The 10 Best Revenue Cycle Management Solution Providers 2018
What’s being done about it?
Truthfully, not enough. Rather than pile on the device manufacturers themselves, let’s consider 3 stakeholders and where each carries a share of the burden. First, it’s the device manufacturers whose brands are on the line, so one would think they’re doing all they can to strengthen their final products. That may not be the case. The Ponemon study goes on to state most device manufacturers have yet to adopt more stringent software and device security protocols, resulting in production devices with vulnerable code. The urge to get to market as quickly as possible often supersedes adhering to the proper process of security and vulnerability testing.
Second, one must consider the security of the facilities that house these devices, namely hospitals, other care facilities, and even our own homes. From a hacker’s perspective, medical devices are simply another node on a network, much like a computer or a printer. That means they’re as vulnerable as any other networked device. If medical devices are not being routinely patched and updated, whether manually or automatically, then they’re vulnerable to new threats and exploits.
Finally, the third culprit in our trio is the facilities that refuse to update their devices. Believe it or not, there are still medical devices in use today that are running Microsoft XP as their operating system. This OS became unsupported in April of 2014, which means for the past 4 plus years, any new Microsoft-based attacks would find an open door to those devices. Again, to be fair, a significant reason these devices haven’t been upgraded is that the cost to small and rural facilities is prohibitive. Many of these smaller organizations, like solo providers, are struggling to stay above water in our new healthcare environment. The thought of spending $200,000 or more on a new X-Ray machine, for example, is beyond their reach and reason. This particular issue doesn’t have a simple fix.
What was left off the list?
Many industry insiders grew accustomed to blaming the bureaucratic morass as their reason for not developing and pushing out updates to their devices. However, as far back as 2005 the FDA began making allowances for security-related patches and updates, and this year it again issued an update to this policy with the intent to streamline the process. Frankly, we can’t accuse the FDA of standing in the way on this issue.
We also omitted the fact that few IoT devices communicate their data over encrypted channels. This includes medical devices. Citing the Ponemon study, only a third of device makers built encryption into their devices and few healthcare facilities were deploying it on their own IoT devices. While the percentages have likely improved since the study was published, those devices, and the thousands produced before them, are still in use and will be in use for years to come. Lack of encryption of data in transit and data at rest violates a HIPAA recommendation and can be a source of fines from the Office for Civil Rights (OCR), so it should be implemented wherever possible.
What needs to change?
Due to these increased vulnerabilities, a paradigm shift is required and it’s as significant as the technological advancements that led to them. The traditional way of contracting with a software development team to add the soft layer on top of a device is no longer valid. Gone are the days when an offshore software team can be hired, given a functional specification, and then be released once the project is completed. Now, medical device manufacturers need to bring software development in house and incorporate it into the design cycle as early as possible. Likewise, the firmware team needs to stay intact post development and work closely with the software team to coordinate patches and updates on an ongoing basis. Needless to say, these teams aren’t cheap, nor is this talent easy to come by. As a result, it’s going to take some time for medical device manufacturers to get the right teams in place and to adjust their business models to account for the increased overhead they present.
Like all things cybersecurity-related, the manufacturers can do everything right, but a secure environment is as much dependent on the training of the workforce as the hardware itself. Even today, despite the security holes that exist in the bulk of the currently deployed medical devices, the greatest source of breaches originates at the user level.
Ultimately, the costs of this shift will be borne by the consumers through increased costs of care. We can hope that more vigilant cybersecurity efforts will leverage down the risks involved, but unfortunately this new business model is here to stay.
| December 2018 |