The Healthcare Supply Chain Association (HSCA) has released guidance for healthcare delivery companies, medical device producers, and service suppliers on obtaining medical devices to make them more resistant to cyberattacks.
The use of medical devices in the industry has grown at an unbelievable rate and they are currently depended upon to provide essential clinical capabilities that cannot be compromised without lowering patient care. Medical devices are, nonetheless, frequently susceptible to cyber threats and may be attacked to bring about hurt to patients, be taken out of service to compel healthcare organizations into meeting the extortion demands of attackers, or can be accessed remotely to get sensitive patient information. Medical devices are usually linked to the Internet and could quickly be attacked, therefore it is important for proactive steps to be taken to enhance security.
The HSCA represents medical care group purchasing organizations (GPOs) and promoters for fair procurement practices and education to enhance the efficiency of purchases of healthcare products and services and, therefore, has a one of a kind line of sight concerning the whole healthcare supply chain. The HSCA guidance is made for the overall supply chain and describes a few of the key issues for medical device companies, HDOs, and service providers to enhance cybersecurity and deal with weaknesses before exploitation by cyber attackers.
Two of the most crucial steps to take on are to get involved in an Information Sharing and Analysis Organization (ISAO), like the Health Information Sharing and Analysis Center (H-ISAC), and to undertake an IT security risk evaluation methodology, for example, the NIST Cybersecurity Framework (CSF).
An ISAO is a community that actively collaborates to determine and share actionable threat information regarding the most recent cybersecurity threats that enable members to take proactive steps to decrease risk. The NIST CSF and other cybersecurity frameworks assist organizations in setting up and strengthening their cybersecurity plan, prioritizing activities, comprehending their present security standing, and knowing the security gaps that must be resolved.
HCSA additionally recommends employing an information technology and/or network security officer who takes overall responsibility for the safety of the organization who can speak about risks to decision-makers and supervise the security work of the company.
Cybersecurity training for the employees is vital. All workers should be aware of the risks they may encounter and must be taught with regards to best practices to observe to minimize risk. Training ought to be provided yearly, and phishing simulations performed routinely to strengthen training. Any worker who fails a simulation must have more training.
Good patch management practices are crucial for responding to known vulnerabilities prior to being exploited; anti-virus software program must be used on all endpoints and be kept up to date, firewalls ought to be carried out at the network perimeter and internally, least-privilege access must be employed to system resources, and networks must be segmented to avoid lateral movement in the event of a breach. Password policies that are in line with the most recent NIST guidance ought to also be put in place.
To avert the interception of sensitive data, all information in transit ought to be encrypted, backup and data restoration processes must be enforced and frequently tested to make sure recovery is possible if a cyberattack happens, and the life expectancy of all units and software solutions must be selected in all purchase contracts, which include all supporting parts. Plans ought to be set to upgrade equipment and software applications prior to reaching end-of-life.
Besides these regular cybersecurity guidelines, HCSA has given certain concerns for HDOs, device makers, and service providers in the guidance – Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations – which could be downloaded from the HCSA website.