COMMENTARY. Hospitals and medical device manufacturers must team up to help create a secure environment to protect the personal health information derived from patient monitors and other medical devices.
For some time, this notion of shared responsibility for data security has been recognized as a best practice within the larger technology industry.
Many cloud service providers follow this model to define the mutual security obligations of the cloud providers and their customers.
This means medical device manufacturers, hospital software providers, and health organizations must collaborate to shield patient information and medical device systems against cybercriminal activity.
Understanding Roles in Medical Device Data Security

The US FDA requires medical device manufacturers and software providers to follow a process called security by design, which maintains that certain controls must be embedded in a product to make it easier for hospitals to deploy and use them securely.
Features such as configurable encryption, secure login pages, and user authentication requirements are examples of how manufacturers integrate security capabilities into their products.
These security features in the product's design often require hospitals to take action to activate them and keep them effective over time.
Hospitals must ensure that browsers and mobile devices are up to date with security features enabled to optimize the manufacturer's cloud-based security controls, such as multifactor authentication.
To facilitate secure product implementation, medical equipment manufacturers must embed security controls using proven algorithms and designs guided by the security-by-design process.
At the same time, hospitals have their own share of responsibilities and activities to ensure the product is used securely.
For security measures to be successful, hospitals and manufacturers must collaborate to determine what will best meet the hospital's needs.
Before a hospital deploys a device, its manufacturer must be transparent about the security features that the hospital can use, as well as their expectations of the hospital environment.
Hospitals, in turn, should educate themselves about those security features and determine if they meet their expectations.
Manufacturers often provide clinical users and system administrators with information and guidelines such as the Manufacturer Disclosure Statement for Medical Device Security, software bills of materials, hardening guides, and other security guidance materials.
These documents provide step-by-step blueprints for healthcare providers to follow to do their part to protect medical device data from intrusion.
Recommended steps may include restricting login access to specific personnel, securing connections between systems using network segmentation and restricted ports, using trusted certificates to verify the identity of medical devices and clinical data receiving systems, and other actions specific to the hospital's network.
Read Manufacturers' Recommended Security Guidelines

Manufacturers' product documentation and guides tell hospitals how to leverage a medical device or software's embedded security features for optimal use.
It's important to review these guides every time a new version of a product or software is deployed because enhanced security controls may require additional measures, such as updated encryption configurations or new private keys.
Use these guides regularly to check that the current security configuration is still effective.
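The recommended steps above (restricted login access, restricted ports, trusted certificates) and the advice to re-check the security configuration against the hardening guide after every deployment both amount to the same practical task: comparing a device's exported security settings with the manufacturer's expectations. The script below is an added illustration of such a check; it is not code from the article or from any manufacturer. The configuration schema, the policy values, the port numbers and the sample export are all constructed assumptions, not a real hardening guide.

```python
"""Hardening-guide conformance check for a medical device's exported security
configuration. Added illustration only: the configuration schema, the policy
values and the sample export are constructed assumptions, not a real
manufacturer's export format or hardening guide."""
import json
from datetime import date, datetime, timezone

# Assumed policy reflecting the kinds of recommendations a hardening guide
# carries: restricted login, restricted ports, trusted certificates, encryption.
POLICY = {
    "allowed_login_roles": {"biomed_admin", "clinical_engineer"},
    "allowed_tcp_ports": {443, 2575},          # assumed: HTTPS and HL7 over TLS
    "min_tls_version": "TLSv1.2",
    "trusted_cert_issuers": {"CN=Hospital Device CA"},
    "require_mfa": True,
    "min_cert_days_remaining": 30,
}

TLS_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def check_config(config, policy=POLICY, today=None):
    """Return a list of human-readable findings; an empty list means conformant.
    `today` may be a date or an ISO date string (handy for reproducible checks)."""
    if today is None:
        today = datetime.now(timezone.utc).date()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []

    # Restrict login access to specific personnel / roles
    extra_roles = set(config.get("login_roles", [])) - policy["allowed_login_roles"]
    if extra_roles:
        findings.append(f"login roles not in hardening guide: {sorted(extra_roles)}")

    # Restricted ports: anything listening outside the allowlist is a finding
    extra_ports = set(config.get("listening_tcp_ports", [])) - policy["allowed_tcp_ports"]
    if extra_ports:
        findings.append(f"unexpected listening ports: {sorted(extra_ports)}")

    # Encryption configuration: minimum protocol version must meet the guide
    ver = config.get("tls_min_version", "TLSv1.0")
    if ver not in TLS_ORDER or TLS_ORDER.index(ver) < TLS_ORDER.index(policy["min_tls_version"]):
        findings.append(f"TLS minimum {ver} is below required {policy['min_tls_version']}")

    # Trusted certificates: issuer must be one the hospital trusts, and not near expiry
    cert = config.get("device_certificate", {})
    if cert.get("issuer") not in policy["trusted_cert_issuers"]:
        findings.append(f"device certificate issuer not trusted: {cert.get('issuer')!r}")
    not_after = cert.get("not_after")
    if not_after:
        days_left = (date.fromisoformat(not_after) - today).days
        if days_left < policy["min_cert_days_remaining"]:
            findings.append(f"device certificate expires in {days_left} days")
    else:
        findings.append("device certificate has no expiry recorded")

    # Multifactor authentication must be switched on, not merely available
    if policy["require_mfa"] and not config.get("mfa_enabled", False):
        findings.append("multifactor authentication is available but not enabled")

    return findings


# Constructed sample export: a device deployed with vendor defaults still in place.
SAMPLE_EXPORT = json.loads("""{
  "device_id": "MON-EXAMPLE-01",
  "login_roles": ["biomed_admin", "everyone"],
  "listening_tcp_ports": [443, 2575, 23],
  "tls_min_version": "TLSv1.0",
  "mfa_enabled": false,
  "device_certificate": {"issuer": "CN=Vendor Default CA", "not_after": "2024-02-20"}
}""")


if __name__ == "__main__":
    for finding in check_config(SAMPLE_EXPORT, today="2024-02-08"):
        print("FINDING:", finding)
```

Run against the constructed export, the check reports six findings, one for each default the hardening guide would ask the hospital to change; a device whose settings match the policy returns an empty list. Re-running the same check after every product or software update is the kind of routine review the article recommends.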
To thwart cybercriminal activity, manufacturers and hospitals need to team up and be clear about each other's roles and shared responsibilities in an end-to-end secure data environment.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 08 Feb 2024 15:05:25 +0000