The US Healthcare
system has been regarded as one of the best in the world. A lot of this has not only to do with the
extensive amount of training that future doctors, nurses, and other
practitioners have to undergo, but we are also blessed that we have all of the
advanced technology in the world. Not
many countries can say the same.
But there is
one area in our great healthcare system that is still lacking: Yep, you guessed it, it has to do with our
Cybersecurity. Attackers still love to
pounce on the targets here, especially when it comes to the heisting of
patients information and data. But there
is yet another area here where it is even more detrimental: Implanted medical devices.
A good
example of this is the pacemaker. It is
used to control the heartbeat, so that it maintains a proper rhythm. But unfortunately, it is now accessible via
radio control by the patient’s doctor. While
this is a good thing, it can be a bad thing also, because the Cyberattacker can
also take control of it, take control of the pacemaker, and literally kill the patient
wherever they are at.
Luckily to my
knowledge nothing like this has happened yet, but the potential for it is quite
strong. In response to this, the United
States FDA has now mandated that all manufacturers of medical devices follow a principle
called “Secure By Design”. This is where
certain kinds of controls have to be literally embedded into the device, in
order to safeguard the security of the patient.
More
information about the FDA requirements can be seen at the link below:
http://cyberresources.solutions/blogs/fda.pdf
More details
about “Secure By Design” can also be found at the link below:
An example of
such a control is Multifactor Authentication, also known as “MFA” for
short. This is where at least three or
more differing mechanisms are used to confirm the identity of an
individual.
But another
problem now is that a lot of the healthcare providers are now moving to the Cloud
(such as the AWS or Azure) in order to host the applications that support these
medical devices. As a result, this comes
under the guise of what is known as the “Share Responsibility Model”. As a user of the Cloud, you actually share your
resources with other “tenants” in order to keep your monthly costs down.
While this is
of course a good thing, it can be a bad thing because now your datasets can
theoretically become that much more accessible to malicious third parties. But, the Cloud providers do give you the
resources and the tools that you need to protect your part of the Cloud, but
you have to take responsibility to make sure that they are configured properly
to your security requirements.
But to make
implanted medical devices more secure, it is recommended that the following steps
be taken, and quickly:
1)
The
hospitals have to do their part:
Usually,
the medical device vendors will provide information to the practitioners about
the devices that they are interested in using.
An example of this is the “Manufacturer Disclosure Statement for Medical
Device Security”, also known as the “MDS2”.
It spells out all of the details of the security features that a particular
device has, and from there, the facility can make an informed decision as to
whether to use it or not. But the
bottom line is that it must be read, and just discarded away!!!
2)
Configure
those devices:
The
vendors will also have documentation on how to further fine tune your procured
devices to best meet your security requirements. Heed these documents carefully
also!!! Most medical
facilities don’t do this, and instead rely on the default settings. Don’t do this! This is where you will have more back doors open
than you realize.
My
Thoughts On This:
Another catalyst
that is leading to the explosion of implanted medical devices is the Internet
of Things, also known as the “IoT”. The
connections between devices still remain unencrypted, making it more a risk to
use. Also, the growth of AI and ML isn’t
helping matters much either on the Cybersecurity front, either.
The best
advice I can give here for the medical practitioners are to stay proactive, and
make sure that ever security control is used to the maximum extent possible.
No comments:
Post a Comment