There are 6 key business requirements for medical device security:
- Prevent data leakage of ePHI (electronic protected health information) via the device itself, the management system and/or the hospital information system interface.
- Ensure availability of the medical device.
- Ensure integrity of the operation and data of the medical device.
- Ensure that a networked or mobile medical device cannot be exploited by malicious attackers to cause damage to the patient.
- Ensure that a networked or mobile medical device cannot be exploited by malicious attackers to cause damage to the hospital enterprise network.
As with theft, data is leaked or stolen because it has value; otherwise the employee or contractor would not bother. There is no impact from leakage of trivial or universally available information. Sending a weather report by mistake to a competitor obviously will not make a difference.
The financial impact of a data breach is directly proportional to the value of the asset. Imagine an insurance company obtaining PHI under false pretenses, discovering that the patient had been mistreated, and suppressing the information.
The legal exposure could be in the millions. Now consider a data leakage event of patient names without any clinical data – the impact is low, simply because names of people are in the public domain and, without the clinical data, there is no added value to the information.
But why does data leak?
The main reason is people. People handle electronic data and make mistakes or do not follow policies. People are increasingly conscious that information has value – all information has some value to someone, and that someone may be willing to pay or return a favor.
This is an ethical issue which is best addressed by direct managers leading from the front and setting an example of ethical behavior.
People maintain information systems and make mistakes: they leave privileged user names on a system, or temporary files with ePHI on a publicly available Windows share.
People design business processes and make mistakes. A customer service process where any customer service representative can see any customer record creates a vulnerability that can be exploited by malicious insiders, or by attackers using APT (Advanced Persistent Threat) attacks that target a particular individual in a particular business unit. This was seen in the recent successful APT attack on RSA, which targeted an HR employee with an Excel worksheet containing malware that enabled the attackers to steal SecurID token data, and then use the stolen tokens to hack Lockheed Martin.
According to Wikipedia, APT attacks utilize traditional attack vectors such as malware and social engineering, but also extend to advanced attacks such as satellite imaging. An APT is a low-and-slow attack, designed to go undetected. There is always a specific objective behind it, in contrast to the chaotic and disorganized attacks of script kiddies.
Cross-posted from Israeli Software