Reducing Medical Device Cyber Risks
Security Specialist Justine Bone Discusses Steps to Consider
Many medical devices, especially older ones, were not designed with cybersecurity in mind, so healthcare organizations need to take special precautions to reduce risks, says security expert Justine Bone.
For instance, when it comes to ID and access management controls, "authentication is being built into devices today, such that users of the devices and patient data is protected," says Bone, CEO of the consultancy MedSec, in an interview with Information Security Media Group. "But in some cases, especially in the case of legacy systems, the authentication protocols just can't be built into the device ... [because] they may not have the computational capabilities to handle strong authentication and/or encryption."
As a result, Bone says, "what we're seeing is a lot of hospitals re-architect the network itself - the way the device is connecting to the network and the protections around that."
Entities should consider grouping together "high-risk" medical devices and architecting their networks so that additional safeguards are in place to protect those devices, she says.
In the interview, Bone also discusses:
- The risks posed by hardcoded and default passwords that some manufacturers have built into their medical devices;
- Other cybersecurity challenges involving medical devices;
- Top cyber threats facing healthcare entities;
- Lessons that the healthcare sector can learn from other industries about reducing cyber risks.
As CEO of healthcare cybersecurity consulting firm MedSec, Bone is responsible for the overall management of the company. Her previous roles include CISO at Dow Jones, CSO at Bloomberg LP, CTO of Secured Worldwide and CEO of Immunity Inc. Bone began her career as a vulnerability researcher with Internet Security Systems, now IBM's X-Force, and New Zealand's Government Communications Security Bureau.