
How Two-Factor Authentication can Improve HIT Security

How Two-Factor Authentication is a Small-Scale Standard for Protecting Information

This year is no stranger to cyber-security attacks. One need only refer to the Equifax data leak to recall security mishaps, or the ransomware culprit “WannaCry” that holds protected information “ransom” unless victims pay to have the compromised files released. These and other attacks hit several corporations by exploiting infrastructure weaknesses and security ignorance, compromising voter information, financial records, email records, and other sensitive information, and bringing higher awareness to the online community about keeping all information as safe as possible. One area that is often overlooked is personal medical records, which can be just as valuable to cyber criminals as personal financial data. That’s where Two-Factor Authentication can come into play for healthcare IT professionals. It can ensure data is just as safe at the individual user level as it is protected on a massive, corporate scale.

Problems of Single Authentication

Authentication refers to one of various methods of accessing important information, whether it’s a remembered password, a physical authentication token, a common access card, a biometric scanner storing user-specific information, or other methods. The problem with some of these methods is they’re too weak—unsophisticated passwords can be guessed by brute force, passwords can be forgotten, or worse, passwords can be stolen and then used by unauthorized individuals. Access cards can get lost, stolen, or “ripped” by devices that pull the information off of them to be reused maliciously. Cheap biometric devices may incorrectly read a person’s face or fingerprint, locking out access or providing access to the wrong individual. Compound these problems in an environment with a lot of sensitive data, and suddenly single authentication becomes the problem rather than the proper security protocol.

How Two-Factor Authentication Addresses Problems

Instead of using complex passwords that can lock users out or slip a user’s memory, authentication can be performed using accurate biometric scanners and RFID identifiers integrated into the medical grade PCs and tablets that healthcare professionals use on a daily basis, removing human entry altogether. By removing the human element (loss and forgetfulness), medical professionals can access patient information with minimized risk of violating HIPAA laws. Imprivata’s intelligent Single Sign-On platform removes the need to remember complex passwords and eliminates erroneous entries; this is a security protocol standard that requires certified hardware in order to authenticate successfully. Also, using a highly accurate biometric scanner is a must-have since fingerprints cannot be lost or “stolen” the way cards can. Ensuring these systems are in place and functioning properly is key for maximum possible security on patient information.

Two-Factor Authentication is a Growing Standard for Medical Computers

Seeing as Two-Factor Authentication is a growing tech trend in hospitals in some states, it’s already at the forefront of security protocols for medical professionals and hospitals to use on their medical computers. Ohio is the first state to require Two-Factor Authentication for HIPAA laws. However, nearly half the hospitals in the United States are using Two-Factor protocols, meaning it is quickly becoming the standard, even if it isn’t mandated by law. Corporations are using high-quality authentication protocols that require certified hardware in order to authenticate properly, such as Imprivata’s sophisticated Single Sign-On platform and CrossMatch’s high-quality biometric scanners that are Imprivata-certified. These certified products are the best available on the market for ensuring security.

Two-“Fact”or Authentication Facts

The Office of the National Coordinator for HIT recently reported a 53-percent jump, over the course of four years, in hospitals that started utilizing Two-Factor Authentication for their HIT needs. Christus Health, an Imprivata user, reported that over 2.3 million dollars was saved using Single Sign-On technology. Crossmatch’s DigitalPersona technology has been implemented in several HIT companies, touting ease-of-use across multiple IT infrastructures. Using these technologies together is making an impact in today’s HIT world.

Solutions for Two-Factor Authentication

The good news is that every medical computer that Cybernet manufactures is customizable for Two-Factor Authentication: biometrics, CAC integration, or RFID scanning can be added for security needs. Plus, Cybernet’s computers are approved for Imprivata Single Sign-On use, so the human element has been removed for password entry. Our biometric scanners come from CrossMatch, which are high-quality readers certified to work with Imprivata, so you can rest assured that a biometric reading will be accurate and that it will authenticate users with Imprivata SSO. With these security protocols in place, information leaks are minimized and unwanted individuals are kept from accessing what they shouldn’t have access to. Visit the Cybernet website to see how we can customize our hardware to meet your unique needs.

What The FDA’s Postmarket Management of Cybersecurity in Medical Devices Means for Manufacturers of Medical Devices

The FDA’s guidance on “Postmarket Management of Cybersecurity in Medical Devices” is a complementary document to 2014’s “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The 30 pages of the guidance contain detailed recommendations, and the manufacturers of medical devices need to study them thoroughly.

The guidance is consistent with the cybersecurity guidelines set by the U.S. Government for other industries such as power grids and financial organizations and aims to protect critical infrastructures from cyber threats. Since most of the medical device manufacturing is in the private sector, the guidance also aims to facilitate cooperation between the public and private actors in preventing and mitigating cyber attacks.

