<img height="1" width="1" src="https://www.facebook.com/tr?id=156746741685952&amp;ev=PageView &amp;noscript=1">
Subscribe to our Blog!
Show all

How the FDA and NIST are Improving Cybersecurity in Healthcare IoT

The Internet of Things (IoT) is a term that is synonymous with digital disruption and rapid transformation affecting every aspect of our daily lives. In Healthcare, IoT has transformed many aspects of modern medicine. It has improved efficiencies in emergency rooms, given doctors the ability to monitor their patients’ health remotely, and has introduced new ways to manage chronic conditions. However, as IoT devices continue to evolve and become a more integral part of medical care, authorities have launched several initiatives to increase the security of these devices.

IoT is Transforming the World But Security Remains a Challenge

IoT is everywhere. From connected devices that can automate your home to industrial controllers that run nuclear power stations, IoT’s promise of a connected digital world is fast becoming a reality. With the imminent upgrade of mobile networks to the new 5G standard, the applications for IoT will exponentially increase. High-speed, low latency, and the ability to connect many more devices to a single node create the platform that IoT needs for real-time connectivity. Solutions like autonomous vehicles, field robotics, and telemedicine will develop from fledgling technologies into the mainstream of society.

However, IoT does have its challenges. When it comes to cybersecurity, this emerging technology is a prime target for hackers. IoT offers malicious actors a target rich environment of millions of connected devices. The Mirai botnet attack in 2016 provides an excellent case study on the potential cybersecurity dangers of millions of unsecured connected devices. Leveraging vulnerabilities in IoT devices, attackers launched a Distributed Denial of Service (DDoS) attack that severely impacted Internet access for a large part of the U.S. East Coast. There have been other IoT cybersecurity incidents where some have even invaded the sanctity of peoples’ homes. In December 2018, a hacker leveraging unauthorized access to a Nest device terrorized a family.

The FDA and NIST Tackle Cybersecurity in Healthcare

As IoT devices infiltrate more of our daily lives, authorities are starting to introduce standards for cybersecurity in healthcare. The U.S. Food and Drug Administration (FDA) and the National Institute of Standards and Technology (NIST) have developed several measures to secure medical IoT devices and protect patients.

The FDA Provides Guidance on Securing IoT Healthcare Devices

In October 2018, the FDA released its cybersecurity playbook for medical devices. In coordination with the Mitre Corporation (MITRE), this initiative aims to promote cybersecurity readiness in healthcare delivery organizations. It provides an incident response framework that includes elements such as conducting a device inventory, developing a security baseline for medical device information, and conducting cybersecurity awareness training.

The FDA has also released a draft document titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. This document deals with the premarket submission requirements for IoT devices. Its purpose is to provide device manufacturers with guidance on premarket submissions for FDA device approval with a cybersecurity vulnerability and management approach at its core. The draft document leverages the NIST Cybersecurity Framework and recommends that manufacturers follow its principles in creating trustworthy medical devices. It includes measures such as preventing unauthorized use, maintaining the confidentiality of data, designing the device to detect cybersecurity events in a timely fashion, and responding to potential cybersecurity incidents.

This FDA guidance addresses various key cybersecurity risk areas to enhance device security. It recognizes existing vulnerabilities in healthcare IoT devices such as insufficient access control and the unencrypted transmission of patient care data. It also addresses the issue of malware, recommending manufacturers implement a program for updating the software on their devices regularly. If we consider these recommendations, it is apparent that the FDA advises healthcare organizations to take a holistic approach when it comes to securing IoT medical devices and the patient data they store. Enhancing healthcare cybersecurity requires hospitals and other related organizations to include these devices in their security risk assessments. They also need to ensure they store data securely to comply with regulatory standards like HIPAA and HITECH.

NIST Recommends Implementing Cybersecurity Best Practices for Healthcare IoT

NIST also issued new guidance in late 2018 for securing medical IoT devices. In partnership with the National Cybersecurity Center of Excellence (NCCoE) and leading industry vendors, it aims to create standards and best practices for healthcare delivery organizations (HDOs). Like the FDA, it recommends HDOs implement various cybersecurity best practices. These include the implementation of a defense-in-depth deployment strategy to reduce the operational risk around medical devices and patient data.

Cybersecurity in Healthcare IoT is Vital

While IoT promises to revolutionize healthcare, ignoring the inherent cybersecurity risks in IoT devices could lead to catastrophic consequences. The FDA, NIST, and other leading standards organizations appreciate this risk and have actively engaged with the healthcare industry to reduce it. By guiding manufacturers as well as healthcare delivery organizations, they aim to ensure IoT in healthcare delivers its promised benefits securely.  Manufacturers and HDOs should take this issue seriously and implement strong security controls in medical devices.nist guide assess cybersecurity risk

 

Sanjay Deo
Sanjay Deo

Sanjay Deo is the President and Founder of 24by7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP) and Healthcare Information Security and Privacy Practitioner (HCISPP). Sanjay is also a co-chair on the CISO council and Technology Sector Chief at FBI Infragard South Florida Chapter. Subscribe to the 24by7Security blog to learn more from Sanjay.

Related posts

December 3, 2019
November 27, 2019
November 18, 2019

Comments are closed.

Are medical devices a security risk for your healthcare organization?
MACRA/MIPS and the Annual Security Risk Assessment!