[{"innerBlocks":[],"name":"core\/freeform","postId":127332,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"selectors":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":3,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":"

5 medical device security risks and how to beat them<\/h2>
The increasing use of connected medical devices that link up or integrate with other systems, devices, tools, networks or services offers much promise in improving care, but also represents significant risk to network security\u2014and most healthcare organizations are poorly protected. According to new research from Booz Allen Hamilton and eHealth Initiative, these innovations pose security risks hackers can attack connected medical devices, making it easier to disrupt their operations.<\/p>

Risk 1: Physical proximity is not necessary for compromise<\/h2>
To an attacker, connected devices are just computers on the network, and they are vulnerable to the same types of cyberattacks that threaten every digital device. A July advisory from the Department of Homeland Security warned of a set of vulnerabilities called URGENT\/11 that is present in 200 million devices worldwide. The vulnerabilities could enable anyone to remotely take control of a device and change its function or cause a denial of service, or cause leaks or logic flaws, which may prevent device function.<\/p>

Risk 2: Devices extend the roles of some organizations<\/h2>
Healthcare organizations now are significantly involved in the process of developing these devices\u2014in fact, they\u2019re information technology partners with medical device manufacturers. These manufacturers continue to be involved over time, because they typically have a direct role in the post-market phase, after regulators have approved a device for use. This unstructured relationship boosts the security risks for healthcare delivery organizations, because they must learn to mitigate risks inherent in connected health devices that rely on third-party, off-premises technology to work properly.<\/p>

Risk 3: Connected medical device vulnerabilities never expire<\/h2>
Sometimes, even \u201csecure\u201d systems have latent vulnerabilities\u2014these can go from \u201cundisclosed\u201d to \u201ceasily exploited\u201d in a manner of days. Because hackers don\u2019t have to be physically attached to the device, threat actors can get access easily by finding and working to exploit undisclosed vulnerabilities.<\/p>

Risk 4: Not enough adoption of a threat-centric mindset<\/h2>
To secure the connected health ecosystem, those tasked with protecting it need a threat-centric mindset. Defining policies and assessing compliance are not sufficient to prevent compromise of devices, the network and healthcare information databases. Even the most compliant organizations fall victim to sophisticated threats, with 77 percent of successful attacks exploitng pre-existing vulnerabilities. Threats and exploits must be continually assessed throughout the lifecycle.<\/p>

Risk 5: Connected devices face a variety of diverse risks<\/h2>
Patients and providers must be able to rely on the confidentiality, integrity and availability of connected devices and the data they create, and the devices must be always connected and available. But there are many potential risks that have the potential to erode this trust\u2014from supply chain issues to privacy concerns. No single security approach is sufficient as many complementary solutions are necessary.What follows are suggestions from Booz Allen Hamilton and eHealth Initiative to address these challenges.<\/p>

The status quo is not sufficient<\/h2>
Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.<\/p>

Everyone plays a role<\/h2>
Potential solutions to threats emerging to connected medical devices require coordinated and diverse activities, working in concert to adaquately address all threats and risks.<\/p>

Important work already is underway<\/h2>
The health industry has already created significant resources, such as the Joint Security Plan<\/a>, as a starting point. Much remains to be done, but many of the important issues are currently being discussed.<\/p>

Keep an eye to the future<\/h2>
The solutions required to fix today\u2019s vulnerable devices are not the same as those required to prevent future devices from being vulnerable. However, the needs for protection from future vulnerabilities must be designed into emerging connected devices while still addressing today\u2019s needs.<\/p>

More engagement is needed<\/h2>
Attending events by the Health Sector Coordinating Council<\/a> (HSCC) and the Health Information Sharing and Analysis Center<\/a> (H-ISAC) are a good way to engage stakeholders in productive dialogues that can benefit everyone.<\/p>

Important resources for further study<\/h2>
Here are some important resources for further study.The Medical Device and Health IT Joint Security Plan<\/a>Health Industry Cybersecurity Practices<\/a>: Managing Threats and Protecting Patients, from the Health Sector Coordinating CouncilDepartment of Health and Human Services cyber security guidance materials<\/a>Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency<\/a><\/p>

","saveContent":"
5 medical device security risks and how to beat them<\/h2>
The increasing use of connected medical devices that link up or integrate with other systems, devices, tools, networks or services offers much promise in improving care, but also represents significant risk to network security\u2014and most healthcare organizations are poorly protected. According to new research from Booz Allen Hamilton and eHealth Initiative, these innovations pose security risks hackers can attack connected medical devices, making it easier to disrupt their operations.<\/p>

Risk 1: Physical proximity is not necessary for compromise<\/h2>
To an attacker, connected devices are just computers on the network, and they are vulnerable to the same types of cyberattacks that threaten every digital device. A July advisory from the Department of Homeland Security warned of a set of vulnerabilities called URGENT\/11 that is present in 200 million devices worldwide. The vulnerabilities could enable anyone to remotely take control of a device and change its function or cause a denial of service, or cause leaks or logic flaws, which may prevent device function.<\/p>

