Privacy & Security
While healthcare organizations are better understanding and investing in cybersecurity needs, hackers are keeping pace -- and then some, according to a panel of CISOs at the HIMSS Security Forum in Boston.
Juniper
Chad Wilson, director of information security at Children’s National, explains how timely access to applications in a healthcare setting is measured in seconds so the balance between usability and security is a big challenge.
Cybersecurity
Theresa Payton, president and CEO of Fortalice Solutions, explains how to avoid digital disasters with a segmentation strategy that includes ongoing testing with data, equipment and third-party vendors to put security assumptions to the test.
Digital Health
Experts at the HIMSS Healthcare Security Forum said the next phase of infosec should be to secure the human and put safety nets in place to protect them.
Privacy & Security
The Food and Drug Administration issued a cybersecurity alert on two Medtronic devices that could allow a hacker to hijack the software update process to change the device’s function. Medtronic disabled the online software update to eliminate the flaw.
IMPACT
Following a review of potential security vulnerabilities around the internet connection, the FDA found 34,000 CareLink cardiac implantable electronic devices are at risk. If exploited, a hacker could change the programmer’s functionality or the device itself during the implantation or follow-up visits.
The flaw is found in the internet connection between the CareLink 2090 and Encore 29901 Programmers, used for downloading software from Medtronic’s Software Distribution Network. The programmers are used by providers to adjust the cardiac device settings and collect locally stored data.
While software updates typically include new software for the programmer functionality and updates to the implanted device firmware through a virtual private network, the programmers don’t verify they’re still connected to the VPN before downloading the updates.
As a result, attempting to update the program through the internet connection will result in an error message.
Medtronic updated its network, which was approved by the FDA on Oct. 5. The fix will intentionally block the currently existing programmer from accessing the Medtronic SDN. The vendor is continuing to implement security updates to further address the flaw.
The FDA recommends providers continue to use the programmers, as network connectivity isn’t required for normal CIED programming. Further, providers should not attempt to update the programmer through the SDN, which is no longer available. Future updates are currently only available through Medtronic with a USB update.
THE TREND
Medical device vulnerabilities are well-known, and vulnerability reporting by vendors has increased 400 percent per quarter since the FDA released its cybersecurity guidance in 2016. However, the increase in FDA alerts is meant to further improve cybersecurity, rather than to shame the vendor.
Medtronic has reported several vulnerabilities in recent years, as have Philips, Abbott and a host of others.
Twitter: @JF_Davis_
Email the writer: jessica.davis@himssmedia.com
Privacy & Security
For more than a month, two separate employee accounts were compromised by the cyberattacks before the IT department discovered the hack.
Privacy & Security
Keeping software up to date without disrupting care delivery requires a plan for regular patching – and responding to emergency alerts when necessary.