Key Highlights

#1. Medical devices: the guidance applies to medical devices containing software, firmware, or programmable logic, as well as mobile medical devices and applications, and devices that are part of interoperable systems, including legacy devices already in use or on the market.

The agency explains the scope of medical devices has increased to include any device that is connected to computer networks and can, therefore, be compromised.

#2. Patient Harm (IV): the guidance stresses the importance of risk-based assessments of cybersecurity vulnerabilities that could cause patient harm. Of note: Patient Harm replaces Essential Clinical Performance, which was present in the draft version. The definition of patient harm is aligned with ISO 14971.

Interestingly, the guidance excludes compromise of private data from the definition of patient harm and refers to HIPAA for privacy protection recommendations.

#3. Evaluation of Risk of Patient Harm (VI) is the key purpose of the cyber-vulnerability risk assessment, which needs to determine whether the risk of patient harm is:

  • controlled/acceptable (low probability of an exploit harming patient health)
  • or uncontrolled/unacceptable (high probability of an exploit harming patient health).

The agency suggests a matrix to evaluate risk acceptability, involving:

  • the exploitability of the vulnerability
  • the severity of patient harm in case the vulnerability is exploited

Of special note here is the recommendation to adopt a vulnerability disclosure policy and recognize that mitigation changes may affect the device’s performance.

#4. The Postmarket Considerations (V) section introduces recommendations to deploy a robust cybersecurity risk management program throughout the entire product lifecycle. The FDA emphasizes that such programs must include:

  • Monitoring information sources (ISAO, customer complaints, service records) for news on new vulnerabilities and threats.
  • Deploying threat modeling to define how to maintain safety and essential performance.
  • Implementing mechanisms for monitoring third-party software for emerging vulnerabilities during the device’s entire lifecycle; and design verification and validation for software updates and patches for vulnerabilities, including those in off-the-shelf software.

The cybersecurity program needs to be comprehensive, systematic, thoroughly documented and in compliance with the Quality System Regulation (21 C.F.R. Part 820). NIST has guidance on cybersecurity programs for manufacturers, and the FDA’s guidance contains an Appendix, “Elements of an Effective Postmarket Cybersecurity Program.” It encompasses five elements: 1) identify; 2) protect or detect; 3) protect/respond/recover; 4) mitigate risks to safety and essential performance.

#5. Maintaining Safety and Essential Performance (V) links cybersecurity risk management to safety, essential performance, threat modeling, and mitigation actions.

Controlled risks can be patched in a routine update. They fall under the “cybersecurity routine updates and patches” group. These patches are not considered as repairs and do not call for reporting under 21 CFR 806. If a manufacturer holds a PMA, an annual 21 CFR 814.84 report needs to mention the patch.

Uncontrolled risks must be remediated as soon as possible, in the form of a patch, an update or a temporary “fix” (for example, disabling the Internet connectivity). When a permanent patch takes some time to design and deploy, it is advisable to start with a quick temporary fix to ensure patient safety, and then proceed with the permanent patch. Manufacturers must report these fixes to the FDA (21 CFR part 806).

#6. Reporting exceptions. The FDA waives the 21 CFR 806 reporting if the three requirements are met:

  • No deaths or other serious adverse events happened due to the vulnerability.
  • The manufacturer has notified users of an available fix (temporary or permanent) no later than 30 days after learning of the vulnerability. The manufacturer has instructed the users on how to apply the fix.
  • No later than 60 days after learning about the vulnerability, the manufacturer fixes it, validates the change and distributes the patch. The manufacturer should follow up with end-users after the distribution of the patch.
  • The manufacturer is a member of an ISAC/ISAO.

#7. Criteria for Defining Active Participation by a Manufacturer in an ISAO (IX) urges manufacturers to participate in an Information Sharing Analysis Organization.

ISAO/ISAC (Information Sharing & Analysis Committee/Organization) are non-profit, industry-specific organizations created to let the members share knowledge about data security. Members of these organizations have a few legal exemptions that apply to the information they share. NH-ISAC is an ISAC, where the National Healthcare organization is a partner.

#8. Impact on Industry

The basic principles of the NIST framework must be adopted in the manufacturers’ cybersecurity program. Take into account medical device cybersecurity throughout the entire product lifecycle. Pre-market, manufacturers should incorporate cybersecurity management inputs and design an approach that would determine:

  • Assets and vulnerabilities;
  • How threats/vulnerabilities may cause Patient Harm;
  • The likelihood of threats;
  • Risk levels based on mitigation promptness and strategies;
  • Residual risk assessment, and risk acceptance criteria.

Manufacturers must define the risk of patient harm, identify the cybersecurity vulnerabilities of their devices, assess and classify the existing risks and engage in remediation. Proper documentation of the process is expected.

