Continued from page 39 (“The Danger of Being Connected”)

The HHS voluntary guidance publication, described in the
preceding list in item five, identifies medical devices as one of
the top five cybersecurity threats to the healthcare industry.
Offering practical solutions for small, medium, and large organizations, the guidance can be downloaded from the Public
Health Emergency website.
Fortunately, within the last year, solutions designed specifically for medical and IoT device security have appeared on the market. These systems passively monitor network traffic (rather than actively probing the devices, which can disrupt fragile clinical equipment) and parse the resulting network metadata to automatically classify, manage, and safeguard all the
This new visibility into device inventory and communications promises health systems the ability to apply machine learning to classify each device and to baseline its normal behavior within the context of the provider network. This additional level of detail should permit clinical engineers and chief information security officers to engage the IT department in defining and implementing actionable policies that significantly reduce exposure to patient harm and regulatory
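The passive inventory-and-baseline approach described above, as an added example that is not code from the article or from any vendor product it describes. It assumes flow records have already been exported by a passive sensor (span port or TAP feeding a NetFlow/IPFIX collector) and reduced to (MAC, destination IP, destination port, protocol) tuples; the sample records, the MAC prefix, the hospital address range and the port-to-role hints are all constructed for the illustration. A device is classified by the clinical protocol it speaks, and a later observation window is compared against the learned peer set.

```python
"""
Passive device inventory and behavioural baselining from network flow metadata.

Added illustration, not code from the article or from any vendor product it
describes. It assumes flow records have already been exported by a passive
sensor (span port / TAP, NetFlow or IPFIX) and reduced to simple tuples; the
sample records, MAC prefix, address range and port-to-role hints below are
constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed flow records: (device_mac, dst_ip, dst_port, proto).
# A real collector would also supply timestamps, byte counts and both directions.
BASELINE_FLOWS = [
    ("00:1a:2b:00:00:01", "10.10.5.20", 104, "tcp"),    # CT -> PACS (DICOM)
    ("00:1a:2b:00:00:01", "10.10.5.21", 11112, "tcp"),  # CT -> PACS archive (DICOM)
    ("00:1a:2b:00:00:02", "10.10.6.10", 2575, "tcp"),   # pump -> HL7 interface engine
    ("00:1a:2b:00:00:02", "10.10.1.1", 123, "udp"),     # pump -> NTP
    ("00:1a:2b:00:00:03", "10.10.7.5", 445, "tcp"),     # workstation -> file share
    ("00:1a:2b:00:00:03", "10.10.7.6", 443, "tcp"),     # workstation -> intranet app
]
LIVE_FLOWS = [
    ("00:1a:2b:00:00:01", "10.10.5.20", 104, "tcp"),    # seen in baseline: fine
    ("00:1a:2b:00:00:02", "203.0.113.8", 443, "tcp"),   # pump talking to an outside host
    ("00:1a:2b:00:00:09", "10.10.6.10", 2575, "tcp"),   # MAC never inventoried
    ("00:1a:2b:00:00:03", "10.10.7.6", 443, "tcp"),     # seen in baseline: fine
]

# Hospital-owned address space (constructed). An explicit list is preferable to
# ipaddress.is_private(), which also treats documentation ranges such as
# 203.0.113.0/24 (used here as the stand-in for "the Internet") as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Hypothetical OUI table; production tooling would load the IEEE OUI registry.
OUI_VENDORS = {"00:1a:2b": "ExampleMed Devices (hypothetical)"}

# Port-to-protocol hints used for coarse classification. 104 and 11112 are the
# IANA-registered DICOM ports; 2575 is the IANA-registered HL7 (MLLP) port.
ROLE_HINTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7"}


@dataclass
class DeviceProfile:
    mac: str
    peers: set = field(default_factory=set)      # {(dst_ip, dst_port, proto)}
    protocols: set = field(default_factory=set)  # {"DICOM", "HL7", ...}

    @property
    def vendor(self) -> str:
        return OUI_VENDORS.get(self.mac[:8].lower(), "unknown OUI")

    @property
    def role(self) -> str:
        # Heuristic: the clinical protocol a device speaks says more about its
        # function than its IP address does.
        if "DICOM" in self.protocols:
            return "imaging modality"
        if "HL7" in self.protocols:
            return "clinical device (HL7 interface)"
        return "general IT endpoint"


def build_inventory(flows):
    """Learn one profile per MAC from a passive observation window."""
    inventory = {}
    for mac, dst_ip, dst_port, proto in flows:
        profile = inventory.setdefault(mac, DeviceProfile(mac))
        profile.peers.add((dst_ip, dst_port, proto))
        if dst_port in ROLE_HINTS:
            profile.protocols.add(ROLE_HINTS[dst_port])
    return inventory


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_deviations(inventory, live_flows):
    """Compare a later window against the learned baseline.

    Returns (severity, mac, message) tuples. A known device reaching a host
    outside the hospital ranges is rated high, a new internal peer medium, and
    a MAC with no profile at all is an inventory gap rather than a behaviour change.
    """
    alerts = []
    for mac, dst_ip, dst_port, proto in live_flows:
        profile = inventory.get(mac)
        if profile is None:
            alerts.append(("medium", mac, f"uninventoried device talking to {dst_ip}:{dst_port}"))
            continue
        if (dst_ip, dst_port, proto) in profile.peers:
            continue
        severity = "high" if not is_internal(dst_ip) else "medium"
        alerts.append((severity, mac, f"{profile.role} contacted new peer {dst_ip}:{dst_port}/{proto}"))
    return alerts


if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    for p in inv.values():
        print(f"{p.mac}  {p.vendor:35} {p.role}")
    for sev, mac, msg in detect_deviations(inv, LIVE_FLOWS):
        print(f"[{sev.upper():6}] {mac}: {msg}")
```

The point of keying the baseline on MAC rather than IP is that many medical devices sit behind DHCP and change addresses; the peer set, not the address, is what stays stable. In practice the learning window must be long enough to cover infrequent legitimate peers (vendor update servers, periodic QA uploads), or the first such contact after go-live will surface as a false "new peer" alert.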
Healthcare organizations like CHIME and AEHIS have discovered that patient safety risks attributed to medical devices are not contained to the device itself. These risks extend to the network, firewalls, switches, and operating systems. Healthcare delivery organizations are recognizing that medical, IoT, and OT device privacy and security are components of enterprise cyber and privacy risk management. A holistic approach is the only reliable way to deliver closed-loop security for patient safety and critical assets in our hyper-connected healthcare enterprise.
Ty Greenhalgh (Ty@CyberTygr.com) is the managing principal and founder of Cyber Tygr.
Continued from page 26 (“PHI Hide and Seek”)
they need to visit the information systems (IS) department—or
have the IS department visit them if the termination is abrupt—
to have access to our email server manually removed from their
phones. We inventory and document all the mobile devices that
are receiving email. And as part of our bring-your-own-device
policy, we have the right to wipe an employee’s entire phone if
they don’t allow us to remove their hospital access. So far, we
have not had to wipe an individual’s phone involuntarily. However, their awareness of our right to do so ensures compliance
with our mandate and assures confidence that we have removed
all PHI that we possibly can.
Grady: Every time you repair a hole in the dam, you find three
new leaks. That is the nature of information security in healthcare.
Through rapid adoption, IS evolved too quickly as organizations
were eager to take advantage of it. As a result, it’s difficult to
mitigate risk 100 percent. What we can do is exercise diligence
regarding vulnerability assessments and make sure we fill any
Pesci: About 400 decommissioned workstation hard drives
were being stored in one of our storage areas. We weren’t certain
about the level of data on them, but we discovered that some
had PHI information. Therefore, we engaged a HIPAA-compliant recycling company to properly dispose of them, providing
documentation of proof of destruction and recycling.
Hidden PHI can expose any healthcare organization to extraordinary risk, regardless of the provider’s size, location, or complexity. Look under every rock, in every corner, and any other place where PHI might reside. The panelists shared examples, such as a storage room with decommissioned equipment—an area that could easily be overlooked. But these vulnerabilities can be found and addressed with the right assessment and mitigation processes.
Ken Reiher is vice president of operations at ComplyAssistant.