Healthcare providers face rigorous challenges when it comes to delivering quality patient care. Aging patient segments, evolving insurance regulations, and increasing security requirements are just a few of the variables contributing to these challenges. Until recently, protecting medical devices was not on the list of items to address.
Things have changed. The rapid evolution of malicious software (like Ransomware) and other concerns for patient safety has caused the FDA to take a new stance on these devices, which were once considered a “hands-off” part of the security programs for healthcare providers.
On June 13, 2016 the FDA released new medical device guidelines for health care facilities. At a high level, their posting includes the following elements:
The unfortunate reality is that most medical devices are connected to the provider’s network; this “networked” capability leaves them vulnerable to cyber-attacks. As an industry, healthcare is truly unique because the well-being of individuals is directly tied to these medical devices. In other words, if a medical device is shut down or disabled at the wrong time, people can die.
During the 2015 calendar year, more than 144 million new malware variants were released. Protecting medical devices against these threats alone is an overwhelming task. Consider the seemingly simple task of using antivirus to protect a medical device. With more than 12 million new malware variants created each month (400,000 per day), the antivirus product has to recognize each variant in order to stop it. This approach assumes that antivirus vendors can push more than 400,000 signature updates per day just to keep pace with the malware.
It’s clear that the new reality for medical devices will require a more “hands on” cyber-security approach from healthcare providers. The challenge is complicated by the fact that many of these devices run on older, unsupported operating systems. Any effective cyber-security approach requires controls that are applicable across a broad spectrum of software systems.
Our team attacked the problem with a different approach that limits what software can run on a medical device. This method switches the paradigm from focusing on what is bad to focusing on what is good. By concentrating on “allowed” software, we eliminate the need to understand what is bad software and the need to track 400,000+ new variants (of bad software) daily. An agent installed on the medical device enforces the standard for what software is permitted to run. Since no other software can run, the device cannot be disabled or affected by malicious code (even if it were loaded onto the system). The result is a compensating control that secures the device and also addresses HIPAA compliance.
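As an added illustration of the deny-by-default allowlisting idea above (example code written for this page, not the agent or product the article describes), the check below keys on the SHA-256 of a file's contents rather than its name or path. The file names and byte strings are constructed stand-ins for executables on a device; a hash not on the list is refused and recorded, so an unknown binary dropped onto the system is blocked even though it is present, while a tampered copy of an approved program is refused too.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample "executables" (hypothetical paths, in-memory bytes)
# standing in for files on a device's disk.
SAMPLE_FILES = {
    "/opt/infusion/pumpctl": b"pumpctl v3.1 approved build",
    "/opt/infusion/logger": b"logger v1.0 approved build",
    "/tmp/update.exe": b"unknown binary dropped on the device",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AllowlistPolicy:
    """Deny-by-default execution policy keyed on content hash, not path."""
    allowed_hashes: set = field(default_factory=set)
    # Every refusal is kept for detection/alerting: a denied execution on a
    # medical device is itself a signal worth investigating.
    denied_log: list = field(default_factory=list)

    def approve(self, data: bytes) -> str:
        """Record a known-good build; returns its hash for audit records."""
        h = sha256_hex(data)
        self.allowed_hashes.add(h)
        return h

    def may_execute(self, path: str, data: bytes) -> bool:
        """Allow only if the exact bytes were approved; log everything else."""
        h = sha256_hex(data)
        if h in self.allowed_hashes:
            return True
        self.denied_log.append((path, h))
        return False


def build_policy(approved_paths, files) -> AllowlistPolicy:
    """Approve the listed paths' current contents; nothing else may run."""
    policy = AllowlistPolicy()
    for p in approved_paths:
        policy.approve(files[p])
    return policy


def evaluate(policy: AllowlistPolicy, files) -> dict:
    """Decide for every file on the 'device' whether it may execute."""
    return {p: policy.may_execute(p, d) for p, d in files.items()}
```

Because the decision is on content, renaming or moving an approved binary does not change the verdict, and appending a single byte to it does.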