The Healthcare Sector Coordinating Council, a public-private partnership of hospitals and medical device makers working on critical infrastructure security and resilience, has published a joint security plan outlining a series of vulnerabilities and needed improvements in the industry. Essentially a “to-do list” for manufacturers, it highlights the current vulnerabilities of existing medical devices. This includes advising manufacturers to describe their cyber vulnerability review plans, how and when devices will receive patches, and how long devices will receive patch support. The document was released a month after the Department of Health and Human Services published its own cybersecurity responsibilities for hospitals, including what device manufacturers should provide. “This begins to resolve the tension between medical device makers and hospitals, because device makers have not been building security in over the past several years and, meanwhile, hospitals have not been doing enough to secure their broader networks,” the Healthcare Sector Coordinating Council’s Executive Director summarized.
According to the Executive Director, four key reasons drive healthcare’s weakness in cybersecurity. The first is regulation itself: manufacturers are tightly restricted from accessing data, which makes it difficult for them to work with data systems and improve protections. Second, many hospitals have tight margins and cannot afford a chief information security officer or a full security team. Third, many medical devices are extremely expensive and designed to last for decades, so even devices built with cybersecurity protections will face entirely new attacks within their lifetime. Lastly, healthcare was targeted only after other sectors in which attacks could more readily be turned into cash, and the sector has been slow to catch up.