cybersecurity how to tackle

Rita, a nurse at PCN Health Care Hospital logged into her system on a Monday morning to retrieve a patient’s record and she received several bitcoins demands. Suddenly her desktop was filled with notifications from all the infected systems on her server and a threatening message indicating information swipe in 24 hours. Before Rita sprung to action all the patient records, hospital records were unavailable and none of the information could be restored. All the physicians, paramedics, nurses faced a panic situation, and patients were affected due to the delays caused in recovery.

Does this haunt you? Do you fear waking up to see you have lost your data or all sensitive information has gone viral? Fear not! This is called cyber threat and is one of most malicious type of crime of the modern times. Read further to pre-emptively plan an escape route and be vigilant unlike Rita!

The Problem:

The advancements in technologies over the past years have helped in empowering human lives, but as the saying goes ‘Every coin has two sides’ these advancements have their own share of drawbacks leading to identity theft and other cybercrimes. One of the most critical industries to be impacted by this is the healthcare industry.

The increased connectivity between medical devices and computer systems especially in hospitals have breeded cyber security challenges. The integration of new technologies with legacy devices (that are not secure and poorly managed) create new pathways for threat and vulnerability raising concerns of data safety and security.

Recent cybersecurity survey reports indicate that over 81% of the medical companies are under threat and only few organizations have been adequately equipped to face these threats.  Due to poor cyber security implementation patients’ health and safety have been inadvertently compromised.

Efforts to eradicate:

Organizations across the world are joining hands to address this problem. In UK, CareCERT has been examining danger knowledge and broadcasting warnings to wellbeing and care associations since late 2015.

It also gives national cyber security occurrence administration. The US National Health Information Sharing and Analysis Center (NH-ISAC) works as a team with the FDA, gives individuals significant data on cyber security, and offers cybersecurity tools.

FDA has issued a guidance on cybersecurity ‘Postmarket Management of Cybersecurity in Medical Devices’  acknowledging the severity of risk posed by cyber attacks. This guidance is applicable to any marketed medical device that is a standalone or an inbuilt software. The guidance clearly addresses the different elements that manufacturers need to incorporate as a part of the cyber risk management process.

Can Cybersecurity threats be reduced?

Cybersecurity threats cannot be entirely eradicated. However, a number of measures can be considered to reduce the risks associated with these. For effective reduction, it’s important to identify the vulnerabilities, monitor and deploy reduction measures.

Common vulnerabilities:

⦿ Default passwords 

⦿ Unencrypted data transmission

⦿ Unauthenticated access

⦿ Failure to verify incoming data

Reduction measures:

⦿ Cyber security routine updates and patches

⦿ Control measures implemented at premarket and postmarket lifecycle phases

⦿ Control measures implemented at premarket and postmarket lifecycle phases

⦿ Utilization of ISO/IEC 29147:2014: Information Technology – Security Techniques

An extensive cybersecurity risk assessment is not only important to ensure patient safety but also to obtain marketing authorizations like a 510(k).

While executing, Manufacturers have to be aware of several affecting factors like device’s intended use, intended environment etc. Important is to strike the balance between advancement and its repercussions.

Elexes Team

Elexes medical consulting is one of the leading regulatory & compliance consultant for several industries: Medical device, Pharmaceuticals, Cosmetics, Food, and Biologics.

Post a comment

Your email address will not be published.