Cybersecurity Tips for Medical DevicesSteps Healthcare Providers, Manufacturers Should Take
"It's really knowing your systems, knowing your risk and the consequences of certain systems being exploited," Comeau explains in an interview with Information Security Media Group. That might entail having certain critical medical devices - such as those used for patient surgery - fully walled off from the organization's network, he adds.
"That means [using] firewalls, VLANs - fully separating systems and networks that are handling your most critical functions, containing your electronic protected health information from your other business or corporate network activities, particularly workstations where people are going to be scanning the Internet [and] sending e-mail, because they are such great vectors for malicious software and other threats impacting those systems," he says.
"If things are not segmented properly, if there are not protections installed for your most critical devices, they are directly at risk, and that's not a good thing."
To determine which systems and devices should be isolated, it's important to first evaluate the risk and criticality of all software, hardware and devices on the network, Comeau says.
"You have to figure out why they are there, and if they're not needed, they should be taken off," he says. "You need to reduce your attack surfaces as much as possible. Take a hard look at things you don't need because they are surfaces that can be exploited by malicious actors."
Besides "minimizing" devices and applications on networks, other key steps for improving medical device security include conducting risk assessments, including vulnerability assessments, and effectively managing systems administration privileges.
"Make sure your normal user doesn't have systems administration rights and cannot make changes to the system. ... Make sure that systems administrators don't have more authority than they need," he says.
In the interview, Comeau also discusses:
- The biggest emerging cybersecurity threats facing medical devices;
- What medical device manufacturers should do to improve the cybersecurity of their products;
- Best practices for patients to safeguard data on their mobile medical devices and health applications.
Comeau serves as strategic adviser and vice president of security controls and automation at the Center for Internet Security, a not-for-profit organization whose many cybersecurity activities include running the Multi-State Information Sharing and Analysis Center, or MS-ISAC. Before joining CIS, Comeau was the assistant deputy director for strategic planning and administration at the New York State Office of Cyber Security and Critical Infrastructure Coordination. He also formerly was a management consultant supporting several federal departments and agencies and spent several years as an officer in the U.S. Coast Guard.