From 2016 to 2021, the annual number of ransomware attacks on healthcare delivery organizations more than doubled from 43 to 91, according to research published by the Journal of the American Medical Association. Over that period, these data breaches exposed the personal health information of nearly 42 million patients.
That’s unacceptable. Despite the healthcare industry’s stringent HIPAA cybersecurity requirements, a major reason organizations remain vulnerable is that they’re an extremely high-value target for cybercriminals. And there are so many network access points within any organization — each one a potential chink in the armor.
Hospitals and clinics have been careful to secure their workstations. However, there are many more connected devices, such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry devices and cloud-connected pacemakers. Research from an FBI Private Industry Notification found that 53% of connected devices in healthcare organizations have known critical vulnerabilities. This problem is escalating due to an increase in cloud-based and “smart” technology platforms within the healthcare industry.
Cybersecurity in healthcare under the 2023 Consolidated Appropriations Act
In the U.S., federal government defense and non-defense discretionary spending is often allocated through omnibus bills. These bills consolidate appropriations and detailed provisions into one legislative package. An omnibus bill is easier to pass than multiple bills. However, it is likely that many details will go unnoticed by the public.
In the $1.7 trillion 2023 omnibus bill, one such provision is Section 3305, Ensuring Cybersecurity of Medical Devices. This section authorizes the Food and Drug Administration to require anyone who submits an internet-connected medical device for approval to offer a plan to monitor, identify and address any healthcare cybersecurity vulnerabilities.
Original equipment manufacturers (OEMs) must demonstrate to the FDA reasonable assurance that their devices are cybersecure today, and they must develop processes to ensure that devices remain cybersecure in the future, for example by providing any necessary post-market updates and patches. Device manufacturers must also provide the FDA with a software bill of materials (SBOM) listing the device’s software components, including off-the-shelf, open-source and commercial components.
Although the FDA has issued nonbinding guidance on cybersecurity for healthcare devices since 2014, the long-awaited regulatory requirements of Section 3305 are now effective as of March 29, 2023.
Going forward, the FDA will be tasked with soliciting feedback from device manufacturers, healthcare providers and other stakeholders, and using that information to periodically update cybersecurity guidance on pre-market submissions as well as to provide resources to help OEMs improve the cybersecurity of their devices and achieve compliance. The U.S. Government Accountability Office will be heavily involved in recognizing potential issues. It will also coordinate federal agencies to assist manufacturers and providers in improving medical device cybersecurity.
As the internet of things rapidly grows to encompass nearly all of healthcare — from the smallest implantable devices to diagnostic systems interconnected across multiple hospital sites — medical device OEMs have now been placed under a great responsibility to ensure that their systems are hack-proof. And as a result, IT and security professionals charged with enforcing HIPAA cybersecurity requirements are looking forward to sleeping better at night.
Device-level authentication: Stopping attacks before they can begin
As with any legislative or regulatory mandate, the devil is in the details. Grant Geyer, chief product officer at Claroty, has stated the problem succinctly: “Even well-constructed code can contain highly impactful vulnerabilities that can impact the ability of software to function properly, and with the highly prolific use of third-party and open-source software, medical device manufacturers may not even be aware of exploits that can impact patient care.”
Achieving compliance across healthcare at a software level will take time. Many vulnerabilities will only be revealed after they have been exploited. At rf IDEAS, we believe the best way to avoid these exploits is to prevent cybercriminals from accessing vulnerable software, protected health information and intellectual property in the first place.
That means an important part of the answer is to secure all network endpoints — including connected medical devices — by means of an ironclad authentication solution. rf IDEAS provides a complete portfolio of credential readers that work with physical, digital and even biometric authentication credentials to ensure that device, workstation and network users are always authorized and that their activities can be audited.
Embedding security within each device
The WAVE ID® Embedded OEM family of readers is particularly useful for medical device manufacturers. These readers are designed to be seamlessly integrated into multiple medical devices, including IV pumps, dialysis machines, nurses’ stations, handheld diagnostic tools, medical carts and patient monitoring devices. Direct integration of credential readers not only increases the efficacy of existing security measures, but also makes the user experience faster and simpler.
These embedded RFID readers, along with authentication software from Imprivata and other rf IDEAS partners, allow hospitals and clinics to control and track access to medical devices without interrupting workflows or consuming valuable space in the clinical setting. Users simply wave or tap their existing ID badge over the device, allowing them to prioritize patient care over managing and entering logins.
The WAVE ID Embedded OEM portfolio includes a variety of form factors and models, including single-frequency, dual-frequency and read-only models. They all work with a broad range of proximity and contactless smart cards in use worldwide, so healthcare staff can authenticate using the ID badges they already have. These readers also offer support for credential advancements such as digital wallets and FIDO2.
Whether you’re engineering a new device or need to add credential-based authentication to an existing design, WAVE ID Embedded OEM readers are easy to integrate to give medical device customers a powerful first-line defense for compliance with HIPAA cybersecurity requirements as well as the new healthcare cybersecurity directive included in the 2023 omnibus bill.
Explore the possibilities
Want to learn more about WAVE ID Embedded OEM readers for simple, seamless authentication to medical devices? Get our brochure, “Security You Don’t See. Productivity You Do,” and let’s start a conversation about your device and how best to secure it.