The Department of Health & Human Services (HHS) Cybersecurity Program has published a slide deck on potential use cases for blockchain in healthcare. It includes a basic non-technical description of the fundamental features of blockchain, including a peer-to-peer decentralized network and distributed ledger, hashing, and a consensus mechanism. The distributed ledger is a record of transactions over time that documents transfer of ownership. A block is a unit of data that holds a collection of transactions which, together with other blocks arranged in a specific order, form a blockchain. A hash is the digital equivalent of a fingerprint, which identifies the block and its contents uniquely, and is irreversible. The first block in any blockchain is the genesis block; each subsequent block will contain the hash of the block before it. Hashes are a necessary but not sufficient mechanism to prevent tampering. Also needed is a consensus mechanism; that is, a methodology used to achieve agreement, trust and security across a decentralized network. The most common consensus mechanisms are proof of work and proof of stake. A mechanism such as proof of work slows down the creation of new blocks, making the cost of an attack greater than the reward.
The Cybersecurity Program discusses potential use cases for blockchain in healthcare, including supply chain transparency, electronic health records, smart contracts, and Internet of Things (IoT) technologies for remote patient monitoring. With regard to supply chain transparency, the use of blockchain could assure the authenticity, origin and supply chain of medical products across a worldwide marketplace. For example, blockchain could enable companies throughout the prescription drug supply chain to verify the authenticity of the product, expiration dates, and other information. In this example, the manufacturer would mark each drug with a unique code which would be stored in the blockchain. The wholesaler would verify the origin of the drug and add this transaction to the blockchain; the pharmacist would verify, adding this transaction to the blockchain; and the drug is dispensed to the patient in the final transaction.
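An added example, not part of the HHS slide deck: a toy hash-chained ledger in Python built on the prescription-drug chain of custody described above. It shows that altering a past block breaks the chain, that with hashes alone (difficulty 0) an attacker can re-hash the later blocks at no cost, and that a toy proof of work makes that repair cost grow with the number of later blocks. The block layout, the ledger entries and the difficulty value are constructed assumptions.

```python
import copy
import hashlib
import json
def block_hash(block):
    # SHA-256 over the block's canonical JSON: the block's "fingerprint"
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def mine(block, difficulty):
    # Toy proof of work: bump the nonce until the hash has `difficulty` leading hex zeros
    while not block_hash(block).startswith("0" * difficulty):
        block["nonce"] += 1
    return block["nonce"]  # nonce started at 0, so this is the attempts spent (the "work")

def rewrite_history(chain, start, difficulty):
    # Re-link and re-mine chain[start:]; each hash feeds the next block, so all later ones redo
    work = 0
    for i in range(start, len(chain)):
        if i > start:
            chain[i]["prev_hash"] = block_hash(chain[i - 1])
        chain[i]["nonce"] = 0
        work += mine(chain[i], difficulty)
    return work

def build_chain(steps, difficulty):
    chain = [{"prev_hash": "0" * 64, "txs": ["genesis"], "nonce": 0}]
    chain += [{"prev_hash": "", "txs": txs, "nonce": 0} for txs in copy.deepcopy(steps)]
    rewrite_history(chain, 0, difficulty)  # links and mines every block
    return chain

def verify_chain(chain, difficulty):
    for i, blk in enumerate(chain):
        if not block_hash(blk).startswith("0" * difficulty):
            return False  # proof of work missing or stale
        if i and blk["prev_hash"] != block_hash(chain[i - 1]):
            return False  # link to the previous block is broken
    return True

# Constructed sample ledger: the prescription-drug chain of custody from the text
DRUG_LEDGER = [[{"actor": "manufacturer", "action": "mark", "code": "LOT-0001-X"}],
               [{"actor": "wholesaler", "action": "verify_origin", "code": "LOT-0001-X"}],
               [{"actor": "pharmacist", "action": "verify", "code": "LOT-0001-X"}],
               [{"actor": "pharmacist", "action": "dispense", "code": "LOT-0001-X"}]]

def tamper_demo(difficulty):
    chain = build_chain(DRUG_LEDGER, difficulty)
    chain[2]["txs"][0]["code"] = "LOT-FAKE"  # alter the wholesaler's past record
    detected = not verify_chain(chain, difficulty)
    work = rewrite_history(chain, 2, difficulty)  # cost of hiding the change
    return {"detected": detected, "rewrite_work": work,
            "valid_after_rewrite": verify_chain(chain, difficulty)}
```

Run `tamper_demo(0)` and `tamper_demo(3)`: both detect the change, but only the proof-of-work chain makes hiding it cost hashing work, which is the point the slide deck makes about hashes being necessary but not sufficient.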
- Published: 21 October 2021
- Last Updated: 23 October 2021
On August 17, 2017, BlackBerry disclosed that its QNX Real Time Operating System (RTOS) is vulnerable to BadAlloc, which can cause a denial of service or execute arbitrary code on affected devices. An alert about the vulnerability was issued by the Cybersecurity & Infrastructure Security Agency (CISA), part of the Department of Homeland Security. CISA is not aware of incidents where the vulnerability was exploited, but encourages organizations using affected QNX-based systems to patch affected products as soon as possible. BlackBerry programs that depend on the C runtime library are affected by the vulnerability, including QNX Neutrino RTOS for Medical Devices.
- Published: 17 August 2021
- Last Updated: 17 August 2021
Wisconsin has enacted its version of the Insurance Data Security Model Law developed by the National Association of Insurance Commissioners. The law requires licensees of the Insurance Commissioner to develop an information security program meeting standards set forth in the law. The law contains an exception for licensees that are subject to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Standards, which applies to health plans. However, health plans are still required to report any cybersecurity event to the Insurance Commissioner.
- Published: 12 August 2021
- Last Updated: 12 August 2021
On July 14, 2021, the U.S. Department of Homeland Security (DHS) launched a website intended to serve as a one-stop hub for ransomware resources. DHS stated that ransomware is a growing national security threat: $350 million in ransom was paid in 2020, and there have already been notable ransomware attacks in 2021. The intent of the new website is to collect resources from all federal agencies to assist organizations in protecting themselves against ransomware attacks and in responding to incidents.
For the health care sector, the site links to several updates and resources, including resources compiled by the Cybersecurity Act of 2015, Section 405(d) Task Group. The task group created a publication in 2018 entitled Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, two technical volumes on cybersecurity practices for small health care organizations and for medium to large health care organizations, and a volume of resources and templates. The Task Group identified the ten most effective actions to mitigate common threats to the health care system: email protection systems; endpoint protection systems; access management; data protection and loss prevention; asset management; network management; vulnerability management; incident response; medical device security; and cybersecurity policies.
- Published: 25 July 2021
- Last Updated: 25 July 2021
The Health Sector Cybersecurity Coordination Center (HC3) warns that many Picture Archiving and Communication Systems (PACS) continue to have unpatched cybersecurity vulnerabilities, even though researchers identified vulnerabilities in these systems in 2019. PACS use the Digital Imaging and Communications in Medicine (DICOM) format, which was developed three decades ago. PACS can include security vulnerabilities such as known default passwords, hardcoded credentials, and lack of authentication within third-party software. Vulnerable PACS servers can cause patient information to be exposed and malware to be introduced into connected clinical networks. The HC3 report lists 23 vulnerable PACS devices, noting that the list is not all-inclusive.
To mitigate PACS vulnerabilities, HC3 suggests the following:
- validate connections to ensure access is limited to authorized users only
- enable secure connections (HTTPS) for internet-connected systems
- place PACS behind a firewall and require access via a virtual private network (VPN)
- Published: 18 July 2021
- Last Updated: 18 July 2021
The Food and Drug Administration (FDA) has published a discussion paper on strengthening cybersecurity practices associated with servicing of medical devices. The paper is not regulatory guidance but rather requests industry comment on the role of companies servicing medical devices in maintaining effective cybersecurity practices. The paper focuses on the role of servicing entities other than the original equipment manufacturer (OEM), such as independent service organizations or healthcare providers.
The FDA defines cybersecurity as the process of preventing unauthorized access, modification, misuse or denial of use, or unauthorized use of information that is stored, accessed or transferred from a medical device to an external recipient. The FDA's published guidance has incorporated a total product lifecycle (TPLC) approach to maintaining cybersecurity throughout the device's product life cycle. The discussion paper highlights cybersecurity challenges in several areas. First, devices should be designed to limit access only to privileged device users. The ability to grant certain entities privileged access can be designed into the device by the OEM, so that the device may be serviced by the healthcare provider or a service entity. The FDA suggests that service entities may have an important role in identifying cybersecurity vulnerabilities and sharing postmarket data so that mitigations can be developed to reduce cybersecurity risk. Entities that service medical devices also are well-positioned to ensure that the device has received software updates needed to maintain cybersecurity. Finally, the FDA notes special concerns related to legacy devices. Healthcare organizations may have reasons, including financial concerns, for continuing to use devices that are no longer supported by the OEM but continue to meet clinical performance standards. In that scenario, users must understand the nature of cybersecurity risks they are taking and develop strategies to address such risks.
- Published: 21 June 2021
- Last Updated: 21 June 2021
The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued a report dated June 2021 on oversight by the Centers for Medicare and Medicaid (CMS) of hospitals' cybersecurity controls for networked medical devices. The OIG concluded that consistent oversight was lacking: CMS's survey protocols do not explicitly address cybersecurity, nor do the audit practices of the accreditation organizations (AOs). The OIG points out that hospitals have increasingly become targets of ransomware attacks. While most such attacks have affected electronic health record (EHR) systems, a ransomware attack in 2017 infected radiology equipment. Because many radiology, laboratory, and other systems connect to the EHR, malicious code introduced into networked devices can affect the entire EHR system.
Direct responsibility for hospital surveys rests with the AOs as well as the state survey agencies (typically, the state department of health). State survey agencies follow guidelines in CMS's State Operations Manual, including Appendix A applicable to hospital surveys, which includes the Medicare Conditions of Participation (CoPs) for hospitals and the Interpretive Guidelines, which provide more detailed instructions on application of the CoPs. The AOs establish their own audit guidelines, which are required to be at least as stringent as those contained in the State Operations Manual.
- Published: 26 June 2021
- Last Updated: 26 June 2021