Patch Management a Big Challenge for Hospitals
Healthcare facilities face a major cybersecurity challenge in terms of patch management—a problem exacerbated by the fact that there is inconsistency across manufacturers and hospitals about how patches are added.
John Rhoads, PhD, interoperability and standards architect at Philips Healthcare, and Axel Wirth, national healthcare architect at Symantec, provided an overview of ways facilities can protect themselves in a session titled “IT and Cybersecurity Challenges in the Medical Device World” at the AAMI 2013 Conference & Expo in Long Beach, CA.
Security is always a tradeoff, and “nothing is truly secure,” Wirth told attendees. Facilities need to decide just how much risk is acceptable as the motives and actors perpetrating these attacks change. As Wirth noted, cyberattacks originally involved younger people looking for fame as they one-upped their peers. But other bad actors soon discovered the moneymaking potential with a new attack profile. While the earlier attacks were big and obvious, the newer ones were “micro outbreaks” and more stealthy. Now the nature of the attacks is changing yet again, becoming very targeted and well-executed and usually done for political purposes.
These targeted attacks are affecting healthcare facilities all over the world, and electronic medical records, with their wealth of personal data, are at risk. In fact, the records from a facility in Queensland, Australia were the target of hackers, who held them hostage, last year.
Despite the risks, facilities are slow to get patches, as manufacturers have long said that implementing such changes would require a new 510(k) submission. Because of this situation, one of the biggest threats remains the Conficker virus, even though protections have been available for several years. Furthermore, patch management has been widely inconsistent across manufacturers and hospitals. Vendors often are slow to approve commercial-off-the-shelf patches, leaving hospitals vulnerable to attack.
One attendee noted that hospitals have good intentions, but it's difficult to go to 10 different websites to find out when the latest patches become available. He suggested a patch notification system to incorporate in the devices as a potential solution. The speakers acknowledged the difficulty and said they would work on developing such a solution
Wirth advised healthcare facilities to keep devices segmented from the business network. In addition, having a deep defense policy, with antivirus software, working with supply chain management, and having a multilayer approach to protecting critical systems also could help mitigate risks.
The duo also encouraged attendees to join the Integrating the Healthcare Enterprise Patient Care Device Domain, an initiative to create a standards-based framework for passing vital health information.
Posted: 06.02.13