In the last week, the Food and Drug Administration, the Cybersecurity and Infrastructure Security Agency, and the Health Sector Cybersecurity Coordination Center released three separate insights on crucial challenges facing the health care sector: communicating medical device risks to patients, mitigating insider threats, and hardening remote access via virtual private networks.
The HC3 alert provides CISA guidance on hardening VPN access points, commonly used for telehealth, telemedicine, patient access, and other applications. Further, CISA recently unveiled a new tool for public and private sector organizations to assess insider threat risks within the enterprise.
Lastly, new guidance from the Food and Drug Administration aims to support health care delivery organizations with how to explain connected medical device security risks to patients and caregivers, including cybersecurity events that could impact public health.
As many small- and medium-sized providers continue to struggle in these areas, the free resources can shed light on these risks and on the best practice measures needed to improve overall cyber posture.
FDA shares insights on communicating medical device risks to patients
One of the largest unsolved challenges in health care is medical device security. Few devices are truly standalone anymore, and providers struggle with effective patch management and an overreliance on legacy devices. The ongoing COVID-19 pandemic has exacerbated these risks.
The new FDA insights are designed to further support these efforts and update an earlier draft to incorporate industry stakeholder feedback. The FDA explained the guide targets industry stakeholders and federal partners developing their communication strategy.
“Clear, actionable communication is one way to help protect and promote public health, and help ensure that patients, who depend on their medical devices, stay informed and protected,” according to the guide.
“When developing safety communications, the messenger needs to communicate complex messages in clear and plain language consistent with the audience’s need to receive and understand the messages conveyed,” it adds. “Several factors, such as timeliness, relevance, simplicity, and readability for diverse audiences, are key for patients and caregivers to read and understand.”
The insights are broken down into key elements that include interpretability, risks and benefits, addressing unknown risks, availability and discoverability of information, a breakdown of communication materials, and outreach tools. A 2019 Patient Engagement Advisory Committee (PEAC) meeting deemed these the most crucial elements of safety communications.
Providers can leverage the guidance to better understand these elements, as well as the importance of timely, relevant, simple communication strategies.
The FDA warns it’s important for those communicating risks and benefits to convey a balanced message that includes adequate information to support patients with decisions on whether to act on certain issues.
These insights should be readily accessible to patients, meaning communications are easy to find in online searches. To accomplish this, organizations should employ best practice search engine optimization (SEO) tactics; patients prefer to see the vulnerability and the medical device name in the title of the communication.
Evaluating insider vulnerabilities
Insiders have been named the biggest risk to the health care sector in the annual Verizon Data Breach Investigations Report nearly every year since the report's inception. The 2018 report found health care is the worst industry when it comes to stopping insider-related data breaches.
The CISA Insider Risk Mitigation Self-Assessment tool aims to allow organizations to analyze the potential for insider risk across the enterprise by answering several questions, which will also inform needed steps for prevention and mitigation programs.
“CISA urges all our partners, especially small and medium businesses who may have limited resources, to use this new tool to develop a plan to guard against insider threats,” said CISA Executive Assistant Director for Infrastructure Security David Mussington, in the release. “Taking some small steps today can make a big difference in preventing or mitigating the consequences of an insider threat in the future.”
Hardening VPN access
In the last year, health care rapidly expanded the use of telehealth and remote technologies to support patient care throughout the pandemic. As previously noted, the scope of these platforms has inadvertently added to ongoing health care risks. VPNs are commonly used for remote access in health care, but they come with inherent risks that require specific security controls.
“Compromise can lead to disruption of healthcare operations and leaking of sensitive health information, including research-related intellectual property as well as protected employee and patient information, leading to a leak of protected health information and a potential HIPAA violation,” according to the HC3 alert.
HC3 is urging all health care delivery organizations to review the CISA and NSA information sheet detailing VPN concerns and best practices to take the needed steps to bolster their risk management strategy.
The CISA-NSA insights include best practices for selecting VPNs from reputable vendors and strengthening VPN connections by reducing the attack surface. There is also a section on vulnerabilities under active exploitation and steps for protecting and monitoring VPN traffic.
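As an illustration of what "monitoring VPN traffic" can look like in practice, the following script is an added example written for this article; it is not code from the HC3 alert or the CISA-NSA information sheet, and it does not reproduce their specific recommendations. It parses a constructed, syslog-like VPN authentication log (the line format, account names, addresses and alert thresholds are all assumptions, not the output of any real VPN product) and flags three patterns a health care security team would want to catch on a VPN concentrator: a burst of failed logins from one source, a password spray (one source failing against many accounts), and a single account succeeding from several sources in a short window.

```python
"""Flag suspicious VPN authentication patterns from log lines.

Added example for this article. The log format, thresholds and sample data
are constructed assumptions; tune the thresholds to your own environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO timestamp> vpn auth <success|failure> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Assumed thresholds (not from the CISA-NSA sheet); adjust per environment.
FAIL_THRESHOLD = 5                   # failures from one source within FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=10)
SPRAY_THRESHOLD = 3                  # distinct accounts failed from one source
MULTI_SRC_THRESHOLD = 2              # distinct sources for one account within MULTI_SRC_WINDOW
MULTI_SRC_WINDOW = timedelta(minutes=30)


def parse(lines):
    """Turn raw log lines into sorted event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_alerts(lines):
    """Return a sorted list of (alert_type, subject) tuples found in the log."""
    alerts = set()
    fails_by_src = defaultdict(list)      # src -> [(ts, user)] within FAIL_WINDOW
    success_by_user = defaultdict(list)   # user -> [(ts, src)] within MULTI_SRC_WINDOW
    for e in parse(lines):
        if e["result"] == "failure":
            window = fails_by_src[e["src"]]
            window.append((e["ts"], e["user"]))
            # Drop failures that fell out of the sliding window.
            while window and e["ts"] - window[0][0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD:
                alerts.add(("auth_failure_burst", e["src"]))
            if len({u for _, u in window}) >= SPRAY_THRESHOLD:
                alerts.add(("password_spray", e["src"]))
        else:
            window = success_by_user[e["user"]]
            window.append((e["ts"], e["src"]))
            while window and e["ts"] - window[0][0] > MULTI_SRC_WINDOW:
                window.pop(0)
            if len({s for _, s in window}) >= MULTI_SRC_THRESHOLD:
                alerts.add(("multi_source_login", e["user"]))
    return sorted(alerts)


# Constructed sample log: not real traffic. Contains one benign session, one
# brute-force burst, one password spray, one account used from two sources,
# and one malformed line that the parser must tolerate.
SAMPLE_LOG = [
    "2021-10-04T08:00:01 vpn auth success user=jsmith src=203.0.113.10",
    "2021-10-04T08:02:10 vpn auth success user=dr_lee src=203.0.113.11",
    "2021-10-04T08:05:00 vpn auth failure user=admin src=198.51.100.7",
    "2021-10-04T08:05:04 vpn auth failure user=admin src=198.51.100.7",
    "2021-10-04T08:05:09 vpn auth failure user=admin src=198.51.100.7",
    "2021-10-04T08:05:13 vpn auth failure user=admin src=198.51.100.7",
    "2021-10-04T08:05:18 vpn auth failure user=admin src=198.51.100.7",
    "2021-10-04T08:10:00 vpn auth failure user=nurse1 src=198.51.100.9",
    "2021-10-04T08:10:30 vpn auth failure user=nurse2 src=198.51.100.9",
    "2021-10-04T08:11:00 vpn auth failure user=billing src=198.51.100.9",
    "2021-10-04T08:20:00 vpn auth success user=jsmith src=192.0.2.44",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for alert_type, subject in find_alerts(SAMPLE_LOG):
        print(f"{alert_type}: {subject}")
```

The multi-source rule is deliberately coarse: a clinician moving from a hospital network to a home connection will trip it, so in production it belongs in a triage queue rather than an automatic block, and the thresholds should be set from a baseline of your own concentrator's logs.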