MDDI_Medical Device & Diagnostic Industry

MDDI, July 2016

Issue link:

Contents of this Issue


Page 28 of 39

MD + DI MEDICAL DEVICE AND DIAGNOSTIC INDUSTRY JULY 2016 | 29 of corruption event? The HIPAA and PHI regulations in and of themselves are very complex. The HIPAA security rule covering electron- ic protected health information —although familiar to systems developers—provides little specific guidance. It is possible to satisfy the security rule without addressing primary cybersecurity threats. HIPAA identifies 18 protected health information fields and gen- eral security controls, but not all fields are cre- ated equal and the controls must be applied based on the information that is being pro- tected. After a cybersecurity attack, declaring compliance to the security rule will provide very little comfort to customers. Yes, it is possible to develop solutions that significantly reduce the risk and the impact of a cyberattack. However, a fragmented approach to the application of security will not work. The overall architecture of the system must have security as a core design challenge. Healthcare enterprise systems, medical devices, and mobile applications, for example, must all be viewed as part of an integrated system. Segmentation of data, controls, and levels of access control is important to having a highly resilient ar- chitecture so in the event of a penetration the depth of the violation can be controlled. This is why a system level perspective is most effective. Where to Start Conducting a cybersecurity evaluation is a reasonable first step. However, this should be followed by an assessment by an independent third party. This relatively minor investment in an external audit is a small price to pay for a partner with the system level perspective and industry best practices this work requires. A thorough review of the security strat- egy by a qualified partner with deep domain experience can reveal where the system under development is most vulnerable: ■ Where do security threats reside? ■ Which systems provide a level of access to sensitive data (and other systems)? ■ Who has access to these systems includ- ing employees, patients, payers, and ven- dors—are they properly trained? ■ Where is the entire system—including their solution—most vulnerable to direct threats from inside and outside? ■ How is off-the-shelf software implement- ed, used, and updated within firewalls? After completion of the assessment, it is important to understand the three ele- ments essential to establishing the appro- priate investment in a security strategy: cost, risk and usability. The Cost, Risk, and Usability Framework A proper risk analysis is necessary to right- size the solution along the cost and us- ability spectrums. For example, adding too many security controls can decrease the usability of a system. But investments in se- curity must be guided by risk, and without a risk assessment, it is difficult to identify the proper security controls. It is critical to the security strategy that cost, risk, and usabil- ity are balanced. Cost The consumer fear and lasting damage that resulted from the attacks on Target, Home Depot, Anthem, and Premera might sug- gest that cost is not an issue, but clearly that is never the case. The truth is any in- cremental investment in security is worth it to avoid millions of dollars in fines and the publicized loss of customer confidence. Nevertheless, it is important to identify the point of diminishing returns in security in- vestments and to ensure that investments are focused to secure the weakest or high- est risk points in the system. Incremental investments that do not reduce risk profile are not a smart investment. Risk It is critical to evaluate the total risk that customers may face and how the new so- lution can minimize this risk level. There is no such thing as no risk. The acceptable risk level is defined by the customer. It is important to assess whether or not the new solution is meeting or exceeding that level. Variables that can influence an organiza- tion's risk level are the type of data and how much is to be stored. For example, if one develops a system that holds a list of pharmacy prescriptions that include a prescription number and pharmacy ID but not patient name or de- mographics, a breach is still a loss of data. The prescription numbers are only useful if they can be connected to a patient record in the individual pharmacy systems. The same information that includes patient names is a much higher risk. Usability It is also important to identify operations and technical safeguards that do not prohibit end users' ability to operate but still reduce risk to acceptable levels. Security cannot limit the ability of clinicians to provide care. For example, does the technology ensure that clinicians can always access the data they need, even if they forget their password? Connected devices inside and outside the hospital represent points where cybersecu- rity overlaps with patient risk. Any tampering or corruption of this information could result in patient injury or death. Risk Versus Reward in Security Investment In 2014, healthcare organizations reported 278 data breaches compared with 197 in 2010. The number of cyberattacks is grow- ing at an alarming rate, and it's time to rec- ognize that attacks are not limited to large consumer-facing organizations and house- hold brand names. Today's rapidly evolving healthcare ecosystem,—with its complex network of interconnected systems and devices collecting and sharing massive amounts of data across vast networks, de- vices, and stakeholders—is highly suscep- tible to cyberattacks. As a primary stakeholder in this ecosys- tem, healthcare enterprise solution provid- ers are faced with developing solutions that fit into their customers' larger technology infrastructure in a way that does not disrupt their security efforts but provides tighter se- curity against the threat of cyberattacks. De- veloping solutions that significantly reduce the risk and impact of a cyberattack must be informed by a holistic assessment that iden- tifies and prioritizes individual threats. A comprehensive assessment of your cur- rent security strategy can identify where secu- rity is in the overall architecture of the system. Working with a partner with both medical do- main experience and a system-level perspec- tive will quickly identify gaps and risks. The decisions on where and how much to invest in cybersecurity will be more straightforward using a framework that balances cost, risk, and usability. An iron-clad front door is not useful if the backdoor is left unlocked. Adam Hesse is technical director at Foliage, Inc. a product development company based in Burlington, MA. Contact him at ahesse@ 2

Articles in this issue

Links on this page

Archives of this issue

view archives of MDDI_Medical Device & Diagnostic Industry - MDDI, July 2016