Health care still in hackers' crosshairs, but defenses improve


ORLANDO, Florida – There is both good and bad news in health care security trends: 74% of health care companies were affected by "significant" security incidents in the past year, of which 56% were carried out by so-called bad actors targeting specific organizations with sophisticated, targeted and financially motivated attacks. The numbers were stable compared to last year, according to the 2019 HIMSS Cybersecurity Survey, released this week at the HIMSS 2019 Health Informatics Conference.

The good news is that health care organizations appear to be better prepared for such incidents and are spending more money on security and staff training, said Rod Piechowski, senior director of health information systems for HIMSS. Organizations are better able to make sure "everyone believes it is part of the solution," he told eWEEK. "Too often, security is considered an IT responsibility only."

There is further good news in the work of the Food & Drug Administration, suppliers, supplier networks and volunteer groups, which are working to set standards for securing medical devices and to develop plans for the remediation of the next big cyberattack on the model of WannaCry, which decimated companies and health care organizations across Europe in 2017.

FDA offers update on medical device safety

For example, here at HIMSS, Suzanne Schwartz, Associate Director for Science and Strategic Partnerships at the FDA, presented an update on the FDA's work on its action plan for medical device safety, its marketing guide for suppliers and its sandbox for medical device cybersecurity.

The FDA has become more involved in the past two years, at least in part to resolve disputes between device makers and hackers, like the one announced at last summer's Black Hat conference involving the vendor Medtronic. The hacker cooperative I Am The Cavalry, which co-hosts the Biohacking Village at this summer's Def Con conference, is one of the FDA's advisers.

The parties seek to avoid incidents in which vendors threaten hackers with lawsuits for discovering and publishing vulnerabilities, and are "helping to reduce friction and get the truth on the ground more quickly around some of these issues," said Dr. Christian Dameff, a practicing emergency physician and lifelong hacker. "How do we protect security researchers, how do we better help device manufacturers in this process, and how do we focus most of the energy on patients?"

The FDA's pre-market recommendations state that vendors should include a software "bill of materials" and a cybersecurity bill of materials, which would also include hardware, to detect vulnerabilities. Another part is the CyberMed Security Expert Review Committee (CYMSAB), which is led by MITRE. At the same time, the Massachusetts General Hospital received a $950,000 grant this month from the Department of Homeland Security to develop a data repository on cybersecurity for medical devices.

Secure access while simplifying workflows

Security solution providers, including Imprivata and Cylance, are also looking for ways to protect computers and devices from unauthorized access while trying not to interfere with clinical workflows. At HIMSS, Imprivata unveiled Proximity Aware, a version of its card access and authentication solution.

Instead of a card, Proximity Aware uses a smartphone as a token, along with Bluetooth connectivity to the machine. Once the phone is configured as a secure token, providers only need to access a terminal, which allows the machine to connect. Once the user moves away from the machine, the machine is automatically disconnected. Such functionality is essential for electronic prescribing of controlled substances (EPCS) services, which will be required from 1 January 2020.

"In the case of most two-factor authentication, which you need for EPCS and future workflows, you use a token on your phone and enter a number. It is inefficient," Imprivata CEO Gus Malezis told eWEEK. "We automatically read this token, and the connection becomes completely invisible. This is hands-free 2FA, which saves you from taking the phone out of your pocket."

Cylance, a maker of endpoint protection solutions based on artificial intelligence, is also working on a technology that applies artificial intelligence models to the concept of "continuous authentication" on health care workstations, eliminating the need to re-enter passwords, said Rob Bathurst, Cylance's global director for healthcare and embedded systems. The technology, which is about to enter the early adoption phase, is tentatively called Persona.

Ensure that users are who they claim to be

"If you look at your typical healthcare environment, hundreds of people connect to these systems and can switch from one system to another, or the credentials may be stolen or transmitted," Bathurst told eWEEK. "And the goal is to make sure that the person who is connected to this system is that person."

Bathurst explained that Cylance is creating user behavior models that examine how users type on a keyboard, what types of applications they use, and when they perform tasks or open applications. In short, what does a normal "routine" look like?

If the machine detects unconventional behavior, it uses a "progressive friction process that becomes increasingly incredulous to the user because it differs from the model," said Bathurst.

Scot Petersen is a technology analyst at Ziff Brothers Investments, a private equity firm. He has extensive experience in the field of technology. Prior to joining Ziff Brothers, Scot was Managing Editor, Business Applications & Architecture, at TechTarget. Previously, he was director of editorial operations at Ziff Davis Enterprise. At Ziff Davis Media, he was an editor and publisher at eWEEK. No investment advice is offered on his blog. All duties are disclaimed. Scot works for a private investment company, which can at any time invest in companies whose products are discussed in this blog. No disclosure of securities transactions will be made.