" cybersecurity policy Archives - LuxSci

Posts Tagged ‘cybersecurity policy’

Medical Device Cybersecurity Standards Are on the Way

Thursday, December 29th, 2022

Internet-connected medical devices have transformed healthcare, but not without introducing significant risks. After years of lobbying, changes to medical device cybersecurity standards are finally coming as part of the Consolidated Appropriations Act. The omnibus spending bill includes language requiring medical device manufacturers to ensure that their devices meet specific cybersecurity requirements. This article looks at the proposed changes and how they could trickle down to include other wearable devices and applications in the future.

medical device security

The State of Medical Device Security

Over the past few years, politicians and healthcare leaders have pushed for further guidance and regulations surrounding medical device security. Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and could pose security risks.

It’s no secret that cybercriminals frequently target medical devices. Capterra recently surveyed 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the internet were experiencing more cyberattacks. They found that medical practices with a higher percentage of connected medical devices experienced more cyberattacks than those with a low percentage of connected medical devices.

medical device cybersecurity stats

Ongoing struggles with securing and keeping track of medical devices, the industry’s reliance on legacy systems, and increased federal cybersecurity focus prompted legislative action.

Proposed Changes to Medical Device Security Standards

Once enacted, the omnibus bill would require device manufacturers to “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”

Additionally, manufacturers must design and develop processes to ensure that their devices and related systems are secure, including post-market updates and patches. These updates will take effect 90 days after the bill is signed.

The bill would also require manufacturers to provide a software bill of materials (SBOM) to the Secretary detailing the software’s off-the-shelf, open-source, and commercial components. CISA defines a software bill of materials as “a nested inventory, a list of ingredients that make up software components.” SBOMs have grown in popularity because they make it easier to know if a specific threat impacts your software. For instance, one of the reasons that the log4j attack was so threatening was that log4j is widely used in various consumer and enterprise services, websites, and applications to log security and performance information. An average software user had no way of knowing if their services used log4j, putting them at risk of a breach. Having a SBOM makes it easy to know if the exploit threatens your software.

Finally, the omnibus bill would also require the Food and Drug Administration to issue further guidance on improving the cybersecurity of medical devices. The Government Accountability Office (GAO) would also be expected to release a report within the next year to identify remaining challenges surrounding device security. This bill represents only the first step in improving the security and regulations for medical devices.

The Future of Medical Devices and the Internet of Medical Things (IoMT)

These improvements are necessary considering the recent popularity of personal medical devices. Though the proposed regulations do not necessarily apply to fitness trackers and smartwatches, it’s easy to imagine a future in which medical providers use similar devices to record and transmit patient data to electronic health records.

As smartwatches, remote patient monitoring tools, and other devices that allow individuals to track, send, and store health data are gaining market share, they will also come under scrutiny by regulators. Organizations must decide how to safely use these tools and make decisions to ensure interoperability with their systems. Not all medical devices and applications are designed with patient security and privacy in mind.

People love how easy it is to track step counts with a Fitbit or Apple Watch, but as we know, balancing usability with security is a challenging task. Tracking physical activity is one thing, but as these devices evolve to collect more sensitive health information, integrating them with health systems while maintaining patient privacy will be a considerable challenge. It is clear that as health tech evolves, so too must our security practices. These new regulations are only the first step to securing the vast quantities of digital health data that are collected and distributed by third parties not subject to HIPAA requirements.

Tags: cisa, cybersecurity, cybersecurity policy, health applications, iomt, medical devices, remote patient monitoring, sbom, secure apps, smartwatch
Posted in Industry News, LuxSci Library: Security and Privacy
Comments Off on Medical Device Cybersecurity Standards Are on the Way

5 Ways to Prevent Human Impacts on Your Cybersecurity Program

Tuesday, October 12th, 2021

There are multiple ways that humans impact cybersecurity and can put data at risk. From being tricked by phishing emails to choosing easily guessed passwords, insider fraud and mistakenly classifying the security level of emails and other content, the actions of your employees can make your data vulnerable.

While the impact of human errors can’t be eliminated entirely, there are steps that can be taken to minimize the effects humans can have on your cybersecurity. Five of these steps are detailed below.

prevent human effects on cybersecurity

1. Adopt an “Opt-out” approach to encryption

At LuxSci, our philosophy is to limit risk by taking basic security choices out of employee hands. Instead of relying on employees to encrypt emails with sensitive contents, we automatically encrypt every message by default. This makes it more difficult for an employee to carelessly send out sensitive emails without the proper safeguards.

Conversely, when taking an opt-in approach to cybersecurity, employees are responsible for remembering to encrypt each email before sending. Anytime an employee forgets to take this step, it represents a potential security breach with all the liability that entails. Adopting an opt-out approach to encryption reduces this risk significantly. While many companies use opt-in processes because of their convenience, they introduce a high degree of risk. LuxSci’s SecureLine encryption technology enables a new generation of email encryption that features both flexibility and security.

