Session 139 at HIMSS 2018, 10 Challenges in Managing Medical Device Cybersecurity, reviewed the top 10 technology hazards in healthcare IT for 2018 released by the ECRI Institute. While the presentation focused on medical device security, many of these challenges exist for integration technologies as well.
Not surprisingly, patch management was near the top of the list. Patch deployment can directly impact patient care if patches for the most recent threats are not deployed in a timely fashion. This requires a patch deployment strategy, with regular patching processes in place. Patch implementation must evaluate clinical care impact – ideally vendors will have solutions to allow patching with little to no downtime. A process for critical patching with no downtime is essential as well. Corepoint Integration Engine’s high availability feature, Assured Availability, ensures that no data is lost during planned or unplanned downtime.
Also near the top is the necessity to keep legacy technologies secure. This can be a big challenge because technologies designed five years ago likely did not place a premium on security. Ideally, vendors allow for upgrades that are not disruptive to clinical workflows. However, if upgrading is too difficult or even not possible, the security risk must be weighed against the clinical need of the technology.
From an integration standpoint, an integration engine that is not updated and secured properly can stop functioning and bring down all the data flow in a health system. Read: Improve PHI security using a modern interface engine.
Beyond securing the application, properly securing the servers it runs on is just as important. The application should run on operating systems that still receive updates against the latest security attacks. It is also imperative that the application be compatible with antivirus software protection. Ideally, a virtual environment would be preferred over a physical one, thus simplifying server management.
If remote access is required for support, maintenance, or analytics, it can open a security hole into the server and application. Unsecured external communications should be strictly avoided. This includes default service passwords and unsecured transports. Remote access should be limited to VPN or encrypted transports such as TLS, and passcodes should be temporary or have an expiration.
Security was more widely discussed at HIMSS18 than in previous years. Recent ransomware attacks have certainly contributed to the growing emphasis on security. Providers and application vendors must stay on top of the latest technologies and processes to keep patient data safe and available.
These are four of the key challenges discussed in the session as they apply to integration technologies. For the full list of all 10 challenges, you can view the full presentation from ECRI here.