Document Storage Systems, Inc. (DSS), a leading provider of health information technology (HIT) solutions for federal, private, and public health care organizations, announced today it has added security solutions developed by PFP Cybersecurity (PFP) to its suite of solutions. PFP’s device credentialing toolsets will be offered by DSS to the Department of Veterans Affairs (VA) and the Defense Health Agency (DHA).
According to a shocking new report from the U.S. Government Accountability Office, 53 percent of connected medical devices and other Internet of Things (IoT) devices in hospitals have known vulnerabilities. Approximately one-third of health care IoT devices had an identified critical risk, potentially impacting the operation and function of the devices. And, the U.S. Department of Health and Human Services has released research showing that the medical data of over 61 million Americans has been stolen or exposed in more than 400 cyberattacks over the past year.
Current medical device security is software-centric and focuses primarily on how devices connect to the hospital network. Visibility into vulnerabilities in hardware components (for example, chips, boards, and power supplies) and firmware is a growing concern. The ability to credential device integrity based on hardware and firmware Bills of Materials (BOMs) is critical to protect medical devices from intrusion and unauthorized modifications, preventing patient harm and loss of patient data.
Besides security, PFP tools also enhance quality, safety, and reliability by detecting changes in settings and performance degradation for lifecycle management. The protections provided for legacy medical devices that lack built-in security can be classified into four main areas:
- Credentialing – Screening for counterfeit parts, firmware tampering, and other supply chain attacks
- Maintaining confidentiality – Monitoring without interrogation or connection removes the potential risk of disclosing confidential information
- Continuous monitoring – Detecting anomalous behavior due to unauthorized hardware/firmware modification and tampering after deployment
- Cataloguing – Maintaining “Device Signatures” that reflect “known good” devices and configurations
“Combining machine learning and signal processing, the PFP SigLytics solutions can detect and address security threats that would remain undetected by other available solutions, enhancing security and safety in many applications such as computer servers, legacy devices, IoT, and more. We are honored to be working with DSS to apply SigLytics to health care applications,” said Dr. Carlos Aguayo Gonzalez, CTO and co-founder of PFP.
These security capabilities help medical facilities comply with the regulations established in cybersecurity legislation such as GSA 505.7002 pertaining to supply chain management risk and DFARS clause 252.246-7007, which requires contractors to establish and maintain an acceptable counterfeit electronic part detection and avoidance system that includes risk-based policies and procedures.
Here are some of the specific benefits of the new service offering:
- Secure the Connected Network of Things: Compromised devices can impact direct patient care activities (e.g., IV pumps) and provide access for adversaries to attack other connected solutions. Even peripheral devices, such as IP surveillance cameras, could be used to launch attacks. Stealth attacks on critical devices that cause slight performance deviations could go unnoticed by providers and IT departments but cause significant errors in patient care.
“We are excited to work with PFP to make this new solution available to the VA and DHA,” said Mark Byers, president of DSS. “Research reflects that health care organizations and the federal government are top targets for cyberattacks. Our new solution will close a large visibility gap in their cyber defenses, allowing them to monitor, detect and remediate device-level hardware (medical and operational) vulnerabilities.”
These new solutions complement existing cybersecurity tools and do not compromise medical device operational or regulatory compliance. Continuous monitoring can be provided at the chip component level as well as full hardware diagnostics. PFP is one of the few solutions that can detect firmware and hardware anomalies.