When purchasing medical devices, software, and services from vendors, healthcare organizations must understand exactly what information the vendor can access and use and for what purpose. Often the data is used by vendors to perform routine maintenance, enable features, or address potential vulnerabilities. Regardless of how data is used, healthcare organizations must protect sensitive data.
Ensuring that vendors are appropriately accessing and using data is crucial to your reputation and to the privacy of your patients. When it comes to managing vendor data risk, comprehensive risk assessments are a necessary component.
Vendor Assessments to Determine Remote Access
A vendor risk assessment should include questions to vendors about how their products connect to your environment. Cover medical devices as well as any other connected smart devices, such as smart thermostats or HVAC units controlled by mobile apps. Depending on the device, these connections can transmit a variety of data.
For example, when using a cloud-based portal or a mobile app, healthcare staff may receive personal health information (PHI) via a medical device. Meanwhile, an operating room sanitization robot may send diagnostic data about its performance to the vendor's system.
Vendors must be transparent about all connections to their devices and software as well as the type of data that’s sent back to the vendor’s network. Any Internet connection can give a hacker access to a device and software, even if it's only used to send diagnostic data from a smart printer to alert the vendor that more toner is needed. Vulnerabilities that could expose your organization to security risks should be documented, and mitigation efforts should be tracked.
Managing Third-Party Remote Access Risks
During your vendor risk assessment, confirm that there aren’t any “backdoors” left unattended that could compromise the medical devices and software. If a backdoor exists, your organization needs to know about it. If that backdoor is absolutely necessary, for debugging for example, the vendor should make sure proper security controls are in place to prevent a bad actor from finding and exploiting it.
Effective security controls that you should look for include:
- Multifactor authentication (MFA) tools
- Encryption software and network connections
- Zero-trust model
- Robust cybersecurity policies
- Security awareness training for all employees
- Virtual desktop infrastructure (VDI)
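The two checks described above, that every vendor connection is declared and that declared remote-access paths carry the expected controls, can be turned into a repeatable reconciliation step. The script below is an added example written for this article, not code from the original page or from any vendor; the device names, vendor hostnames, the `203.0.113.45` address and the firewall flow lines are all constructed sample data, and the `encrypted`/`mfa` fields stand in for whatever the vendor attests in its questionnaire. It compares the vendor-supplied connection inventory with outbound flows observed at the firewall, flags any flow the vendor never declared (a candidate undocumented path or backdoor), and flags declared paths that are unencrypted or that provide interactive remote support without MFA.

```python
"""Reconcile a vendor's declared connection inventory against observed
outbound flows and report undeclared paths and missing controls.

All inventory entries, hostnames and flow records are constructed
sample data for this example (hypothetical assets and vendors).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeclaredConnection:
    device: str       # asset tag of the connected device (constructed)
    dest_host: str    # vendor endpoint the vendor says the device reaches
    dest_port: int
    purpose: str      # e.g. "diagnostics", "remote support"
    encrypted: bool   # vendor attests the path uses TLS or a VPN
    mfa: bool         # vendor attests MFA is enforced for interactive access


# Vendor questionnaire answers, one row per declared connection (constructed).
DECLARED = [
    DeclaredConnection("INFUSION-PUMP-01", "telemetry.vendor-a.example", 443, "diagnostics", True, True),
    DeclaredConnection("OR-SANITIZER-02", "fleet.vendor-b.example", 8883, "diagnostics", True, False),
    DeclaredConnection("OR-SANITIZER-02", "support.vendor-b.example", 22, "remote support", True, False),
    DeclaredConnection("PRINTER-03", "toner.vendor-c.example", 80, "consumables alert", False, True),
]

# Outbound flows exported from the firewall, with the source already mapped to
# an asset tag: "<device> <destination> <port> <protocol>" (constructed).
OBSERVED_FLOWS = """\
INFUSION-PUMP-01 telemetry.vendor-a.example 443 tcp
OR-SANITIZER-02 fleet.vendor-b.example 8883 tcp
OR-SANITIZER-02 support.vendor-b.example 22 tcp
OR-SANITIZER-02 203.0.113.45 5900 tcp
PRINTER-03 toner.vendor-c.example 80 tcp
"""


def parse_flows(text):
    """Parse the flow export into a set of (device, destination, port) tuples."""
    flows = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device, dest, port, _proto = line.split()
        flows.add((device, dest, int(port)))
    return flows


def find_undeclared(declared, flows):
    """Observed flows with no matching row in the vendor's inventory.

    Each hit is a connection the vendor did not disclose and must explain.
    """
    declared_keys = {(d.device, d.dest_host, d.dest_port) for d in declared}
    return sorted(flow for flow in flows if flow not in declared_keys)


def find_control_gaps(declared):
    """Declared paths that lack a control the assessment expects."""
    gaps = []
    for d in declared:
        if not d.encrypted:
            gaps.append((d.device, d.dest_host, d.dest_port, "unencrypted path"))
        if d.purpose == "remote support" and not d.mfa:
            gaps.append((d.device, d.dest_host, d.dest_port,
                         "interactive remote access without MFA"))
    return gaps


def assess(declared=DECLARED, flow_text=OBSERVED_FLOWS):
    """Run both checks and return the findings as a dict."""
    flows = parse_flows(flow_text)
    return {
        "undeclared": find_undeclared(declared, flows),
        "control_gaps": find_control_gaps(declared),
    }


if __name__ == "__main__":
    findings = assess()
    print("Undeclared connections (ask the vendor to account for each):")
    for device, dest, port in findings["undeclared"]:
        print(f"  {device} -> {dest}:{port}")
    print("Declared connections missing an expected control:")
    for device, dest, port, gap in findings["control_gaps"]:
        print(f"  {device} -> {dest}:{port}: {gap}")
```

Run against the sample data, the report lists the sanitizer's undeclared connection to `203.0.113.45:5900`, the sanitizer's remote-support path with no MFA, and the printer's plaintext consumables alert; each is an item to document in the assessment and track to mitigation. In practice the declared inventory comes from the vendor questionnaire and the flow export from your firewall or network monitoring, and the check is worth re-running after every vendor software update, since updates are a common way for new connections to appear.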
Vendors can provide technologies that help improve patient care and make it more efficient. Still, when shopping for medical devices, software, and services, your organization must conduct comprehensive vendor risk assessments. Those risk assessments help your organization determine whether the vendor is being transparent regarding the types of data connections utilized in their devices or software and how that data is transmitted to and from the Internet. But, most importantly, you can identify and validate the types of security measures that are in place to protect your organization and patients.