One of the areas hit hardest by the Covid-19 pandemic was data security. As remote work and virtual visits rapidly went from being the exception to the rule, organizations faced myriad challenges, from providing enough devices for users to protecting those devices and the networks on which they run.
For CISOs and other IT and security leaders, it meant having to pivot from being focused on “hardening the outside as effectively as possible,” to realizing that the perimeter no longer exists, said Steven Aiello, Security Practice Director with AHEAD, during a recent webinar. “It was on everybody’s mind that we needed to make data more readily available.”
All of a sudden, initiatives like multifactor authentication that had been planned for 2021 or 2022 were being fast-tracked, despite the fact that most organizations were experiencing sizeable revenue dips. “It’s been a very interesting time and I think it has forced people to think differently about their priorities moving forward,” he said.
Even for an organization like ChristianaCare, which already had a lot of the controls and infrastructure in place to support the transition to telecommuting, the pace of change would have to increase. “We’ve had a cloud-first mentality and an approach where the vision is for clinicians to be able to access information from any device at any time,” said Anahi Santiago, now in her fifth year as CISO. “For us, the call to action was to increase our capacity to scale out.”
Along with that, however, came several considerations, which Santiago, Aiello, and Sri Bharadwaj (VP of Digital Innovation with Franciscan Health) covered during the discussion, which was entitled, “Tackling the Toughest Problem in Healthcare IT Security: Medical Devices.”
First, it’s important to examine why medical devices present such a unique challenge. According to Aiello, it’s not so much about the devices themselves, but rather, “it highlights a failure in information security and cybersecurity as a whole.” He believes it comes down to implementing solid practices of proper network segmentation and design, which, admittedly, isn’t exactly sexy. “But if you go back to the basics and talk about segmentation and allowing only the least privilege access from a medical device to a system that may be required to update a record or something of that nature, you can tackle those problems in a very similar manner to the way you would other similarly classified devices.”
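To make the “segmentation plus least privilege” point concrete, here is an added example (not code from the webinar, AHEAD, or any of the organizations mentioned). It models a default-deny allow-list for a hypothetical medical-device VLAN, audits a few constructed flow-log lines against it, and renders the same policy as an nftables chain. The subnet, host addresses, device names and the flow-log format are all assumptions; the destinations are the kinds of systems a modality actually needs to reach (an HL7 interface engine, a PACS, NTP/DNS), and anything else, including device-to-device traffic inside the segment, is reported as a violation.

```python
"""Allow-list audit for a medical-device network segment (added example).

Everything here is constructed for illustration: the VLAN 10.40.0.0/24, the
interface-engine and PACS addresses, and the flow-log lines are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str    # source CIDR (the device segment)
    dst: str    # destination CIDR (a single clinical system)
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


# Hypothetical least-privilege policy for the device VLAN 10.40.0.0/24.
# Only the systems a device must talk to are listed; everything else is denied.
POLICY = [
    Rule("10.40.0.0/24", "10.10.5.20/32", "tcp", 2575),   # HL7 over MLLP to the interface engine
    Rule("10.40.0.0/24", "10.10.5.30/32", "tcp", 11112),  # DICOM to PACS
    Rule("10.40.0.0/24", "10.10.1.10/32", "udp", 123),    # NTP
    Rule("10.40.0.0/24", "10.10.1.10/32", "udp", 53),     # DNS (assumed same host as NTP)
]


def is_allowed(policy, src, dst, proto, dport):
    """Return True only if some rule explicitly permits this flow (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        s in ip_network(r.src) and d in ip_network(r.dst)
        and r.proto == proto and r.dport == dport
        for r in policy
    )


def parse_flow(line):
    """Parse the constructed log format '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    sip, _ = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, sip, dip, proto, int(dport)


def audit(policy, lines):
    """Return every flow that the policy would not permit, as (ts, src, dst, proto, dport)."""
    violations = []
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        if not is_allowed(policy, src, dst, proto, dport):
            violations.append((ts, src, dst, proto, dport))
    return violations


def to_nftables(policy, chain="medical_devices"):
    """Render the allow-list as an nftables chain with a drop policy."""
    lines = [f"chain {chain} {{", "    type filter hook forward priority 0; policy drop;"]
    for r in policy:
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} accept")
    lines.append("}")
    return "\n".join(lines)


# Constructed flow records: three legitimate flows, then three that a flat
# network would silently permit but a segmented, least-privilege design blocks.
SAMPLE_FLOWS = [
    "12:00:01 10.40.0.17:49152 -> 10.10.5.20:2575 tcp",   # HL7 result to interface engine
    "12:00:02 10.40.0.17:49153 -> 10.10.5.30:11112 tcp",  # DICOM study to PACS
    "12:00:03 10.40.0.17:123 -> 10.10.1.10:123 udp",      # NTP
    "12:00:04 10.40.0.21:49160 -> 10.10.5.20:445 tcp",    # SMB to the interface engine
    "12:00:05 10.40.0.21:49161 -> 10.40.0.17:445 tcp",    # device-to-device inside the segment
    "12:00:06 10.40.0.17:49170 -> 203.0.113.9:443 tcp",   # direct internet egress
]

if __name__ == "__main__":
    for v in audit(POLICY, SAMPLE_FLOWS):
        print("VIOLATION", *v)
    print(to_nftables(POLICY))
```

The audit reports the last three flows only. Treating the device segment as a source that may reach a handful of named systems, rather than as a trusted zone, is what makes the intra-segment SMB flow and the direct internet egress visible; both are exactly the paths a compromised device would use to move laterally or exfiltrate.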
Santiago agreed, noting that although medical devices come with specifications that require them to be treated differently, the same principles apply from a security standpoint. “It doesn’t vary vastly from our general regular cybersecurity plan,” she noted, which includes encryption, patches, vulnerability management, and asset management.
Bharadwaj, who recently took on the innovation role with Franciscan Health after serving as CISO at UC Irvine Health, believes the focus should be less on medical devices specifically, and more on securing the Internet of Things. “There are more and more new devices coming into the marketplace. In the innovation world, we want to try as many new products as possible — to fail fast,” he noted. “If that’s the case, we’ve got to look at security as a much broader concept.”
If the bigger objective is to achieve confidentiality, integrity and availability — which it should be, according to Aiello — leaders do indeed need to adopt a more holistic approach to data security, particularly as IoT devices are increasingly being paired with cloud technology. “If you look at how these devices are beginning to proliferate environments, Sri is absolutely right. It’s not just a medical device,” he noted.
And when those devices leave the premises for repairs, it opens up a whole new set of concerns — more so when they contain PHI. Because that data, according to Bharadwaj, can easily be downloaded, especially when it’s no longer connected to the network and, as a result, is no longer encrypted.
“We have to make sure it’s protected,” he said, adding that very few people understand that the real danger occurs when devices are off the network, not when they’re on it. Secondly, it’s important to realize that “you can’t bring a device back onto the network the minute you want to, because you may not be able to,” he said. “All devices have to go through the same process in order to be effective. We need to apply the same philosophy whether it’s in your organization or outside of it.”
Another critical component is choosing the right vendor partners, which can be a thorny process, noted Aiello. Although all vendors care about security, the primary goal is to get the product out, and so “it can be difficult for these organizations to slow down and to put the brakes on releasing something that’s coming to market.”
To that end, he provided some guidance on how CISOs and other leaders can ensure they’re making the best possible decision.
- Be diligent in your selection process.
- Scrutinize the manufacturer’s internal security program. “Don’t take their word for it,” he said. “Have somebody who’s deeply technical on the phone when you’re doing your vendor risk assessment.”
- Ask for samples. In his experience, Aiello has seen organizations ask for samples, then have their teams “tear the devices apart and expose vulnerabilities that weren’t even considered.”
It may seem extreme, but he believes it’s completely necessary. “You need to have a diligent vendor risk management process and evaluate those platforms in a very technical way, not just taking the vendor’s advice on what they tell you.”
Santiago’s team has made it a priority at ChristianaCare to perform in-depth assessments of both the technical components of the device, as well as the vendors’ security strategy. “We always ask, do they have a designated information security professional? Do they have a security team? Do they do enterprise risk management? Do they have an incident response process? These are critical questions.”
And getting answers to those questions can help leaders decide whether the value of onboarding the device outweighs the security risks. As care expands beyond the walls of hospitals and clinics, it’s going to be more critical than ever to ensure that devices, and, for that matter, those who use them, are kept safe.
“If care can be delivered in somebody’s home, we’re going to have to deliver it in their homes,” Santiago said. “I think we’re seeing that now and healthcare has been forced to adopt these practices much more quickly and that the future is here.”
To view the archive of this webinar — Tackling the Toughest Problem in Healthcare IT Security: Medical Devices (Sponsored by AHEAD) — please click here.