Security for health IT is an ongoing process. Hackers never stop learning and evolving, so IT teams need to do the same. For example, a hacker group called “Orangeworm” was recently identified. This group targets providers in the healthcare sector with a Trojan that can be installed on devices such as X-ray and MRI machines. Cybersecurity providers are publishing patches that will scan for the malicious software, but it’s crucial that health IT leaders stay aware of the latest risks, work with secure vendors, and keep their software up to date.
It’s not just attackers that are changing the cybersecurity landscape, however. As threats continue to emerge, we can expect government agencies to take notice. In fact, the FDA has submitted new proposals to Congress which will require health systems and medical device manufacturers to take more responsibility for data security.
Here’s what you need to know about the proposed regulations:
What Has the FDA Proposed?
The goal of these new proposals is to enhance medical-device safety. The FDA’s stated goals are to streamline and modernize post-market safety measures, encourage manufacturers to create more secure devices, and consolidate oversight of device safety into a single FDA center.
Of most interest to health IT is that the FDA is seeking authority to issue new requirements for medical device manufacturers. Currently the FDA issues non-binding guidelines. Under its proposed new plan, the FDA would seek to require firms to build certain security features into new products, including the ability to update and patch security protocols.
The FDA is also considering requiring a software “bill of materials,” similar to the bill of materials used for physical products. This document would be submitted to the FDA before the device goes to market and would be made available to end users.
Why Have These Proposals Been Made?
The proposed expansion of FDA authority seeks to address the growing crisis in cybersecurity for health IT. Healthcare was the most breached business sector in 2017, with more than 5.6 million patient records compromised. As the Orangeworm story demonstrates, healthcare continues to be a valued target for hackers.
Medical imaging is on the front lines of the cybersecurity struggle. Much of the valued data that hackers seek out is in the form of digitally stored medical images. For example, the FBI Cyber Crimes Team recently reported that a clean chest X-ray that matches a buyer’s physical dimensions can go for up to $6,000 on the black market. The buyers are people seeking to pass a tuberculosis screening to enter the United States.
How Can Health Providers Prepare?
The best way to stay ahead of new regulations is to audit the security of your current systems and devices. Contact a trusted vendor, like Change Healthcare, for an IT Risk and Security Evaluation. Getting security advice from the experts can help prepare your systems for pending regulations and keep your organization moving forward on the security continuum.
To evaluate your enterprise imaging security, it makes sense to choose an imaging vendor that focuses on software. This type of vendor can focus on securing your software, rather than pushing to change your existing hardware.
Keeping medical data secure takes a sustained commitment from health IT experts, clinicians, vendors, and health leaders alike. The right partners can help you stay ahead of the curve, prepared for new regulations, with reduced risk from hackers and damage mitigation should a breach occur.
Steven Ramirez is a Senior IT Solutions Consultant at Change Healthcare, with extensive experience in IT Risk/Security Management, Cyber Security, IT Regulatory Compliance, HIPAA Security, Business Resilience and Disaster Recovery Solutions.