The health IT community must engage in better information sharing. The FDA encourages the medical device manufacturers and the health IT community as a whole to collaborate more closely in ISAO and ISAC to facilitate threat identification and remediation. The FDA Center for Devices and Radiological Health (CDRH) also encourages the fostering of ISAOs and the role of NH-ISAC. The manufacturers of medical devices should consider joining an ISAC to:

  • Have access to information and intel about the cyber threats.
  • Be exempt from some reporting requirements under 21 CFR 806 (uncontrolled risks).
  • Have access to the community where manufacturers can share information exempt from regulatory use and civil litigation, and the federal Freedom of Information Act, given the data shared meets the requirements of the Critical Infrastructure Information Act.

Manufacturers must understand and comply with the mandatory reporting requirements under 21 CFR 806. This is one of the most complex points, since reporting is difficult to draft and apply and raises concerns about proprietary data protection.

Summary

The FDA has been explicit that manufacturers must deploy comprehensive cybersecurity and risk analysis over the entire lifecycle of a medical device. The primary focus of the analysis is the risk of patient harm. The guidance includes legacy and mobile devices in the scope of medical devices, recognizing that connectivity increases the chances of a device compromise.

The good news is the reduced reporting to the agency in certain cases, and ways to disclose vulnerabilities without assuming a litigation risk.

At this point, manufacturers should acknowledge the FDA’s increasing attention to cybersecurity, and take these recommendations as seriously as possible. As medical devices become more connected and smarter than ever, we can expect that some of the recommendations, if not most, could become mandatory in the foreseeable future.

How Hackers Can Infiltrate Networked Medical Devices

Until fairly recently the medical community was not aware of the fact that there are hackers out there who have the ability to infiltrate a hospital’s medical devices and exploit the data contained in them for profit or for other purposes. Even though these devices tend to be protected using a firewall, they are still highly vulnerable to potential hacker attacks.

What’s more, the number of devices used in hospitals has been growing for decades. Roughly 20 years ago, there was just one medical device for a single patient, on average. Today, there are approximately 10 to 15 devices per bed. In total, in the United States alone, the estimated total number of such devices is between 10 and 15 million. When a hacker is capable of infiltrating one such device or hospital, that person has the ability to do the same with other hospitals, too, as they often use the same type of equipment.

So the first thing to ask is: what kind of data could be stolen?

The computers at hospitals often store personal information about the patients, including their Social Security numbers, dates of birth, addresses, relationships within the family, and emergency contact information. This data can easily be used for blackmailing. On top of that, many hackers do not hesitate to assume the identity of the person whose data has been stolen, thereby engaging in insurance fraud and other types of fraudulent behavior. It’s also not uncommon for hospital PCs to contain credit card information of the patients. This information has value to the hacker, as it can be used to make purchases online and, in certain cases, is re-sold.

Devices That May Be Targeted

The list of devices certainly does not end with computers, however. There are also ventilators, CT and MRI scanners, infusion pumps and other types of medical equipment that can be accessed externally and controlled from a far distance.  This is because most, if not all of these devices, are connected to the Internet. They also tend to be inter-connected so once one of them is infiltrated, the others are usually affected as well.

Consider an infusion pump as an example. These can be found in virtually every hospital room, attached to a stand right next to the patient’s bed. What’s scary is that these pumps are usually controllable from a distant location. A capable hacker could find a way to push these buttons without a remote control and pour an overdose of a drug into the patient’s body, which could prove to be fatal. Even a slightly higher dose can be lethal in some cases.

Hackers use various tactics to get into the system. They can take advantage of email phishing and send deceptive emails to the staff of the hospital, making them believe the email is coming from an acquaintance, a colleague, or a friend. These emails often contain malware, which, once installed, gives a hacker access to the device. In many cases, once one device is infected with malware, a hacker can then infect other devices as well, thus gaining full control of the networked medical device system.

How to Protect Yourself

Fortunately, since there have been many attacks on hospitals in the past, hospitals can now learn from how these events took place in order to be able to anticipate such an attack and take measures to prevent it from happening. It is advisable to use up-to-date antivirus software on the computers used within the hospital and perform regular scans to decrease the likelihood of having some sort of malware on the computers. Oftentimes, the malware is kept hidden from you and, just like viruses that attack living cells, may remain dormant for many months until a hacker realizes your computer is infected and exploits it.

If a member of the hospital staff finds out one of the devices is under a cyberattack, one thing to consider is to disconnect all of the devices from the internet. As the saying goes, anything that is connected to the internet can be hacked in one way or another. Until recently, medical devices, such as infusion pumps, were not online and so hospitals still need to get accustomed to the idea that their equipment could be attacked. Many of them simply do not consider this to be an option due to a lack of imagination. They do not see why a hacker would be motivated to choose a hospital as the target. However, there is a motivation behind such actions, as the hacker is trying to get the patients’ bank account information and other pieces of highly confidential data. Therefore, it is a bad idea to underestimate this menace.