2. Implement strict email filtering and network firewalls

Are you familiar with the aphorism “an ounce of prevention is worth a pound of cure”? By taking steps to prevent malicious threats from reaching your systems and networks, your employees will not have to spend their time trying to figure out what is a threat.

Email filtering

Phishing is one of the greatest threats to cybersecurity. Rather than relying strictly on human judgement with regard to which emails to open, using a sender policy system that filters or flags suspicious incoming emails can appreciably improve cybersecurity. Don’t count on your busy employees to know when an email is suspicious. Instead, use email filtering to keep those emails from even entering their inboxes.

Network firewalls

Firewalls help prevent attackers from gaining easy access to your network. They prevent suspicious connections or messages from connecting to the network or reaching their intended destination. By serving as a first line of defense, a firewall plays a major part in shielding your network from cyberattacks. By preventing external threats from accessing your applications, you don’t need to count on your employees to recognize when something isn’t right.

3. Prevent human impacts on cybersecurity by training staff

Almost every modern workplace relies on internet-connected devices to get work done. However, just training staff to use your technology effectively is not enough. With cyberattacks growing in frequency, keeping your staff aware of the latest cybersecurity threats is essential to protect your business. With data breaches, denial-of-service (DoS), and ransomware attacks accounting for tremendous financial losses, failing to prepare your staff for the danger these attacks pose to your IT operations can be costly.

Your employees can prevent security breaches if they are properly trained in the latest cybersecurity best practices. Some complex security breaches can evade even the best automated security measures. If your staff knows what to look for, they can play a crucial role in augmenting your existing security measures.

In addition, hackers often target employees as their first access point for gaining entry to a network. As a result, restricting cybersecurity training to just the IT department can leave your employees vulnerable to social engineering, phishing emails, and other exploits used by hackers to dupe them.

A cybersecurity training program can help reduce risks by familiarizing employees with the tricks used by hackers to gain access to their accounts. As part of the training program, it’s important to test employees on core concepts to ensure the message is retained.

4. Enforce strong password and access control policies

To reduce the risk of security breaches, a robust password protection program is necessary. One of the key elements is enforcing password complexity. Simple passwords are vulnerable to brute force hacking, enabling hackers to easily access employee accounts.

Requiring staff to use unique, complex passwords makes it much harder for hackers to gain access to an account. A complex password can include multiple types of characters (numbers, letters, capitalization, special characters) and minimum character lengths. Learn more about creating secure passwords in our blog archives.

Multi-factor authentication (MFA) is another key element of a robust security policy. By requiring more than a single action to access an account, you can drastically cut down on security breaches due to lost or stolen passwords. Given that compromised passwords are a significant cause of security breaches, using MFA is a powerful tool for bolstering network security.

In addition, setting up time-based access controls for your sensitive systems can prevent bad actors from gaining unauthorized access. For example, if you have an employee who works a 9am-5pm shift, you can prevent her from accessing the system from 6pm-8am. That way if a bad actor did get her credentials, they would be unable to login when she was offline. This could prevent someone from taking over your systems overnight.

5. Adopt the Zero Trust security stance

What is Zero Trust Architecture? Essentially, it is a policy for guarding against cyberattacks by assuming that every aspect of a network is subject to attack. This includes potential insider threats from employees or attackers who have infiltrated your network. This contrasts with other security approaches that assume that traffic within a network’s security perimeter can automatically be trusted. Instead, Zero Trust Architecture minimizes the security perimeter as much as possible to reduce the chance of a security breach and evaluates the credentials and actions of users at all levels of access to identify any actors inside the network who may pose a threat.

By providing a more granular level of threat detection and limiting access within the network, a Zero Trust security approach is more rigorous than existing security models focused primarily on perimeter security.

ZTA improves security without imposing unduly burdensome requirements. It gives users access to just the minimum level of data and services needed to fulfill their role. This can help stop insider threats from employees. If a lower-level employee with little access to sensitive data has their credentials compromised, it is less threatening to the organization’s data security. The attacker will not be able to penetrate other parts of the network without additional identity verification.

Limiting human impacts on your cybersecurity to decrease risk

Humans can amplify cybersecurity risks in many ways. Between careless mistakes and intentional sabotage, there are a number of things that employees can do to expose your company to cybersecurity risks. The steps listed above comprise a comprehensive set of measures you can take to minimize negative human impacts on cybersecurity. In conjunction with a robust security solution, these measures can significantly enhance your cybersecurity defenses.

Secure your organization by contacting us to find out how to get onboard with LuxSci.

Tags: cyber risks, cybersecurity, cybersecurity policy, email filtering, email security, encryption, firewalls, keeping business safe from cybercrime, secure email, secure passwords, social engineering
Posted in LuxSci Library: Security and Privacy
Comments Off on 5 Ways to Prevent Human Impacts on Your Cybersecurity Program