Report: Healthcare the least prepared sector against cyberattacks
Healthcare is the most targeted yet least prepared sector in the U.S. when it comes to cyberattacks, according to a report from the Institute for Critical Infrastructure Technology.
"Both providers and payers devote the majority of their resources to fulfilling their mission," the report's authors say. "Sadly, attackers have seen this selfless dedication to human life as a sign of weakness."
Government and healthcare organizations manage complex infrastructure with many layers that leave gaps, giving hackers access to sensitive data, according to the authors. What's more, manufacturers often no longer support their technology, which creates even more vulnerability. One example of how malicious actors took advantage of this is the Office of Personnel Management hack, which put information of about 4 million federal employees at risk.
The Internet of Things also creates a massive attack surface, the report's authors say.
To that end, they advocate for mandated penetration testing before and after a medical device is released. This will not stifle innovation, but will require greater innovation to identify and patch vulnerabilities, they say.
"A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers," the authors write.
The U.S. Food and Drug Administration, which critics have called "a toothless dragon" on medical device security, just issued draft guidance on postmarket cybersecurity of medical devices. In October 2014 it outlined how medical device makers should address cybersecurity risks in the pre-market design of their products.
To learn more:
- Here's the report (.pdf)
- OPM hack: A teaching moment for healthcare providers
- FDA guidance addresses postmarket device cybersecurity
- FDA a 'toothless dragon' on med device security, researchers say
- Med device cybersecurity warnings will only grow, privacy expert says
- Healthcare cybersecurity preparedness: Why it must start at the top