Approaches to cybersecurity: perspectives from the manufacturer and provider
In 2018, the average cost of a healthcare breach is almost $4M in the US and statistics from 2016 showed that of all the industries in the world, 88% of the cyberattacks are actually happening in healthcare.
In the context of the ever-increasing cybersecurity threats in healthcare, Lori Lazzara, VP of Technology & Engineering, Monitoring and Analytics & Therapeutic Care, Philips, gave a presentation at the HIMSS AsiaPac 19 conference in Bangkok, Thailand in October on how healthcare providers/organisations and manufacturers of healthcare related products/solutions can work together continuously in an ecosystem to improve their cybersecurity measures.
Network security and OS/software patch management: A three-prong approach
Lazzara spoke about a three-prong approach to network security and OS/software patch management – people, processes and technology and all three have to work together in an ecosystem. From the people perspective, it starts with the awareness of the problem and making sure everyone understands the importance of cybersecurity as it is an education process and everyone can contribute to making the organisation more secure.
The next area is processes. For instance, from a manufacturer’s perspective, thinking about the security risk assessment during the development process of products/solutions to be used in a healthcare system, as well as monitoring the risks prior and after it has been released into a healthcare system. There needs to be continuous monitoring and closing of the vulnerabilities that might be created.
As a healthcare organisation from the receiving side, it is vital to understand what products and solutions are in the organisation, as this will allow them to provide end-to-end continuous improvement processes to ensure that the systems are secure. Finally, from the technology standpoint, once both health organisations and manufacturers understand what the risks are and how to mitigate them, they need to execute and implement these changes inside the technology itself to enable the security of the system.
“It’s an entire and continuous ecosystem which never ends and I don’t envision cybersecurity (threats) to be going away and that we’ll ever get completely secure because somebody will always find ways to get into the software, but it’s important to partner across the ecosystem to address the issues”, Lazzara emphasised.
Three pillars to security: confidentiality, integrity and availability
From Philips’ perspective, Lazzara explained that there are three pillars to security: confidentiality, integrity and availability. Confidentiality in this case means ensuring that only the right people see the data that they should. “For example, if you have a Microsoft OS that is running the solution that you are accessing the data from, they have the ability to do active directory, which is role-based policies. A lot of the systems will use that role-base and sets limits on who can see particular types of data. This provides the ability to see who and what can see the individual data.”
When working with vendors who are delivering the solutions, the question of how they can be integrated into the role-based policies needs to be asked so that the data can be kept confidential. Integrity is ensuring that the information from the solution is trusted and it is not able to be manipulated by the wrong choices and services which can potentially impact how the service performs and patient safety. One way to approach this is to look at ways to harden the OS, or getting rid of any services that are not required to run that solution, so that there are no various background services that can allow hackers to get in.
The data also needs to be encrypted – is it encrypted at rest and in transit? There are various techniques to do that, such as node authentication that requires handshake authentication from point to point if data is going to be sent, so that it can only be assessed by genuine and verified users. These users are typically members of the care team who needs the data to be available when treating patients.
Philips’ approach to mitigating cybersecurity gaps/vulnerabilities
Lazzara provided an example on how Philips as a manufacturer of medical devices/solutions approach mitigating cybersecurity gaps/vulnerabilities: “If an external person who informs us about a possible gap in our solution that is ripe for a hacker to get in, we investigate it and try to see if we can replicate what they are talking about. This process is known as our Coordinated Vulnerability Disclosure (CVD). This industry standard is recognised globally and one that Philips instituted as a first in the medical device industry.”
“Then we look at how we could remediate and / or mitigate the vulnerability, which could require patching the system. We put that on our roadmap to actually implement it as soon as we can to close the gap and in alignment with regulatory and Philips policies. As a part of the CVD process, we expose those vulnerabilities on our public facing website so that we can communicate to the customer where we have those vulnerabilities, and the appropriate actions they should take in addressing them .”
Additionally, Philips also partners with industry researchers and white hat hackers at major conferences and hackathon events globally, as well as joining related workshops which provides opportunities to allow the industry to try to expose any vulnerabilities in our solutions, because it is an effective way for Philips to learn as an organisation in providing continuous improvement as we address cybersecurity across the healthcare ecosystem.