Your CISO has a big job: develop network security processes and procedures, while addressing privacy, confidentiality and compliance standards, while investigating and managing health information security/privacy system-wide, while also striving to proactively protect patient data and facility resources from cybercriminals.
Try reading that sentence in a single breath. Not so easy, right? Now imagine having to tick all those boxes in a single day — every day. The job is as challenging as it is far-reaching and hackers endeavor to make it more challenging with each and every keystroke.
Malicious actors are zeroing in on the healthcare industry with such zeal and relentlessness that it would be admirable were it not so destructive. In fact, a 2017 report from the Identity Theft Resource Center found that more than 25% of all data breaches were related to healthcare.
Surveying the Threat Landscape
Pilfering protected health information is a lucrative business, and connected medical devices are uncomfortably vulnerable to cybercrime.
In order to protect health data, patient care, and your reputation, hospital CISOs need to develop a cross-organizational strategy to ensure security of medical devices at their facility.
What questions should you ask your CISO? And how should they answer? The following healthcare cybersecurity questions and answers provide a window into the most critical considerations that ought to factor into your CISOs daily operations and long-term strategy.
1. How Do We Patch Our Operating Systems?
Because medical devices have a long lifespan in a facility, technology often surpasses medical equipment software and unpatched operating systems become common. These system vulnerabilities give hackers the space to deploy and deliver malicious malware.
Ask your CISO how he or she intends to remedy unpatched medical devices. If you can’t replace your equipment with state-of-the-art technology, which software can you use to patch your operating system? How up-to-date are vulnerability patches on all devices?
Answer: Your CISO should perform a risk assessment; are there risks involved with patching the system? Will your system still operate as normal after patching. If patching is not an option, does that mean your operating system is too old to be patched? What is the hospital’s policy on patch validation? Does the hospital even have access to the latest patches?
2. What Does Our Medical Device Risk Assessment Strategy Look Like?
How does your CISO currently identify hazards or cyber threats? Is there a clear medical device research and risk assessment policy in place?
Third-party vendors (and their vendors) should also be scrutinized.
If something were to slip through the cracks, what plan do they have to rectify the issue?
Answer: The goal of any medical device risk assessment plan is to analyze and remediate the risks affecting medical devices. One of the preliminary steps to working with a vendor should include a device and system quality questionnaire.
The questionnaire should include questions that help you understand the company, such as where the manufacturer retails their devices most often, the standards of quality management the company upholds, and any device documentation they can provide.
Next, a threshold assessment should be performed on new vendors and their devices. A comprehensive assessment will look at device performance, as well as financial and continuity risks associated with a malfunctioning device.
In addition to a risk assessment for the medical device manufacturers, a conscientious CISO should respond by ensuring your organization has implemented software to actively protect medical devices. The technology should identify security compromises, provide a risk analysis for each device, automatically document all issues, and be able to act on them swiftly.
3. Does HIPAA Ensure the Security of our Patient Data?
Meeting HIPAA standards is not enough to keep patient data secure. HIPAA was created as a policy framework to protect patient information, yet there often is a conception that HIPAA compliance equates to secure data. HIPAA was created in 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act was established in 2009. Since then, the threat landscape has changed drastically
Hospitals both large and small must do much more than simply monitor legally protected health information that is created, received, used, or maintained by a hospital.
Answer: No. Regulation and standards like HIPAA are not enough to prevent PHI data breaches and ensure the protection of patient data. Hospitals must deploy comprehensive cybersecurity solutions that help protect all critical assets - and the PHI flowing to and from these connected devices.
4. How Did We Respond to Our Most Significant Cybersecurity Incident?
It’s highly unlikely your hospital or medical facility has been unscathed by cybercrime. Often, hospitals are unaware that a breach has occured. How aware is your CISO about these incidents, and more importantly, what did they do to respond and to prevent future attacks?
Answer: Ask about specific strategic changes. If a medical device was compromised, what corrective actions were implemented to prevent infiltration in the future? How did the IT team re-establish governance or engage stakeholders?
What does your escalation matrix look like?
Finally, have they identified and procured a suitable software solution dedicated to monitoring and protecting medical devices for suspicious activity?
For Top Cybersecurity Questions, CISOs Must Have the Answers
Data breaches have an enormous range of risks, like patients' safety, financial losses, disruption of operations and reputational damages. This makes every eligible security precaution imperative, if not to implement then at least to robustly discuss and honestly consider.
These 4 top cybersecurity questions ought to be considered basic and need to be asked of every CISO. The answers received will in turn either push you toward success or reveal your vulnerability to cyber hackers.