'Bolted on' cybersecurity: Not enough for healthcare providers

All too often, cybersecurity is treated as a feature that can be added on to healthcare technology as a separate entity, when instead, it should be built into such tools, according to health IT analyst Shahid Shah (aka, The Healthcare IT Guy).

Shah, in a recent post for Med Device Online, says that developers who do the latter with their products can be seen as ahead of the curve, which ultimately can be used as a market driver.

"Security and data privacy should be elevated to ... competitive differentiator status," he says. "Many device manufacturers will treat security as a compliance activity bolted on at the end--those designers will end up creating insecure devices that will get their customers' data hacked or stolen, and land their customers on the front pages of newspapers."

Safety efforts also should not be limited to "think[ing] about authentication, authorization and encryption," according to Shah, but rather should include answering questions on several fronts. Three include:

  1. Patching: In particular, how will hospital staffers go about creating patches for such tools?
  2. Internal and external threats: Were both taken into account during the development process?
  3. Data loss prevention: "Is there monitoring in place to ensure data leakage outside of the device doesn't occur?"

A report published last week by the Atlantic Council, in conjunction with Intel Security, also calls for security to be a priority from the outset of development. "Adding security features to products after their initial rollout is a losing battle," the report's authors say. "It is simply too costly and ineffective to try to secure systems already in the possession of the end user."

Shah says that designers who are more progressive about cybersecurity will be rewarded with deeper customer trust.

"Don't treat security as a problem for engineers to solve," he says.
