One of the major cybersecurity issues in healthcare is the safety of medical devices. Hospitals still use a lot of connected healthcare devices and in so doing they considerably expand the attack surface. A new survey identified a connection between the volume of connected healthcare devices in medical centers and the number of cyberattacks they encounter. Connected healthcare devices usually come with vulnerabilities that hackers can exploit so they can easily acquire access to healthcare systems.
New laws are under consideration to compel healthcare companies to prioritize medical device security and to necessitate the makers of healthcare devices to ensure the safety of their products for their whole lifecycle. For instance, the Protecting and Transforming Cyber Health Care (PATCH) Act wishes to revise the Federal Food, Drug, and Cosmetic Act to include cybersecurity steps in premarket submissions to prove the security and efficiency of the devices all through the unit’s lifecycle.
Until the introduction of new legislation, healthcare companies must prioritize medical device cybersecurity, however many consider increasing security difficult. To ease that process, the cybersecurity firm Ordr, a pioneer in connected device security, has released a maturity model to give healthcare organizations a framework to assess the security of their healthcare devices, standardize their connected device security work, and create an efficient method for strengthening their security program.
The guidance document entitled A Practical Guide to Implementing Connected Device Security for Healthcare Organizations is for healthcare companies to know their present level of security maturity and determine where they must prioritize to make enhancements. The guide consists of five levels of maturity, explains the business value that may be accomplished in the five levels, and gives suggested actions and ideas to assist security teams in focusing their work on the way to zero trust.
The first level is asset visibility – To keep medical devices secure, a healthcare company should know where these units are, their installed firmware versions, and all software related to the devices, thus a complete, precise, and updated inventory should be kept. The second level deals with vulnerability and risk control. Healthcare companies at this level have merged device vulnerability information, set up device behavior standards, examined external threat intelligence, and have a detailed view of the attack surface to direct their security work.
The third level is reactive security, which is utilizing the information obtained and the risk-based view determined in the earlier levels to prioritize threat mitigation. The fourth level is proactive security, which involves automating guidelines and workflows to make sure threats are quickly discovered and mitigated and employing zero trust segmentation. The last level is improved security, where all earlier security work is broadened and improved with automation and zero-trust security guidelines are completely executed.
Brad LaPorte, the writer of the guide and a Gartner cybersecurity analyst states that companies are not likely to get to the Optimized Security level immediately. Every level creates critical capabilities, develops upon earlier levels, and generates value on the way to Zero Trust. Regardless of where a company is on this journey and what its best goal is, this guide offers important ideas for knowing your security position and what is required for improvement.