GuidanceTHE FDA and Medical Device Cybersecurity Guidance
THE FDA and Medical Device Cybersecurity Guidance
 
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity GuidanceThe FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
The FDA - Mobile, and Fixed Medical Devices Cybersecurity Guidance
 
MobileSecurity WhitePaper
MobileSecurity WhitePaperMobileSecurity WhitePaper
MobileSecurity WhitePaper
 
Cyber security
Cyber securityCyber security
Cyber security
 
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...
Data Breaches and Security: Ditching Data Disasters-Michael McNeil, Philips H...
 
Risk management in Healthcare on Cloud
Risk management in Healthcare on CloudRisk management in Healthcare on Cloud
Risk management in Healthcare on Cloud
 
Equifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability ScanningEquifax, the FTC Act, and Vulnerability Scanning
Equifax, the FTC Act, and Vulnerability Scanning
 
Securing Wearable Device Data
Securing Wearable Device DataSecuring Wearable Device Data
Securing Wearable Device Data
 
5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective
5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective
5 Ways to Be Vigilant for your Medical Devices from a Cybersecurity Perspective
 
Health Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptxHealth Informatics- Module 5-Chapter 1.pptx
Health Informatics- Module 5-Chapter 1.pptx
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
 
Securing Mobile Healthcare Application
Securing Mobile Healthcare ApplicationSecuring Mobile Healthcare Application
Securing Mobile Healthcare Application
 
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best PracticesDispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
Dispelling HIPAA Myths: Texting, Emailing, and BYOD Best Practices
 
Why healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdfWhy healthcare is the biggest target for cyberattacks-converted.pdf
Why healthcare is the biggest target for cyberattacks-converted.pdf
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
 
mHealth Security: Stats and Solutions
mHealth Security: Stats and SolutionsmHealth Security: Stats and Solutions
mHealth Security: Stats and Solutions
 
security and privacy for medical implantable devices
security and privacy for medical implantable devicessecurity and privacy for medical implantable devices
security and privacy for medical implantable devices
 

More from SecurityMetrics

Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementSecurityMetrics
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditSecurityMetrics
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecurityMetrics
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? SecurityMetrics
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisSecurityMetrics
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA AuditSecurityMetrics
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesSecurityMetrics
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? SecurityMetrics
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data BreachSecurityMetrics
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeSecurityMetrics
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptSecurityMetrics
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkSecurityMetrics
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationSecurityMetrics
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken MalwareSecurityMetrics
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsSecurityMetrics
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?SecurityMetrics
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessSecurityMetrics
 
Mobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseMobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseSecurityMetrics
 

More from SecurityMetrics (20)

Hipaa Reality Check
Hipaa Reality CheckHipaa Reality Check
Hipaa Reality Check
 
Understanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping SupplementUnderstanding the New PCI DSS Scoping Supplement
Understanding the New PCI DSS Scoping Supplement
 
How to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS AuditHow to Prepare for a PCI DSS Audit
How to Prepare for a PCI DSS Audit
 
Securing Your Remote Access Desktop Connection
Securing Your Remote Access Desktop ConnectionSecuring Your Remote Access Desktop Connection
Securing Your Remote Access Desktop Connection
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored? HIPAA PHI Protection: Where is Your PHI Stored?
HIPAA PHI Protection: Where is Your PHI Stored?
 
The 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk AnalysisThe 5 Step HIPAA Risk Analysis
The 5 Step HIPAA Risk Analysis
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Don't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your EmpolyeesDon't Let Phishing Emails Hook Your Empolyees
Don't Let Phishing Emails Hook Your Empolyees
 
What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards? What's Causing You to Store Unencrypted Payment Cards?
What's Causing You to Store Unencrypted Payment Cards?
 
5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach5 Steps to Manage a Data Breach
5 Steps to Manage a Data Breach
 
Auditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing FranchiseeAuditing Archives: The Case of the File Sharing Franchisee
Auditing Archives: The Case of the File Sharing Franchisee
 
Auditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java ScriptAuditing Archives: The Case of the Evil Java Script
Auditing Archives: The Case of the Evil Java Script
 
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk ClerkAuditing Archives: The Case of the Overly Helpful Front Desk Clerk
Auditing Archives: The Case of the Overly Helpful Front Desk Clerk
 
The Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless InvestigationThe Case of the Suspiciously Flawless Investigation
The Case of the Suspiciously Flawless Investigation
 
The Case of the Mistaken Malware
The Case of the Mistaken MalwareThe Case of the Mistaken Malware
The Case of the Mistaken Malware
 
The Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit CardsThe Case of the Stockpiled Credit Cards
The Case of the Stockpiled Credit Cards
 
What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?What Does the End of Windows XP Mean For Businesses?
What Does the End of Windows XP Mean For Businesses?
 
How Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for BusinessHow Ethical Hacking is Healthy for Business
How Ethical Hacking is Healthy for Business
 
Mobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data CompromiseMobile Processing: The Perfect Storm for Data Compromise
Mobile Processing: The Perfect Storm for Data Compromise
 

Recently uploaded

Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024minkseocompany
 
Nursing Care Plan for Surgery (Risk for Infection)
Nursing Care Plan for Surgery (Risk for Infection)Nursing Care Plan for Surgery (Risk for Infection)
Nursing Care Plan for Surgery (Risk for Infection)RoieteMillena3
 
obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...
obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...
obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...icha27638
 
Session-1-MBFHI-A-part-of-the-Global-Strategy.ppt
Session-1-MBFHI-A-part-of-the-Global-Strategy.pptSession-1-MBFHI-A-part-of-the-Global-Strategy.ppt
Session-1-MBFHI-A-part-of-the-Global-Strategy.pptMedidas Medical Center INC
 
ITM HOSPITAL The hospital has also been recognised as the best emerging hosp...
ITM  HOSPITAL The hospital has also been recognised as the best emerging hosp...ITM  HOSPITAL The hospital has also been recognised as the best emerging hosp...
ITM HOSPITAL The hospital has also been recognised as the best emerging hosp...jvomprakash
 
Bobath Technique (Samrth Pareta) .ppt.pptx
Bobath Technique (Samrth Pareta) .ppt.pptxBobath Technique (Samrth Pareta) .ppt.pptx
Bobath Technique (Samrth Pareta) .ppt.pptxSamrth Pareta
 
Cytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi Arabia
Cytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi ArabiaCytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi Arabia
Cytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi Arabiajaanualu31
 
Spauldings classification ppt by Dr C P PRINCE
Spauldings classification ppt by Dr C P PRINCESpauldings classification ppt by Dr C P PRINCE
Spauldings classification ppt by Dr C P PRINCEDR.PRINCE C P
 
Navigating Conflict in PE Using Strengths-Based Approaches
Navigating Conflict in PE Using Strengths-Based ApproachesNavigating Conflict in PE Using Strengths-Based Approaches
Navigating Conflict in PE Using Strengths-Based ApproachesCHICommunications
 
Catheterization Procedure by Anushri Srivastav.pptx
Catheterization Procedure by Anushri Srivastav.pptxCatheterization Procedure by Anushri Srivastav.pptx
Catheterization Procedure by Anushri Srivastav.pptxAnushriSrivastav
 
Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...
Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...
Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...icha27638
 
Leading large scale change: a life at the interface between theory and practice
Leading large scale change: a life at the interface between theory and practiceLeading large scale change: a life at the interface between theory and practice
Leading large scale change: a life at the interface between theory and practiceHelenBevan4
 
TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...
TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...
TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...rightmanforbloodline
 
TIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North Carolina
TIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North CarolinaTIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North Carolina
TIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North CarolinaMebane Rash
 
Pulse Check Decisions - RRT and Code Blue Workshop
Pulse Check Decisions - RRT and Code Blue WorkshopPulse Check Decisions - RRT and Code Blue Workshop
Pulse Check Decisions - RRT and Code Blue WorkshopBrian Locke
 
Communicable Disease.pptxgfgfggfffdfxfsdddf
Communicable Disease.pptxgfgfggfffdfxfsdddfCommunicable Disease.pptxgfgfggfffdfxfsdddf
Communicable Disease.pptxgfgfggfffdfxfsdddfnuradinman89
 
TEST BANK For Little and Falace's Dental Management of the Medically Compromi...
TEST BANK For Little and Falace's Dental Management of the Medically Compromi...TEST BANK For Little and Falace's Dental Management of the Medically Compromi...
TEST BANK For Little and Falace's Dental Management of the Medically Compromi...rightmanforbloodline
 
Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...
Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...
Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...Health Catalyst
 
Communication disorder and it's management
Communication disorder and it's managementCommunication disorder and it's management
Communication disorder and it's managementkeerti Gour (PT) Shakya
 
TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...
TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...
TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...rightmanforbloodline
 

Recently uploaded (20)

Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024
 
Nursing Care Plan for Surgery (Risk for Infection)
Nursing Care Plan for Surgery (Risk for Infection)Nursing Care Plan for Surgery (Risk for Infection)
Nursing Care Plan for Surgery (Risk for Infection)
 
obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...
obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...
obat aborsi Trenggalek WA 081225888346 jual obat aborsi cytotec asli di Treng...
 