One thing a hospital can do to be prepared is to use medical devices created with security as the primary goal. A tablet with an added layer of ID verification can be the way to go. Such a tablet may include a fingerprint reader, so that only authorized personnel may access the data on the tablet. Furthermore, it can feature a smart card reader to allow only people with the card to access the device.

Conclusion

Cybersecurity in hospitals is a growing concern not only in health care but in defense and other areas, too. As an example, a metallurgical furnace located in Germany was cyberattacked and the iron contained in the furnace was cooled and solidified in the process. The incentive for hackers is mostly financial, but sometimes they pick an institution just because they want to do harm, just like in the case of the furnace. The most effective ways to tackle this problem and prevent security breaches within your organization are to:

  • Use modern, secured devices
  • Continuously stress the importance of security to your employees

Reducing Cybersecurity Threats with Biometric and Smart Card Readers

Health organizations have dedicated millions toward implementing security tools to thwart cybersecurity threats. Unfortunately, these efforts have been challenged: even with firewalls, prevention systems, intrusion detection and email security in place, executives and employees have proven to be among the biggest threats. To prevent this threat to cybersecurity, healthcare providers are urged to implement strong and effective authentication measures to control who accesses what within a healthcare facility. As a countermeasure to cybersecurity threats by employees and executives, biometric and Smart card readers have proven effective.

Biometric Readers

With the implementation of electronic health records, there has been positive feedback regarding the effectiveness of healthcare organizations and quality patient care. As more hospitals and medical centres migrate to these electronic systems, there are increasing concerns about data integrity management and protecting information from unauthorised access and corruption.

As these electronic health record systems proliferate, they become increasingly vulnerable, susceptible to cybersecurity threats. Preventing corruption within the system is a life and death situation; hence, these healthcare organizations should proceed with care. This ensures that the appropriate care is given to the right patient, and medical records are current and connected across the network.

To address this issue, healthcare organizations need to integrate biometric readers into their systems. This reinforces the security of medical records without disrupting workflow. Biometric readers implemented within your healthcare system can be used for the following security purposes:

  • Absolute privacy of patient information
  • User authentication
  • Secure storage and retrieval of data
  • PKI (Public Key Infrastructure) Management

Through a biometric system, operational efficiencies prevail, as a patient’s identification is tied to their appropriate treatments and medical records. In addition, this system has achieved what many medical agencies pined for – a universal patient ID number – which possesses the capacity to connect patients to a unique number linked to biometrics.  Overall, medical computers with biometric readers provide tremendous results in accuracy, specifically for identifying staff and patients.

CAC/Smart Card Readers

The healthcare industry is awash with smart cards. Smart cards are similar in appearance to credit cards, but the security within the card is much greater. With a microprocessor embedded within the card, the host computer and smart card reader actually communicate with the microprocessor. The processor then executes or enforces whatever command is given when used. When complemented by a smart card reader, this can be used as a powerful means of authentication. When implemented within hospitals, smart cards strengthen the hospital’s security, providing many benefits. These benefits include:

  • Irrefutable patient identification across the board, including organization and geographic boundaries.
  • Counters the issuing of duplicate ID cards.
  • Capacity to locate where a patient’s ID has been used.
  • Provides a secure means by which patient health information can be accessed
  • Provides confirmation of a patient’s medical insurance.
  • Provides risk mitigation in countering identity theft, fraud and even breaches to data.
  • Safely stores identifiers for patients and deactivation for lost identifiers.

How Hospitals Benefit when Using Biometrics and CAC Cards with an EMR/EHR System

An EMR system is very important. Securing medical records stored on these systems is essential to the continued operation of any healthcare organization. A compromise to this system could spell immense trouble. To secure EMR systems from cybersecurity threats, biometrics and CAC cards have done wonders for healthcare providers in various ways.

  • Users of EMR (nurses, physicians, pharmacists etc.) enjoy an easy but powerful login process, without the need to remember difficult passwords.
  • Quick and easy access to their patient’s health records. This improves the collective process of gathering information, as it does not need to be collected from the patient’s memory.
  • Information is on hand in cases of emergencies to ensure successful results.
  • Physicians do not need to distribute a patient’s medical history to one another, as records are integrated. Importantly, the smart cards are used with an EMR system to prevent or minimize the risk of a patient’s confidential information being leaked or their identity being stolen.
  • Smart cards reduce the risk of excess medical tests and hospital admissions that aren’t necessary.

These procedures are all important for healthcare providers. Once biometric readers and smart cards are implemented in conjunction with medical PCs and tablets, cybersecurity threats will be significantly reduced, as executives and employees would have received education on security measures and effective authentication measures in various healthcare facilities.