The recent jump in cyber attacks against the healthcare industry—especially ransomware attacks—isn’t a coincidence. The reality is that the healthcare industry presents the perfect opportunity for attackers: a combination of valuable personal data and hospitals that simply aren’t prepared for advanced attacks.
In May 2016, the Diabetes Technology Society (DTS) took a step forward in defending the new world of connected healthcare devices by releasing the DTSec standard. Now the question remains—can this new standard change the cyber security narrative for an ailing healthcare industry?
What Is DTSec?
The DTS Cybersecurity Standard for Connected Diabetes Devices (DTSec) was released with the goal of making the healthcare industry more confident in the security of network-connected medical devices. While the standard will first focus on life-critical diabetes devices (such as insulin-pump controllers), it can be applied to any medical product.
DTSec hinges on thorough, independent expert evaluations of connected healthcare devices. The DTSec standard contains specific performance requirements that provide a concrete measurement platform for device security.
Certain approved labs will conduct the DTSec tests and the fundamental idea is that having multiple stakeholders involved in the process—not just a biased vendor—will improve the state of healthcare security.
With the ISO/IEC 15408 international standard for computer security certification at its heart, DTSec can potentially offer the healthcare industry the framework necessary for protecting Internet of Things (IoT)-enabled devices. However, deploying medical devices that are built with security in mind is only one step toward securing electronic health records.
Why DTSec Can’t Change Healthcare Security by Itself
Urgent patient care is the chief concern for healthcare providers, which is why budgets generally go toward increasing staff rather than consistent security equipment upgrades. However, IoT-enabled devices are becoming essential to providing quality patient care and improving outcomes in life-or-death moments.
Improving the security features of connected healthcare devices is important, which is why DTSec is such an important new standard. As IoT-enabled products become more inherently secure, the entire stack of security solutions must improve as well.
Keeping hackers from controlling devices such as insulin-pump controllers is an obvious patient-safety concern. However, the DTSec standard does not include testing or certification for in-line security appliances such as next-generation firewalls and intrusion prevention systems.
As IoT devices collect increasing amounts of patient data, defending hospital networks themselves—not just the smart devices—will become more critical than ever. Without a solution in place to identify and mitigate attacks, having DTSec-approved devices in place won’t mean much.
Visibility Is the First Step in Defending Healthcare
DTSec can certainly change the narrative for IoT-enabled medical device security. However, the narrative remains the same for the rest of the healthcare network. In any cyber security strategy, visibility must be the first step—especially as more in-line security appliances become necessary at the edge of the network.
2015 may have brought the 5 biggest data breaches in the healthcare industry, but 2016 is already proving to be equally troublesome for healthcare providers. Budgets are tight, but you have to build visibility into your cyber security plan as the security stack continues to grow more complex.