Session-1-MBFHI-A-part-of-the-Global-Strategy.ppt
Session-1-MBFHI-A-part-of-the-Global-Strategy.pptSession-1-MBFHI-A-part-of-the-Global-Strategy.ppt
Session-1-MBFHI-A-part-of-the-Global-Strategy.ppt
 
ITM HOSPITAL The hospital has also been recognised as the best emerging hosp...
ITM  HOSPITAL The hospital has also been recognised as the best emerging hosp...ITM  HOSPITAL The hospital has also been recognised as the best emerging hosp...
ITM HOSPITAL The hospital has also been recognised as the best emerging hosp...
 
Bobath Technique (Samrth Pareta) .ppt.pptx
Bobath Technique (Samrth Pareta) .ppt.pptxBobath Technique (Samrth Pareta) .ppt.pptx
Bobath Technique (Samrth Pareta) .ppt.pptx
 
Cytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi Arabia
Cytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi ArabiaCytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi Arabia
Cytotec 200mcg tab in Riyadh (+919101817206// Get Abortion Pills in Saudi Arabia
 
Spauldings classification ppt by Dr C P PRINCE
Spauldings classification ppt by Dr C P PRINCESpauldings classification ppt by Dr C P PRINCE
Spauldings classification ppt by Dr C P PRINCE
 
Navigating Conflict in PE Using Strengths-Based Approaches
Navigating Conflict in PE Using Strengths-Based ApproachesNavigating Conflict in PE Using Strengths-Based Approaches
Navigating Conflict in PE Using Strengths-Based Approaches
 
Catheterization Procedure by Anushri Srivastav.pptx
Catheterization Procedure by Anushri Srivastav.pptxCatheterization Procedure by Anushri Srivastav.pptx
Catheterization Procedure by Anushri Srivastav.pptx
 
Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...
Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...
Obat aborsi Jakarta Timur Wa 081225888346 Jual Obat aborsi Cytotec asli Di Ja...
 
Leading large scale change: a life at the interface between theory and practice
Leading large scale change: a life at the interface between theory and practiceLeading large scale change: a life at the interface between theory and practice
Leading large scale change: a life at the interface between theory and practice
 
TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...
TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...
TEST BANK For Success in Practical Vocational Nursing 10th Edition by Carrol ...
 
TIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North Carolina
TIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North CarolinaTIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North Carolina
TIME FOR ACTION: MAY 2024 Securing A Strong Nursing Workforce for North Carolina
 
Pulse Check Decisions - RRT and Code Blue Workshop
Pulse Check Decisions - RRT and Code Blue WorkshopPulse Check Decisions - RRT and Code Blue Workshop
Pulse Check Decisions - RRT and Code Blue Workshop
 
Communicable Disease.pptxgfgfggfffdfxfsdddf
Communicable Disease.pptxgfgfggfffdfxfsdddfCommunicable Disease.pptxgfgfggfffdfxfsdddf
Communicable Disease.pptxgfgfggfffdfxfsdddf
 
TEST BANK For Little and Falace's Dental Management of the Medically Compromi...
TEST BANK For Little and Falace's Dental Management of the Medically Compromi...TEST BANK For Little and Falace's Dental Management of the Medically Compromi...
TEST BANK For Little and Falace's Dental Management of the Medically Compromi...
 
Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...
Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...
Unlock the Secrets to Optimizing Ambulatory Operations Efficiency and Change ...
 
Communication disorder and it's management
Communication disorder and it's managementCommunication disorder and it's management
Communication disorder and it's management
 
TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...
TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...
TEST BANK For Robbins & Kumar Basic Pathology, 11th Edition by Vinay Kumar, A...
 

