The Food and Drug Administration's recently issued final guidance on the post-market cybersecurity of medical devices outlines important steps that hospitals, clinics and others must take to better protect patient data and keep patients safe, say Karl West, CISO at Intermountain Healthcare, and Mike Nelson of DigiCert.
"An overarching theme of the guidance is to make sure a risk assessment is done, and for healthcare organizations ... that's a very important step in understanding the vulnerabilities and risks that are present in those devices," Nelson points out in an interview with Information Security Media Group.
"Patient safety is, of course, a No. 1 risk and threat for us in cybersecurity with these devices, but at the same time, the security is critical because these devices can be leveraged and used as threat vectors to allow a [broader] breach," West adds.
Collaboration Is Key
In addition to highlighting the significance of conducting a risk analysis of connected medical devices used in healthcare environments, the guidance also calls attention to the importance of healthcare entities collaborating with each other - and with medical device vendors - to share information related to risks and threats, West points out.
That kind of information sharing "will create the state of protection that we need in the future," he says. "We need that to be proactive, versus reactive."
Ongoing collaboration between the FDA and the National Health Information Security Analysis Center, or NH-ISAC, to improve risk- and threat-related information sharing in the healthcare sector "will also have a significant impact on these risk and privacy concerns," West adds.
In an interview ahead of the 2017 Healthcare Information and Management Systems Society Conference in Orlando, where they will be discussing medical device security, West and Nelson also discuss:
- The state of medical device cybersecurity - including an assessment of where progress is being made and areas in need of improvement;
- The importance of manufacturers issuing timely medical device software patches and updates;
- Why creating, classifying and managing medical device inventories are difficult steps for many healthcare organizations.
West is CISO and assistant vice president of information systems for Intermountain Healthcare, a 22-hospital integrated delivery network based in Salt Lake City, Utah. He is responsible for information access, authorization, privacy, business continuity and data governance. Previously, he was a vice president and managing partner in AT&T Consulting Services. He's also a member of the Utah Health Information Network privacy and security board, as well as a board member of the Weber State University computer science department.
Before joining DigiCert, an SSL certificate authority, in April 2015 as vice president of healthcare solutions, Nelson started and led a consulting practice at Leavitt Partners, a health intelligence company. He also previously served as a senior project manager for GE Healthcare. Earlier, Nelson served at the U.S. Department of Health and Human Services as the director of the National Electronic Health Record Initiative, a Medicare demonstration project that became the "meaningful use" financial incentive program. Nelson also serves as a board member for the Utah chapter of HIMSS.