- Health Network Security Challenges of Wireless Deployment
- Health Data Security Needs to Generate IAM Market Growth
The report also addressed each imperative individually, including recommendations for public and private healthcare entities. It’s important that the public and private healthcare sectors work together and coordinate to protect PHI that is shared within and among organizations.
“Although one could implement only a few of the recommendations and gain a minimal benefit, implementing all or a majority of the recommendations will compound the benefits to the overall security posture of the health care industry, as well as allow organizations to maximize their financial investments and personnel resources,” the report stated.
Educating staff and patients about cybersecurity is the first line of defense against cyberattacks. Understanding how data is accessed and the consequences of unsecured PHI access make users more aware of cyberattacks and how to avoid and prevent them.
User education plays a significant role in network defense, but IT still lacks control over what data is being accessed and how it is being accessed. This calls for robust cybersecurity implementations that will protect the network from outside threats.
Several of the imperatives suggested that organizations increase IT security to protect patients as well as their data.
The second imperative touched on the potential vulnerabilities found in medical devices. The number of medical devices included in modern health IT infrastructure continues to grow and organizations are faced with managing and monitoring them for possible threats.
The report suggested that entities pay close attention to legacy medical devices and systems, including EHR applications. Legacy systems present risks to the network if they do not have continued support from both the hardware and software vendors providing the technology.
“Many of these legacy systems have security weaknesses, which may contribute to the compromise of provider networks and systems,” the report said. “Every vendor and health care organization should be able to identify and classify legacy systems and develop an approach (e.g., compensating controls, device update, device retirement, network segmentation, or innovative architectures) to mitigate the associated risks.”
The action item for medical device security suggested that organizations inventory their critical systems and document unsupported OSes, devices and EHR systems. Entities must replace or upgrade systems with alternatives that are supported by vendors and invest in superior security capabilities whenever possible.
Organizations should produce retirement timelines so they can be replaced at a convenient time if devices are critical and can’t be replaced right away. The report also maintained that entities make an effort to isolate devices that are being prepared for retirement.
Other recommendations included improving manufacturing and development transparency among developers and users, as well as increasing adoption of the secure development lifecycle in the development of medical devices and EHRs.
“The industry needs to take a long-range approach to considering viability, effectiveness, security, and maintainability of medical devices, EHRs, and the interfaces when setting up the IT network and at the outset of product deployment,” the report advised. “The desired end-state is that every product (whether new or when it is being upgraded) have a defined strategy, architectural approach, and design that supports the deployment and overall lifecycle management of that product.”
Cyberattacks on healthcare data continue to threaten patient safety and organizations need to be sure all health IT security systems are supported. Entities must know that security plays a significant part in the development of new medical devices.