Medical Device Security Often Neglected
Expert Warns Against Overlooking Devices in Risk Management
Despite the growing attention that federal regulators have been giving to medical device cybersecurity over the last two years, many healthcare organizations still neglect those devices in their risk management and compliance programs, says security expert Andrew Hicks.
"A lot of hospitals we see don't include these devices as part of their compliance programs," he says in an interview with Information Security Media Group during the HIMSS 2015 conference in Chicago. "We are seeing a lot of uptick in awareness of medical devices, but making sure they're in the scope of security programs and compliance programs is a must at this point."
Some organizations are uncertain about who's ultimately accountable for medical device cybersecurity, says Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire. "There's a lot of confusion out there. Is it the manufacturers' responsibility, or the purchasers' responsibility? And there's a lot of variation out there. [For instance,] if I'm a hospital buying medical devices and I change the configurations, I've now re-engineered the device - so is it my responsibility to make sure it's secure? ... Getting those hardened configurations settings built into the devices - it's not as simple as buying a device and assuming it's secure. You have to take preventive measures on top of that."
The Food and Drug Administration over the last two years has issued voluntary guidance for the healthcare sector about how to ramp up medical device cybersecurity. That includes advising hospitals and other healthcare providers to include medical devices in their risk analysis and risk management programs and advising manufacturers to consider cybersecurity in the design and development of their products.
In this interview, Hicks also discusses:
- What healthcare organizations should learn from the recent hacking attacks on Anthem Inc. and Premera Blue Cross;
- The difficulties organizations often have in detecting breaches;
- Common challenges that covered entities are encountering in vendor management for business associates and subcontractors.
Hicks has more than 10 years of experience in IT governance, including security, risk management, audit, business continuity, disaster recovery and regulatory compliance. His experience also includes implementing and managing IT internal control programs relative to maintaining Sarbanes-Oxley, HITECH Act, HIPAA and PCI compliance.