Medical devices are another area that requires security measures, both in a healthcare organization’s work environment and for patient protection. This particular focus is sometimes not a primary concern because the assumption is that the software companies that create the devices have security measures in place. Although this is true, unfortunately it isn’t enough.
Any instrument that is remotely controlled and connected to a wireless network is vulnerable to an attack. One reason is that the platforms medical devices run on go through changes, and those changes require updates; weak spots can exist before or after the updates have been made. Also, let’s not forget that those who are interested in penetrating a network and accessing medical devices (for whatever reason, but usually not a good one) are looking for ways to get in, and in the same way that a system is developed by one individual, it can be mapped out and breached by another.
There are at least two security measures healthcare organizations can take to ensure the continued proper function of their medical devices and reduce the likelihood of a breach.
Ensuring a network is secure requires a thorough analysis, which penetration testing can accomplish. Through this process, network security vulnerabilities are identified and the status of the network verified. Penetration testing provides an examination of external and internal networks, and web applications. It also provides social engineering assessments and a review of required policies and procedures. Professionals quantify the vulnerabilities present and assist in taking the appropriate steps, as well as helping with the correct execution of the measures needed to make a network secure. Testing also supports compliance initiatives such as HIPAA.
Vulnerability assessments take a look at the entire network infrastructure; this includes routers, firewalls and wireless configurations. A healthcare organization also becomes aware of how traffic flows through the network thanks to this process. Once the assessment has been made, a risk model is created that identifies possible attack vectors, which can be used to move within the network and compromise anything connected to it. Through the identification of threat paths it is easy to find out what assets are exposed and make the necessary security changes to decrease the chances of a breach. A vulnerability assessment also provides pre-audit verification and preparation for compliance (with existing or new legislation).
As healthcare organizations expand the use of online systems to work more efficiently and provide better services to patients, the likelihood of possible breaches increases as well. Why this has to take place can’t be a primary concern, because the answer doesn’t solve the problem of breaches (plus, the answer is a bit complex because it involves human choices).
What executives can do is focus on how they can minimize an attack and continue to use the tools that are becoming available as technology improves and grows. With the two network security measures provided above, healthcare organizations can do just this, and not only for the safety of their medical devices.
All devices operating on a network (medical or not) have the same problem: vulnerabilities in the system they work on. These vulnerabilities are avoidable only by implementing a good information security plan and regularly vetting internal and external networks to ensure weak spots are absent or eliminated.