From the January/February issue of HealthCare Business News magazine
Maintenance of medical devices requires communication and participation with vendors, specifically with respect to security patches and updates. According to FDA’s Postmarket Management of Cybersecurity in Medical Devices, “Because cybersecurity routine updates and patches are generally considered to be device enhancements, manufacturers are generally not required to report these updates and patches as corrections under 21 CFR part 806.” So hospital staff should work with manufacturers to receive timely cybersecurity patches and updates, especially given the continuously changing threat landscape.
Segregating the hospital network into segments, sometimes called zones or sub-nets, is an effective method of limiting the network traffic and controlling the exposure of medical devices deployed to those sub-nets. This provides some protection against the proliferation of malware and can be done without entirely isolating the devices. Some MDMs can provide implementation guidance or documentation that can assist hospital security staff in device deployment, while some MDMs can provide information on segmentation strategies specifically for their devices. Of growing concern is the deployment of devices in a remote scenario, given the global pandemic, so hospitals should ask for information regarding remote accessibility, specifically focused on security measures that have been taken to limit exposure in remote deployment scenarios.
Hospital security staff should develop and maintain an analysis of data flows within their networks. Understanding where and how data flows through the hospital network is critical in its protection. Some areas and specific questions to consider include: Are sensitive data encrypted when exchanged between hospital systems on the internal network? Are various data archives containing sensitive data protected with the appropriate levels of authentication and security? Are sufficient backup techniques in place that would enable shorter uptime cycles after an incident? Do these backup techniques include off-site storage or redundant servers? MDMs can help in this exercise by providing detailed information regarding their devices’ handling of sensitive data. For example, MDMs should be able to provide answers to questions like: Are sensitive data stored on the device itself? If so, for how long? Are there procedures in place to periodically remove or refresh the stored data? Are the data stored on the device encrypted, in case of theft? How does the device communicate with other hospital systems? Is this communication with other hospital systems encrypted?
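One way to put the segmentation and data-flow questions above into a repeatable check, as an added example that is not from the original article: a small Python review of a flow inventory against a segment plan. The segment names, address ranges, allow-list and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed segment plan; names and CIDR ranges are assumptions.
SEGMENTS = {
    "imaging": ipaddress.ip_network("10.20.0.0/24"),
    "infusion": ipaddress.ip_network("10.30.0.0/24"),
    "clinical-apps": ipaddress.ip_network("10.40.0.0/24"),
    "archive": ipaddress.ip_network("10.50.0.0/24"),
}

# Segment pairs (source, destination) the hospital has approved (constructed).
ALLOWED = {("imaging", "archive"), ("infusion", "clinical-apps"),
           ("clinical-apps", "archive")}

# Constructed flow inventory, e.g. compiled from MDM documentation and
# firewall records.
FLOWS = [
    {"src": "10.20.0.15", "dst": "10.50.0.8", "sensitive": True, "encrypted": True},
    {"src": "10.30.0.22", "dst": "10.40.0.5", "sensitive": True, "encrypted": False},
    {"src": "10.20.0.15", "dst": "10.30.0.22", "sensitive": False, "encrypted": False},
    {"src": "10.40.0.5", "dst": "192.0.2.10", "sensitive": True, "encrypted": True},
]

def segment_of(ip):
    """Return the name of the documented segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def review_flow(flow):
    """Return a list of findings for one flow record (empty if none)."""
    findings = []
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if src is None or dst is None:
        findings.append("endpoint outside documented segments")
    elif src != dst and (src, dst) not in ALLOWED:
        findings.append(f"segment crossing {src}->{dst} not in allow-list")
    if flow["sensitive"] and not flow["encrypted"]:
        findings.append("sensitive data sent unencrypted")
    return findings

def review(flows=FLOWS):
    """Map (src, dst) to findings for every flow that has at least one."""
    results = {(f["src"], f["dst"]): review_flow(f) for f in flows}
    return {pair: found for pair, found in results.items() if found}

if __name__ == "__main__":
    for (src, dst), found in review().items():
        print(f"{src} -> {dst}: {'; '.join(found)}")
```
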