Critical Steps for Avoiding 'Top Health IT Hazard' in 2019
ECRI Institute's Chad Waters and Juuso Leinonen on Preventing Remote Access Attacks
Healthcare entities need to take a number of important steps to defend against cyberattacks involving remote access, say Chad Waters and Juuso Leinonen, security engineers at the ECRI Institute, which recently singled out hackers remotely accessing medical devices and systems as the No. 1 technology hazard for 2019.
Those steps include taking inventory of all the potential means for remote access into their environments, including Remote Desktop Protocol servers, virtual private networks and Secure Sockets Layer ports, Waters says.
"Make sure you are aware of what you have in terms of remote access," he says in an interview with Information Security Media Group. "Once you have those inventoried, you want to implement policies to govern them and approve new remote access systems ... and then protect them with the appropriate compensating controls, like firewalls and auditing logs," he adds.
'Attack Vector of Choice'
Remote access has been "the attack vector of choice for organized hacking organizations," Waters says. This has resulted in a multitude of ransomware incidents in the healthcare sector, including attacks involving the SamSam ransomware variant, he notes.
"I would encourage entities to allocate appropriate resources to address cybersecurity concerns," Leinonen urges.
In the interview, Leinonen and Waters also discuss:
- Why cybersecurity issues are a top patient safety concern;
- The medical devices most at risk for hacking attacks;
- Factors ECRI considers as it assesses top health IT hazards that put patients and healthcare institutions at risk.
Waters is a senior cybersecurity engineer in the health devices group at the ECRI Institute, where he performs medical device evaluations, develops practical guidance for healthcare facilities, and consults with healthcare facilities about medical technologies. He is a subject matter expert in medical device cybersecurity and healthcare IT.
Leinonen is a senior project engineer in the health devices group at ECRI and the lead subject matter expert in medical device cybersecurity, medical device integration, infusion technology and telehealth. He came to ECRI Institute with a background in clinical engineering from St. George's Hospital in London.