How to Secure Your Medical Devices

  • 1. HOW TO SECURE YOUR MEDICAL DEVICES ARE YOUR MEDICAL DEVICES BEING HACKED? White Paper © 2016 SecurityMetrics
  • 2. HOW TO SECURE YOUR MEDICAL DEVICES | 1 HOW TO SECURE YOUR MEDICAL DEVICES ARE YOUR MEDICAL DEVICES BEING HACKED? INTRODUCTION Attackers are increasingly targeting medical devices; the reason—PHI. This attack is called medical device jacking or medjacking. Targeted medical devices consist of four types: 1. Consumer health monitoring (e.g., FitBits, smart watch, etc.) 2. Wearable (e.g., portable insulin pumps, continuous glucose monitor, etc.) 3. Embedded (e.g., pacemakers, defibrillators, etc.) 4. Stationary (e.g., MRI machines, CT scanners, etc.) Vulnerabilities have existed within many medical devices for years, but recently there have been increased attacks and awareness of these vulnerabilities. For example, the U.S. Food and Drug Administration (FDA) announced yet another medical device vulnerability, this time with a widely used infusion pump.
  • 3. HOW TO SECURE YOUR MEDICAL DEVICES | 2 DANGERS OF MEDICAL DEVICES The FDA said medical devices “can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.” Although internally embedded medical devices like pace- makers can be hacked, most attackers are more interested in stealing large amounts of patient data. Medical data (e.g., social security numbers, insurance information, etc.) is worth 10 times more than credit card data. Not only do these vulnerabilities exist, but they will increasingly grow worse as more and more devices become interconnected. For example, stationary medical devices are often connected via Wi-Fi or Ethernet, but in some cases, they can connect to a business associate. In general, stationary medical devices are the most at risk because within a few steps, criminals can gain access to electronic medical records (EMR) systems. The following are common stationary medical devices: • Medical x-ray scanner • MRI machine • CT scanners • Chemotherapy dispensing stations • Dialysis machines • LASIK surgical machines • Homecare cardio-monitoring • Bedside infusion pump • Anesthesia apparatuses • Medical ventilators • Picture archiving and communication system • Blood gas analyzer MEDICAL DATA IS WORTH 10 TIMES MORE THAN CREDIT CARD DATA.
  • 4. HOW TO SECURE YOUR MEDICAL DEVICES | 3 HOW DO MEDICAL DEVICES GET COMPROMISED? Medjacking attacks are designed to quickly infiltrate medical devices, establish control, and then use them as pivot points to compromise and exfiltrate data from across the healthcare organization. Once an attacker gets into the network and bypasses existing security, they can infect a medical device and establish a backdoor within the device for later access. Why does this problem exist? It starts with manufacturing. According to the FDA, manufacturers are responsible for “remaining vigilant about identifying risks and hazards associated with their medical devices, including risks related to cybersecurity.” Medical device manufacturers are supposed to take responsibility for securing their devices with appropriate security controls (e.g., user authentication, strong pass- word protection, physical locks, card readers). They should also develop strategies for active security protection and “timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code.” Unfortunately, most manufacturers don’t take this responsibility seriously. Some medical device manufacturers limit their cyber- security efforts due to low budgets or time-require- ments, necessitating the use of open source code for security solutions. Joshua Corman, CTO at Sonatye, describes this process as “a shared attack surface and a shared risk” across the manufacturing sphere. The problem is healthcare IT teams typically don’t have access to a medical device’s system. Users can’t install further security tools on network connected medical device systems because most security tools don’t run within the actual medical device. Also, any software applied by the entity might be considered tampering with the device and have a negative impact on FDA approval.
  • 5. HOW TO SECURE YOUR MEDICAL DEVICES | 4 HOW TO PREVENT MEDJACKING The ongoing responsibility of managing patient data throughout an organization requires an organized ap- proach to risk management. As the guardian of patient data, it’s up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them. STEP ONE: FIX CURRENT MEDICAL DEVICES If you have networked medical devices, prepare for the worst. You likely have HIPAA violations on your hands because these devices are potentially vulnerable to leaking patient data. If there are any known vulnerabili- ties, remediate your existing devices immediately. Con- tact medical device manufacturers to find any required updates or available patches. Add this to your policies and document everything. Software and hardware updates take time. Plan ahead for ways to integrate all necessary fixes provided by the medical device manufacturer. Once again, make sure you document all of your manufacturers’ changes. Make sure all medical devices have a secure password. Secure passwords should have a minimum of eight char- acters, and must contain numeric, alphabetic, and special characters. In practice, the more character formats used, the more difficult a password will be to guess. This also applies to attackers trying to use a brute force applica- tion to obtain a password: the longer and more complex the password, the longer it will take to discover.
