Protecting yourself, your organization & your products from cybercrime
It’s hard to imagine our lives today without the benefits of technology, but along with its positive impact comes real risks and threats. “Whether it be in your work life or your personal life, if you are a user of technology, you are a target of cybercriminals,” says Joey Tamboli, Director of Information Security Assurance at HealthTrust.
Cybercriminals are individuals or organizations who use technology to commit criminal activities. “They are well funded and take advantage of political upheavals,” explains Tamboli. “They don’t discriminate who they target, as demonstrated by attacks against all industry sectors, especially healthcare.”
Common threats
The most common threats currently seen include malware and ransomware, plus a relatively new threat on the rise—scareware.
Malware—such as a virus or a worm—is software designed to harm a computer, server or network and has existed for decades. More recently, ransomware has increased in use. “Ransomware has seen a huge proliferation in the last five or six years, and a lot of that is because, while criminal, it’s become a profitable business model,” says Tamboli. In a ransomware attack, the cybercriminal encrypts the person or organization’s data and demands payment for its safe return.
Cybercriminals use social engineering to trick people. “It’s the manipulation of the natural human tendency to trust. They prey on your good nature,” notes Tamboli. A common form of social engineering is phishing, which tricks a person into opening an email or clicking a link by building trust, often by pretending to be a legitimate organization. Other similar techniques use text messaging and voicemails.
These types of cyberattacks are common, in part, because it’s easier for cybercriminals to target people who have access to the data they want, rather than going after the data directly.
“It’s almost like a never-ending game of whack-a-mole, where you’ve got the good guys against the bad guys,” explains Tamboli. “In a game where the stakes are high, it’s often the person being targeted who is the last line of defense. The bad guys only need one person to click the link.”
How to stay safe
While you should always follow your organization’s IT and security guidelines, there are industry best practices to help protect you and your organization from cybercriminals. Here are six ways to start:
- Use unique passwords. Using different passwords across all of your accounts helps minimize the impact if data is compromised.
- Get a password manager. Now that you have multiple, unique passwords, a password manager will help you safely keep track of them.
- Opt for multifactor authentication. This creates an extra level of security and requires users to verify their identity in some way, often via a text message.
- Know that less is more. Every download comes with a level of risk, so consider if you really do need that extra browser extension before downloading it.
- Stay current. Make sure your business and personal devices are up-to-date with the latest software patches as they typically contain valuable security updates.
- Keep personal separate. If possible, keep your work passwords separate from your personal ones.
Securing Medical devices from cyber attacks
Recent improvements in the medical device space are helping HealthTrust’s IT security professionals work with members and suppliers to improve security and increase understanding of cybersecurity around medical devices. The team also provides HealthTrust’s supply chain and clinical boards with the cybersecurity information they need to decide which products and services to bring on contract.
Over the past three years, HealthTrust has developed and tested a security information protection agreement (SIPA), which outlines the minimum expectations that HealthTrust has around cybersecurity for contracted suppliers.
“We’re all about informed business decisions. The requirements we have of suppliers are designed to inform our members on product and service capabilities as well as where their limitations are from a cybersecurity perspective,” says Marc Sammons, Director of Security Sourcing, HealthTrust.
SIPA covers all of a supplier’s products and services, regardless of where they’re purchased. “We didn’t want to leave our members with a document that only partially covers security,” says Sammons. “If a member needed to purchase a product and it wasn’t on a HealthTrust contract yet, then SIPA will actually apply to that product.”
Even with SIPA, suppliers must continue doing security assessments and answer any additional questions around security that members might have.
HealthTrust also facilitates communication between suppliers and members so both can better understand what the other requires. For example, HealthTrust’s Cybersecurity committee is made up of members representing 12 health systems and meets at various times throughout the year. “It’s a good way for us to hear from members about what is going well and the areas that need improvement so we can communicate back to our suppliers,” explains Sammons. Suppliers are also invited to introduce new product lines and security features to the committee.
Industry strides
“From an industry perspective, there have been great strides in the medical device space for a number of years now,” Sammons says.
This includes post-market guidance from the Food and Drug Administration for medical devices that promotes a standard expectation of how cybersecurity should be managed. “While it’s not a one-size-fits-all situation, it is a start for helping medical devices get more standardized in the area of cybersecurity,” says Sammons.
Another useful tool is the Manufacturer Disclosure Statement for Medical Device Security (MDS2), developed by the Healthcare Information and Management Systems Society (HIMSS). This gives medical device manufacturers a way to disclose the security features of their products. It also includes a software bill of materials, which lists the various versions of software and hardware used within the device. “Having this bill of materials is very helpful in keeping our eyes as wide open as possible on the risks that are coming into the medical device space,” says Sammons. “For instance, maybe one of these pieces of software will have a vulnerability discovered. The software bill of materials allows suppliers to respond quickly and specifically about whether their medical devices are vulnerable, and that helps members manage their risk faster and more accurately.”
Many suppliers are now providing cybersecurity portals where their customers can access a wide range of information, including disclosed vulnerabilities. Some suppliers offer access to MDS2 documents through portals and are also creating API interfaces.
HealthTrust is also working strategically with contracted suppliers to help them design their portals to meet members’ needs. “Some of our members have different levels of maturity around cybersecurity or different ways that they want to handle it,” says Sammons. For example, some members might want the supplier to patch devices on their network, while others want the documentation and ability to do it themselves. “We’re seeing a higher degree of flexibility in the space of medical devices and that enables members to better manage the risks.”
To learn more about HealthTrust’s SIPA with contracted suppliers, contact Marc Sammons at marc.sammons@healthtrustpg.com or Matthew Webb, AVP of Product Security, at matthew.webb@healthtrustpg.com
Share Email Cybersecurity, Information Technology, Medical Device Sourcing, On-contract product, Q3 2022