In the world of healthcare, the protection of personal health information derived from patient monitors and other medical devices is of utmost importance. This responsibility does not rest solely on the shoulders of hospitals or medical device manufacturers, but requires a collaborative effort between the two entities to ensure a secure environment is maintained to safeguard this sensitive data. This shared responsibility has become a recognized best practice within the healthcare industry, mirroring similar models utilized in the larger technology sector such as cloud service providers and their customers.
There is a growing recognition that cybersecurity is indeed a shared responsibility within the healthcare industry. It is important for medical device manufacturers, hospital software providers, and health organizations to join forces in the battle against cybercriminal activity and collaborate to strengthen the security of patient information and medical device systems.
One of the key organizations addressing this issue is the US Food and Drug Administration (FDA), which mandates that medical device manufacturers and software providers adhere to a process known as security by design. This process entails embedding certain security controls into the products, making it easier for hospitals to deploy and utilize them securely. These controls typically include features such as configurable encryption, secure login pages, and user authentication requirements.
In order to optimize the security controls embedded in these products, hospitals are tasked with the responsibility of activating and maintaining these features. For instance, when it comes to product access control, hospitals are responsible for identifying which users have authorized access to the system and configuring the product accordingly. Failure to do so can leave the network vulnerable to unnecessary risks.
Even mobile and cloud-based applications require a shared responsibility. Hospitals must ensure that browsers and mobile devices are equipped with the necessary security features to complement the manufacturer’s cloud-based security controls, such as multifactor authentication. This emphasizes the need for hospitals to play an active role in maintaining a secure product implementation.
To further address this issue, medical equipment manufacturers must embed security controls using proven algorithms and designs guided by the security-by-design process. Hospitals, in turn, have their own set of responsibilities and activities to ensure the secure usage of the products within their facilities. Collaboration between hospitals and manufacturers is crucial to determining the best approach to meeting the hospital’s security needs, considering the wide array of products utilized within their systems.
Manufacturers play a vital role in educating hospitals on how to optimize medical data security, offering guidelines and documentation to provide step-by-step instructions on protecting medical device data from intrusion. These resources may include manufacturer disclosure statements, software bills of materials, hardening guides, and other security guidance materials to empower healthcare providers to take necessary measures in protecting the integrity of the data.
Furthermore, it is important for hospitals to consistently review manufacturers’ recommended security guidelines, especially when deploying new versions of products or software. Enhancements in security controls may require additional measures, and regular assessments of the current security configuration are necessary to ensure its effectiveness.
In a landscape where cybercriminals are constantly seeking vulnerabilities to exploit, the collaboration and clarity between manufacturers and hospitals are crucial in maintaining a secure end-to-end data environment. Both parties must be proactive and diligent in fulfilling their shared responsibilities to protect the personal health information of patients and the integrity of medical devices.