From the January/February issue of HealthCare Business News magazine
End user training
In spite of all the warnings and continuous training, end users still represent a popular point of entry for bad actors. By falling victim to phishing campaigns or by unwittingly providing sensitive information, like network credentials, end users are effectively turning off the alarm system and leaving the front door unlocked. In other words, none of the technological best practices implemented will have much impact if end users do not have the proper cybersecurity training.
To illustrate the importance of end user training, here’s a brief summary of an actual incident that took place a few years ago. A large organization hired a cybersecurity consultant to conduct a thorough review of their systems and provide a detailed report of technological weaknesses that could be vulnerable to attack. Before examining a single system, the consultant simply walked into an executive’s office, made up a story about being from the IT support team, and within 5 minutes had a network username and password. No need to look any further. Until this organization trained its end users properly, no technological solution could keep them safe. And this is true for most organizations.
The good news is that end user cybersecurity training does not have to be overly expensive or administratively burdensome to conduct. There are some end user training programs offered online for as little as $2.70 per end user. End users should be trained annually, and these training records should be maintained in a central repository for reference if a cybersecurity event or audit occurs. Some organizations conduct their own internal training, which is specific to their environment and infrastructure, and there are tools available to help develop that training content as well.
In summary, there are actions that hospital security staff can take today in order to develop a more proactive posture toward medical device cybersecurity, but they don’t need to do it all on their own. Medical device cybersecurity is a shared responsibility, and neither stakeholder has all of the tools and information to address this problem alone. The alignment begins with effective communication, which should be transparent and open, and continues through the entire medical device life cycle. By working together, medical device manufacturers and hospitals can achieve their shared goal of improved patient safety.