Connected devices require well-thought-out security strategy

Despite the benefits of mobile devices, healthcare organizations must have specific cybersecurity protection plans for them, Robert Clyde, board director of ISACA, an organization focused on IT governance, tells HealthITSecurity.

Because physicians and staff don't want to carry multiple phones, organizations must have a BYOD policy in place or have corporate-issued devices tied to a comprehensive security plan, Clyde says. The proliferation of devices, including connected medical devices, creates a larger attack surface for criminals, which calls for a carefully constructed strategy to minimize risk.

The FDA device security draft guidance a good start, but Clyde says it doesn't go far enough. The industry needs to set standards for device security, he says, though he doesn't necessarily see federal regulation as the way to go about it.

His views stand in contrast to those of James Scott, senior fellow at the Institute for Critical Infrastructure Technology, who has deemed the FDA guidance "too subtle" and called for more regulatory enforcement.

In addressing the threat of ransomware, attention to the basics can go a long way, including having current anti-virus and anti-malware installed, performing routine backups and making sure employees understand the dangers of a phishing or social engineering attack, Clyde says.

"The good news is we are passed the point where people just don't get it, that there's an issue to be dealt with here," he says of healthcare security. "We need to figure out how to safely embrace these technologies and take advantage of the opportunities they afford us, and ensure that the value actually outweighs the risk."   

To learn more:
- here's the article