Paper provides key stakeholders with guidelines for procuring, securing medical devices to ensure vulnerabilities are mitigated
The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced today the publication of Managing the Risk for Medical Devices Connected to the Cloud.
The paper, produced by CSA’s Health Information Management Working Group, identifies requirements for purchasing new medical devices to ensure the identification and mitigation of vulnerabilities prior to implementation and provides best practices for managing risk using degrees of separation from the patient (implantation, measurement, diagnostic, etc.) and those responsible for support (i.e., vendor, clinical engineering, medical staff, or IT).
“With the increased number of Internet of Things (IoT) devices, healthcare delivery organizations (HDOs) are experiencing a digital transformation bigger than anything we’ve seen before. However, while the new breed of connected medical devices brings the promise of improved patient care and myriad other benefits, they also bring increased security risks,” said Dr. Jim Angle, the paper’s lead author and co-chair of CSA’s Health Information Management Working Group.
The number of files with sensitive data that are shared in the cloud has increased 53 percent year over year. As the number of files stored in the cloud increases, the percentage of files containing sensitive data also grows. Given that today, 21 percent of files stored in the cloud contain sensitive data, and of that, nine percent contains protected health information, cloud security is paramount.
“Running commercial, off-the-shelf software makes the device susceptible to the same vulnerabilities as any other computer. Compounding the problem, device manufacturers continue to use old technologies due to the time required to gain approval for medical devices, meaning these devices are sold even after the software has passed the main support period. This presents healthcare delivery organizations with threats and vulnerabilities that include technology issues, software risks, and human factors,” said Vincent Campitelli, co-chair of CSA’s Health Information Management Working Group.
The paper recommends that controls be evaluated against the CSA Internet of Things (IoT) Control Framework, which allows an organization to evaluate and implement an IoT system within its ecosystem. This control framework is being expanded to include the Medical IoT (MIoT), specifically medical devices. The MIoT Security Control Framework is relevant for healthcare organizations that provide care that incorporates multiple types of connected devices, cloud services, and networking technologies. The paper also recommends continuous monitoring of the devices to ensure the effectiveness of the mitigating controls.