In the news: another COVID variant, navigating the new medical device security law, and more
Over the past few weeks, several important developments have arisen that are poised to affect healthcare providers, manufacturers, and patients. One of the most significant among them is the emergence of a new COVID-19 variant, which has prompted concerns about its potential for increased transmissibility and vaccine resistance.
Additionally, the recent passing of the Medical Device Cybersecurity Act of 2021 is set to bring significant changes in how medical device manufacturers and healthcare providers approach device security. This month's news roundup covers these and other important healthcare news stories, including the risks posed by outdated operating systems and the KILLNET group's recent ransomware attack on US hospitals.
A new COVID-19 Omicron subvariant, known as B.1.1.529 or Ch.1.1, has been identified in South Africa and contains a Delta variant mutation. Health experts are concerned about the potential for increased transmissibility and vaccine resistance, with some countries already implementing travel restrictions on South Africa. Vaccine makers are also gearing up to update their vaccines, if necessary, to provide protection against the new subvariant.
The recently passed Medical Device Cybersecurity Act of 2021 aims to improve medical device security by requiring manufacturers to develop and maintain a cybersecurity vulnerability disclosure policy and to report device vulnerabilities to the FDA.
Healthcare providers should prepare for increased reporting of device vulnerabilities and ensure that their vendors are complying with the new law. Providers can also take steps to improve their own cybersecurity practices, such as conducting risk assessments, implementing security controls, and having an incident response plan in place.
Outdated operating systems on medical devices continue to be a major cybersecurity challenge for healthcare providers, as they may contain unpatched vulnerabilities that can be exploited by attackers.
To strengthen security, providers should implement a regular device inventory and risk assessment process and consider retiring legacy devices that are no longer supported by their manufacturers. Device manufacturers should also prioritize security in their product design and consider implementing mechanisms for remote updates and patches.
Third-party breaches are a growing threat to healthcare cybersecurity; a recent example is the KILLNET ransomware attack that impacted several hospitals. The U.S. Department of Health and Human Services (HHS) has now issued new guidance to healthcare organizations on how to manage third-party risks, including assessing vendor security practices, monitoring vendor activity, and having a response plan in place in case of a breach. HHS also recommends that healthcare organizations consider cybersecurity insurance to mitigate the financial impact of a potential breach.
While healthcare organizations have made progress in implementing security measures, it appears that there is still room for improvement. Experts suggest that healthcare organizations should focus on employee education, implementing multifactor authentication, and improving incident response plans. The use of artificial intelligence and automation may also help healthcare organizations better detect and respond to cybersecurity threats.