In today’s healthcare environment, medical devices send their data directly to the cloud. Connected devices can send data directly to electronic health records, or a remote-hosted storage area for sharing with other healthcare delivery organizations managing cloud connected devices
As these devices collect and transmit real-time electronic protected health information, they often rely on out-of-date software that can be susceptible to malware.
James Angle, information security architect at Trinity Health, says in order to prevent cybersecurity incidents, said healthcare providers need to get a handle on the enormity and complexity of this problem, and catalog the threats and vulnerabilities.
“Managing medical devices is complicated, connecting to the cloud increases the complexity of securing medical devices by adding to the attack surface and the points of failure,” said Angle, who is scheduled to speak March 11 at HIMSS20.
Once upon a time, before connecting to the cloud, most health systems were only concerned with the security of the devices themselves and their own network infrastructure.
But “once you add the cloud to the picture,” said Angle, providers have to be concerned with “security of the device, the edge, and the cloud.”
That’s similar, he said, to what happens when IoT devices are introduced into provider ecosystems as unmanaged devices. Not only does it increase the risk to the organization, it “requires additional steps to ensure the security of both the device and the cloud.”
Angle said he worries that most health systems are not as prepared as they could be, because many are are being hit with three things at the same time: Employees are purchasing cloud services without management knowledge; there has been a large increase in IoT devices being introduced into the clinical ecosystem, and more manufacturers are connecting their medical devices to the cloud.
“All three of these are putting a burden on the (health systems) and they are struggling to identify and secure everything connected to the cloud,” Angle said. “Many do not have the infrastructure to identify, monitor, and control data flowing to the cloud.”
He said in order to assess the risk, they must first understand what hardware and software the devices use and where the data is processed, transmitted and stored.
“Once they know this, they can conduct a risk assessment,” Angle explained. “A major part of the risk assessment is understanding the threats at each step of processing, transmitting, and storing data.”
