Just as you will never rid your body of every virus and bacterium, healthcare organizations must learn to live with the reality of malware and cyberattacks, Kevin Fu tells HealthcareInfoSecurity.com.
While medical device makers are becoming more vigilant about security, it will take time for those measures to reach the marketplace, says Fu, who directs the Archimedes Research Center for Medical Device Security at the University of Michigan. In the meantime, hospitals must press their vendors to provide more meaningful security, he says.
To that end, Fu says, such security must be measurable. As he's said previously, some organizations are wielding the "power of the purse," making security requirements part of the procurement process.
Fu also points to three things that healthcare organizations must do:
- Understand their exposure to cybersecurity risks, which must start at the board level. In large organizations with so much equipment and so many systems, it is hard to maintain an accurate inventory of what is deployed and where.
- Apply appropriate compensating controls. If an infusion pump has known vulnerabilities, you need controls (network isolation, for example) to ensure it is never connected to or reachable from the internet. As threats evolve over time, so must those controls.
- Continuously measure the effectiveness of security controls.
"If any of these pillars is missing, you're probably just throwing technology at the wall in an ad hoc fashion and you're probably going to be rudely surprised when something doesn't work," he says.
To learn more:
- here's the HealthcareInfoSecurity.com interview