Risk 2: Devices extend the roles of some organizations<\/h2>
Healthcare organizations now are significantly involved in the process of developing these devices\u2014in fact, they\u2019re information technology partners with medical device manufacturers. These manufacturers continue to be involved over time, because they typically have a direct role in the post-market phase, after regulators have approved a device for use. This unstructured relationship boosts the security risks for healthcare delivery organizations, because they must learn to mitigate risks inherent in connected health devices that rely on third-party, off-premises technology to work properly.<\/p>

Risk 3: Connected medical device vulnerabilities never expire<\/h2>
Sometimes, even \u201csecure\u201d systems have latent vulnerabilities\u2014these can go from \u201cundisclosed\u201d to \u201ceasily exploited\u201d in a manner of days. Because hackers don\u2019t have to be physically attached to the device, threat actors can get access easily by finding and working to exploit undisclosed vulnerabilities.<\/p>

Risk 4: Not enough adoption of a threat-centric mindset<\/h2>
To secure the connected health ecosystem, those tasked with protecting it need a threat-centric mindset. Defining policies and assessing compliance are not sufficient to prevent compromise of devices, the network and healthcare information databases. Even the most compliant organizations fall victim to sophisticated threats, with 77 percent of successful attacks exploitng pre-existing vulnerabilities. Threats and exploits must be continually assessed throughout the lifecycle.<\/p>

Risk 5: Connected devices face a variety of diverse risks<\/h2>
Patients and providers must be able to rely on the confidentiality, integrity and availability of connected devices and the data they create, and the devices must be always connected and available. But there are many potential risks that have the potential to erode this trust\u2014from supply chain issues to privacy concerns. No single security approach is sufficient as many complementary solutions are necessary.What follows are suggestions from Booz Allen Hamilton and eHealth Initiative to address these challenges.<\/p>

The status quo is not sufficient<\/h2>
Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.<\/p>

Everyone plays a role<\/h2>
Potential solutions to threats emerging to connected medical devices require coordinated and diverse activities, working in concert to adaquately address all threats and risks.<\/p>

Important work already is underway<\/h2>
The health industry has already created significant resources, such as the Joint Security Plan<\/a>, as a starting point. Much remains to be done, but many of the important issues are currently being discussed.<\/p>

Keep an eye to the future<\/h2>
The solutions required to fix today\u2019s vulnerable devices are not the same as those required to prevent future devices from being vulnerable. However, the needs for protection from future vulnerabilities must be designed into emerging connected devices while still addressing today\u2019s needs.<\/p>

More engagement is needed<\/h2>
Attending events by the Health Sector Coordinating Council<\/a> (HSCC) and the Health Information Sharing and Analysis Center<\/a> (H-ISAC) are a good way to engage stakeholders in productive dialogues that can benefit everyone.<\/p>

Important resources for further study<\/h2>
Here are some important resources for further study.The Medical Device and Health IT Joint Security Plan<\/a>Health Industry Cybersecurity Practices<\/a>: Managing Threats and Protecting Patients, from the Health Sector Coordinating CouncilDepartment of Health and Human Services cyber security guidance materials<\/a>Department of Homeland Security\u2019s Cybersecurity and Infrastructure Security Agency<\/a><\/p>

","order":0,"get_parent":{},"attributes":[],"attributesType":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"dynamicContent":""}]

The status quo is not sufficient<\/h2>Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.<\/p>

Everyone plays a role<\/h2>Potential solutions to threats emerging to connected medical devices require coordinated and diverse activities, working in concert to adaquately address all threats and risks.<\/p>

Important work already is underway<\/h2>The health industry has already created significant resources, such as the Joint Security Plan<\/a>, as a starting point. Much remains to be done, but many of the important issues are currently being discussed.<\/p>

More engagement is needed<\/h2>

The status quo is not sufficient<\/h2>Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.<\/p>

Everyone plays a role<\/h2>Potential solutions to threats emerging to connected medical devices require coordinated and diverse activities, working in concert to adaquately address all threats and risks.<\/p>

Important work already is underway<\/h2>

More engagement is needed<\/h2>

The status quo is not sufficient<\/h2>
Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.<\/p>

Everyone plays a role<\/h2>
Potential solutions to threats emerging to connected medical devices require coordinated and diverse activities, working in concert to adaquately address all threats and risks.<\/p>

Important work already is underway<\/h2>
The health industry has already created significant resources, such as the Joint Security Plan<\/a>, as a starting point. Much remains to be done, but many of the important issues are currently being discussed.<\/p>

More engagement is needed<\/h2>
Attending events by the Health Sector Coordinating Council<\/a> (HSCC) and the Health Information Sharing and Analysis Center<\/a> (H-ISAC) are a good way to engage stakeholders in productive dialogues that can benefit everyone.<\/p>

The status quo is not sufficient<\/h2>
Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.<\/p>

Everyone plays a role<\/h2>
Potential solutions to threats emerging to connected medical devices require coordinated and diverse activities, working in concert to adaquately address all threats and risks.<\/p>

Important work already is underway<\/h2>
The health industry has already created significant resources, such as the Joint Security Plan<\/a>, as a starting point. Much remains to be done, but many of the important issues are currently being discussed.<\/p>

More engagement is needed<\/h2>
Attending events by the Health Sector Coordinating Council<\/a> (HSCC) and the Health Information Sharing and Analysis Center<\/a> (H-ISAC) are a good way to engage stakeholders in productive dialogues that can benefit everyone.<\/p>

5 risks in protecting medical devices and how to meet them

More for you