  • 6. HOW TO SECURE YOUR MEDICAL DEVICES | 5 STEP TWO: REVISE YOUR PROCESS Most importantly, consider only buying from medical device vendors that value cybersecurity. Some device manufacturers favor passwords built into the system that can’t be changed. When making purchase decisions, you should be able to modify your own passwords. Vendors should also offer frequent updates on their systems and be willing to conduct quarterly reviews on their systems. Manage physical access to medical devices, if possible. Medical devices with USB ports are particularly prone to compromise and additional procedures for these devices (such as strict rules for used USBs) are a must. For example, employees should never use USB sticks found on the ground or lying around the facility. If devices no longer receive manufacturers’ updates, get rid of them. It’s better to be safe than risk patient data being stolen. Remember in the disposal process to securely erase or destroy any patient data on these devices. Limit access to PHI by segmenting devices inside your network. Protect these devices with strict firewall rules allowing access to only specific services and IP addresses. Train your employees at least annually. One of your organization’s biggest weak- nesses can be your workforce because they don’t understand their responsibility to protect PHI and medical devices. Train them about social engineering and how often individuals pose as janitors, IT, new hires, or fake nurses to access patient data. SEGMENT DEVICES INSIDE YOUR NETWORK TO LIMIT ACCESS TO PHI. In your social engineering training, teach employees to: • Challenge strangers • Verify their identification • Never use USB thumb drives found around the premises • Always wear an identification badge Ensure you protect your patient’s data. You need to adequately document where PHI enters your environment, what hap- pens once PHI enters, where it’s stored, and how it exits your organization. Then you need to implement the necessary encryption, industry best practice is to use AES-128, Triple DES, AES-256, or better.
  • 7. HOW TO SECURE YOUR MEDICAL DEVICES | 6 STEP THREE: UNDERSTAND YOUR SECURITY STATUS It’s difficult, if not impossible to find every weakness in your organization on your own. To take your security to the next level and to avoid weaknesses in your IT system, consider implementing additional services such as: • Internal and external vulnerability scans—automated testing for weaknesses inside and outside your network • Penetration tests—live, hands-on testing of your system’s weaknesses and vulnerabilities • Gap analysis—consultation on where your gaps in security and compliance exist and what steps need to occur next • Intrusion Detection Systems/Intrusion Prevention Systems (IDS/IPS)—a monitoring system for network security appliances and report malicious activity • File Integrity Monitoring (FIM)—a way of checking software, systems, and applications in order to warn of potential malicious activity
  • 8. HOW TO SECURE YOUR MEDICAL DEVICES | 7 STEP FOUR: IMPLEMENT HIPAA COMPLIANCE If you haven’t already, designate a HIPAA compliance officer or team member. Clearly and specifically lay out their responsibilities, as well as for anyone involved with HIPAA compliance. Privacy and security concerns are key when it comes to HIPAA, but it’s also important to be sure your organization as a whole is protected. It’s critical to ensure all systems containing patient data is protected. Here are common places data is stored intentionally and unintentionally: • EHR/EMR systems • Databases • Workstations • Filing cabinets • Servers • Laptops • Security appliances • Email system • Data warehouse • Files shares • Ticketing systems • Mobile devices (i.e., smart phones, tablets) Conduct an annual HIPAA Risk Analysis. A Risk Analysis helps you to know your vulnerabilities, threats, and risks. The HHS states, “Conducting a Risk Analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implemen- tation specifications in the Security Rule. Therefore, a Risk Analysis is foundational.” Start by identifying your organi- zation’s top weaknesses, and begin to resolve these issues, and then repeat the process for medium and low risks. Set aside time either daily or weekly to work on HIPAA compliance and security. Keep HIPAA in the forefront of employees’ minds by holding regular training about PHI security practices. IF YOUR MEDICAL DEVICES AREN’T SECURE YOUR ORGANIZATION IS NOT HIPAA COMPLIANT.
  • 9. HOW TO SECURE YOUR MEDICAL DEVICES | 8 CONCLUSION Update all medical devices with any available security patches. Work with manufacturers at least once a quarter to make sure your device is secure. If you haven’t already, start HIPAA compliance and protect your patient’s data. Don’t let obstacles stop your progress on the security and compliance journey. Make securing medical devices a standard procedure after they get fixed. This process helps protect your organization and your patient’s data from getting hacked. HOW VULNERABLE IS YOUR PATIENT DATA? Join over 800,000 organizations and let SecurityMetrics help protect your patient data. consulting@securitymetrics.com 801.705.5656