Cybersecurity is a shared responsibility — this sentiment has resounded within healthcare circles around the world over the past decade. But what does it really mean for different groups to share the responsibility for cybersecurity in healthcare?
If you represent a healthcare delivery organisation (HDO), it might mean that you understand your organisation can’t fully control the cybersecurity posture of the devices that you acquire and plan to deploy within your hospital IT networks.
If you’re a medical device manufacturer, it might mean that you need to make certain assumptions about the network environment into which your product could be placed and then design the product accordingly.
One common approach is for the HDO to try to get the device manufacturers to make all technical details about the product available to them.
There are certainly some pros to this approach, such as:
However, there are also some cons, such as:
Device patches generally need to be validated by the manufacturers to maintain safety, effectiveness and security before being deployed within a clinical network
Another approach is to structure hospital IT networks in a way that allows for the safe and secure integration of ‘untrusted’ devices. This approach offers some pros, including:
However, just like with the device-centric approach to security, the network-centric (‘zero trust’) approach also has cons, such as:
A hybrid approach, leveraging both the network security posture and product security, can be advantageous in providing the best of both worlds. To overcome some of the challenges of each, using third-party attestations or certifications to technical product security standards in conjunction with standards-compliant, defensively designed hospital IT network architectures can be an ideal middle ground.
Reputable third parties that operate testing and certification programs are typically accredited to and conform to standards such as ISO 17065 – “Conformity assessment — Requirements for bodies certifying products, processes and services”, ISO 17025 – “Testing and calibration laboratories,” and ISO 17024 – “Conformity assessment — General requirements for bodies operating certification of persons.” Such accreditations help demonstrate the competency, consistency and impartiality of the third party, and provide a baseline of independently assessed trustworthiness or quality when leveraging the testing, inspection and certification services of such a third party.
One significant benefit of having an independent third party as part of this ecosystem is that sensitive information can be shared by different supply chain stakeholders with the third party while maintaining the confidence that such information will be handled and maintained as confidential, remaining subject to strong technical and procedural security controls. This level of rigor in handling sensitive data allows medical device manufacturers to share very detailed information about product design with an accredited third party, while also allowing healthcare delivery organisations to share information such as personally identifiable information (PII) and protected health information (PHI) with the same third party as needed for system evaluation. Thus, trusted third parties can serve as a technology transfer and claim verification bridge between supply chain stakeholders.
Third-party testing, inspection and certification organisations are also required, per their own accreditations, to establish and maintain the necessary technical competencies and properly calibrated and managed equipment to effectively and consistently deliver any services (including cybersecurity) that they offer. The existence of such third parties can help medical device manufacturers and HDOs overcome the workforce shortages in areas like cybersecurity that we see today. Having such quality attributes can also make the delivery of support services measurable, repeatable and reproducible. Additionally, this means that supply chain relationships can establish metrics for continuous improvement. Practices and procedures can be standardised, and when problems or anomalies arise, they can be tracked and reproduced to support remediation.
For example, when following the ANSI/CAN/UL 2900 cybersecurity standards, many security concerns can be addressed through compliance. These include:
There are many options when it comes to standards, certifications, third-party cybersecurity service providers, implementation strategies, testing approaches, etc. But some basic concepts need to be applied no matter what options you choose:
Many best practice guidelines and standards are available in the healthcare ecosystem that can help. All UL Standards are freely available to the public online, and all NIST standards are also available for free. Organisations like the Healthcare Sector Coordinating Council provide free tools and resources to help improve the global cybersecurity posture of critical healthcare infrastructure.