secure apps Archives - LuxSci

Posts Tagged ‘secure apps’

Medical Device Cybersecurity Standards Are on the Way

Thursday, December 29th, 2022

Internet-connected medical devices have transformed healthcare, but not without introducing significant risks. After years of lobbying, changes to medical device cybersecurity standards are finally coming as part of the Consolidated Appropriations Act. The omnibus spending bill includes language requiring medical device manufacturers to ensure that their devices meet specific cybersecurity requirements. This article looks at the proposed changes and how they could trickle down to include other wearable devices and applications in the future.

[Image: medical device security]

The State of Medical Device Security

Over the past few years, politicians and healthcare leaders have pushed for further guidance and regulations surrounding medical device security. Healthcare organizations often maintain thousands of medical devices, many of which are internet-connected and could pose security risks.

It’s no secret that cybercriminals frequently target medical devices. Capterra recently surveyed 150 healthcare respondents in the United States to explore the current state of medical IoT security and determine whether medical practices with a high percentage of their medical devices connected to the internet were experiencing more cyberattacks. They found that medical practices with a higher percentage of connected medical devices experienced more cyberattacks than those with a low percentage of connected medical devices.

[Image: medical device cybersecurity stats]

Ongoing struggles with securing and keeping track of medical devices, the industry’s reliance on legacy systems, and increased federal cybersecurity focus prompted legislative action.

Proposed Changes to Medical Device Security Standards

Once enacted, the omnibus bill would require device manufacturers to “submit to the Secretary a plan to monitor, identify, and address, as appropriate, in a reasonable time, post-market cybersecurity vulnerabilities and exploits, including coordinated vulnerability disclosure and related procedures.”

Additionally, manufacturers must design and develop processes to ensure that their devices and related systems are secure, including post-market updates and patches. These updates will take effect 90 days after the bill is signed.

The bill would also require manufacturers to provide a software bill of materials (SBOM) to the Secretary detailing the software’s off-the-shelf, open-source, and commercial components. CISA defines a software bill of materials as “a nested inventory, a list of ingredients that make up software components.” SBOMs have grown in popularity because they make it easier to know whether a specific threat affects your software. For instance, one of the reasons the log4j attack was so threatening was that log4j is widely used in various consumer and enterprise services, websites, and applications to log security and performance information. An average software user had no way of knowing whether their services used log4j, putting them at risk of a breach. Having an SBOM makes it easy to tell whether such an exploit threatens your software.
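As an added illustration of how an SBOM answers the “does this threat affect my software?” question, the following Python script is example code written for this page, not part of the original article or of any SBOM tool. It walks a constructed CycloneDX-style SBOM, including a component nested inside a bundled component, and matches every component against a constructed advisory. The firmware name, component names, versions and the advisory’s fixed-in version are all assumptions made up for the example; the real log4j advisory and its CVE identifier are not reproduced here.

```python
import json
import re
from dataclasses import dataclass


# Constructed CycloneDX-style SBOM for a hypothetical device firmware build.
# Every name and version below is made up for this example; the nesting (a
# bundled component that carries its own "components" list) is the
# "nested inventory" the article describes.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "infusion-pump-firmware", "version": "3.2.0"}},
    "components": [
        {"name": "openssl", "version": "1.1.1q"},
        {"name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {
            "name": "telemetry-gateway", "version": "0.9.1",
            "components": [
                {"name": "log4j-core", "version": "2.14.1",
                 "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
                {"name": "jackson-databind", "version": "2.13.0"},
            ],
        },
    ],
})


@dataclass(frozen=True)
class Advisory:
    """Minimal advisory: a component name and the first version that is not affected."""
    component: str
    fixed_in: str


# Constructed advisory for illustration only; it stands in for a real
# vulnerability notice (the actual log4j advisory is not reproduced here).
ADVISORIES = [Advisory(component="log4j-core", fixed_in="2.15.0")]


def parse_version(version: str) -> tuple:
    """Turn '2.14.1' or '1.1.1q' into a tuple of ints; non-numeric suffixes are dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a sorts strictly before b, padding so '2.15' equals '2.15.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def flatten(components, path=()):
    """Depth-first walk over nested components, yielding (path, component)."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp['version']}",)
        yield here, comp
        yield from flatten(comp.get("components", []), here)


def affected_components(sbom_json: str, advisories) -> list:
    """Return every SBOM component (at any nesting depth) an advisory says is affected."""
    sbom = json.loads(sbom_json)
    hits = []
    for path, comp in flatten(sbom.get("components", [])):
        for adv in advisories:
            if comp["name"] == adv.component and version_lt(comp["version"], adv.fixed_in):
                hits.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "fixed_in": adv.fixed_in,
                    "path": " -> ".join(path),
                })
    return hits


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, ADVISORIES):
        print(f"AFFECTED: {hit['path']} (fixed in {hit['fixed_in']})")
```

Run as-is, the script reports only the nested, unpatched log4j-core copy inside telemetry-gateway and leaves the patched top-level copy alone; the path it prints is what a device owner needs in order to ask the manufacturer which bundled component must be updated. Real SBOM files can carry the same component under several package URLs, so a production matcher would key on the purl rather than the bare name.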

Finally, the omnibus bill would also require the Food and Drug Administration to issue further guidance on improving the cybersecurity of medical devices. The Government Accountability Office (GAO) would also be expected to release a report within the next year to identify remaining challenges surrounding device security. This bill represents only the first step in improving the security and regulations for medical devices.

The Future of Medical Devices and the Internet of Medical Things (IoMT)

These improvements are necessary considering the recent popularity of personal medical devices. Though the proposed regulations do not necessarily apply to fitness trackers and smartwatches, it’s easy to imagine a future in which medical providers use similar devices to record and transmit patient data to electronic health records.

As smartwatches, remote patient monitoring tools, and other devices that allow individuals to track, send, and store health data are gaining market share, they will also come under scrutiny by regulators. Organizations must decide how to safely use these tools and make decisions to ensure interoperability with their systems. Not all medical devices and applications are designed with patient security and privacy in mind.

People love how easy it is to track step counts with a Fitbit or Apple Watch, but as we know, balancing usability with security is a challenging task. Tracking physical activity is one thing, but as these devices evolve to collect more sensitive health information, integrating them with health systems while maintaining patient privacy will be a considerable challenge. It is clear that as health tech evolves, so too must our security practices. These new regulations are only the first step to securing the vast quantities of digital health data that are collected and distributed by third parties not subject to HIPAA requirements.

Email, Calls, Messaging Apps & More: How Can You Secure It All?

Tuesday, February 26th, 2019

In a forgotten time, if an organization wanted to secure its communications, all it had to worry about was its conversations, postage and landlines. If a business was on the cutting edge of technology, it might use a fax machine as well.

In 2019, things are a lot more complicated. To start with, we now have email, mobile calls, and text messages. Then there are the countless messaging apps like WhatsApp, Facebook Messenger, Telegram, Signal, and Viber.

On top of this, there are online calls like Google Voice, Skype, and others. We can’t forget video calling either, or the fact that many of these services offer several different communication channels.

Landlines and postage haven’t gone away either, so they still have to be secured as well. Some businesses even persist in using fax machines.

The point is that in the modern world, we have a lot more to worry about. With so many different channels, how can an organization possibly secure them all?

While the task may seem like an unending battle against emerging and deprecating technology, the goal of securing all of your business’s communications is not unattainable. All it takes is planning, policy, and enforcement.


Analyzing the needs of your organization

Sure, all of these new communication methods have definitely complicated security, but you also have to look at the other side as well. They allow us to do things that we have never been able to do before – we can get results in seconds that may have taken months in earlier days.

There are tremendous advantages to many of these technologies, so there is no point in being a Luddite and staying away from technological developments. As long as potential security risks are addressed, these solutions can be more than worthwhile.

Your organization should be leveraging these technologies to simplify its work processes as much as it can. But it needs to do so with a security-first mindset.


Take stock of your organization’s current communication methods

The first step is to look at the channels that are currently being used. Email is a given, and most businesses probably use cell phones and landlines as well. Does your business use messaging apps on top of this? How about VoIP or video call services? Is there a workplace Slack, Facebook or Telegram group?


What does your organization really need?

Once you have accounted for each of the channels that are being used, and what they are being used for, you can consider whether or not they are necessary. Does your business really need to use landlines, cell phones and VoIP, or can these be consolidated? Are texting apps important for getting work done quickly, or can you restrict messaging to email in order to simplify your systems?

If you can reduce the number of different communication channels that are used in your workplace without impacting productivity, it will make it much easier to administer them securely.

Does it need to be secured?

Let’s be honest, a lot of information doesn’t need to be secured. While SMS may be insecure, it probably doesn’t matter if all you are using it for is to send certain offers and promotions to your customers (although there may be certain healthcare situations where even something this simple can violate HIPAA).

If you can ensure that a given communication channel won’t be used to transmit sensitive or valuable information, then you may not need to find a secure alternative. Take the human factor into account when you consider this, because mistakes and laziness can end up being incredibly costly for businesses.


Look for Secure & Compliant Alternatives

There are a number of different solutions that allow you to message, call or video-call in a secure and compliant manner:

  • Calls – Neither landlines nor cell phones offer a safe way to voice call. Any calls that require security should be done over encrypted VoIP connections.
  • SMS – SMS is an insecure protocol, so secure email or messaging apps should be used whenever you are sending sensitive or valuable information. That said, a service like SecureText can be used to send SMS messages that alert recipients that there is a secure message waiting for them.
  • Email – Standard email is inherently insecure, but services that use portal pickup, PGP or S/MIME can be safe. Secure Email is a HIPAA-compliant option that offers a wide range of security configurations.
  • Messaging apps – SecureChat is HIPAA-compliant and secure. While options like Signal and WhatsApp also offer encryption, they do not offer HIPAA compliance.
  • VoIP – Signal and WhatsApp both encrypt their voice calls end to end, but they do not offer HIPAA compliance.
  • Video calls – Secure Video allows its users to deliver telemedicine or run conference calls with up to 100 people, all in a secure and HIPAA-compliant manner.


Establish a Policy

Once you have determined your business’s communication needs, analyzed the risks and come up with secure alternatives, it’s time to establish a workplace-wide policy that ensures these secure communication channels are used every time that sensitive and valuable information is transmitted.


Design the Policy to Handle Worst-case Scenarios

It’s best to be overly cautious in the policy and account for mistakes – remember, simple errors are often the cause of massively expensive HIPAA penalties.

Sure, a workplace Facebook group can be a great way to facilitate communications. You could even have a strict policy that sensitive and valuable information should not be exchanged in the group. It might even be effective for a long time.

But what happens when Robert from accounting has just woken up from his 2pm nap, and in a brief, bleary-eyed moment he forgets about the rules and posts something he shouldn’t? Even if it was a simple accident and Robert from accounting didn’t mean to do it, his actions could still lead to a HIPAA violation or to the information being stolen by a hacker or publicly exposed.

This is why it’s best to be overly cautious. Sure, you could have a workplace Facebook group, but why run the risk when you can use secure alternatives instead?


Training & Awareness

Once a policy has been established, you need to make your employees aware of it so that the new regulations are followed. Compliance can often be improved by explaining the reasons why the policy is in place and discussing the risks during training sessions.


Monitor & Enforce the Policy

Once your new policy has been set up, you will need to monitor whether or not it is being followed. In the transition period, you may notice violations, but if you address these carefully at the start and strictly maintain the policy, you will soon break the old employee habits.


Over time, there may need to be some reinforcement; otherwise the old habits can end up slipping back. This can be achieved through periodic training, continuing to provide awareness about the policy and the reasons behind it, and taking extra time to address those employees who have violated the policy.


Adjust the Policy as Necessary

Over time, new solutions will become available, while your current services may also become less secure. If you want your business to maximize its security and productivity, there is no reason for the policy to be set in stone. Instead, it should be adaptable, taking advantage of services that may improve performance while leaving behind those that may pose a threat. Policies should be reviewed and updated at least yearly.


Workplace-wide Secure Communications

Protecting all of your critical communication channels may sound like a challenging process, but luckily there is already a wide range of security-focused applications that are easy to implement.

At LuxSci, we offer a variety of secure and HIPAA-compliant alternatives in-house:

Arranging to take care of all of your secure communication services through one provider will result in systems that are more interoperable, save on overhead, simplify implementation and make management far less of a headache.

With the right approach and an expert technology partner, securing all of your organization’s communications is an easy way to drastically reduce the risks that it faces.