Small business operators have access to valuable data and information entrusted by patients, suppliers and employees, alongside access to medical devices that have been supplied to patients. The risks posed by inadequate medical device cyber security should be addressed as part of a business plan for information management, including in relation to privacy.
The commencement of the Notifiable Data Breach scheme is an additional incentive for improved medical device cyber security. From February 2018, agencies and organisations regulated under the Privacy Act 1988 (Cth) (Privacy Act) with personal information security obligations are required to notify affected individuals and the Office of the Australian.
Information Commissioner (when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. Notifiable data breaches may give rise to complaints and other regulatory action under the Privacy Act.
Small businesses with significant involvement in medical device software should consider the guidance provided for large scale service providers, in particular development of an overarching risk management strategy, cyber secure procurement conditions, staff training, and cyber security planning.
Building on the advice provided for patients and consumers, the Australian Cyber Security Centre’s Essential Eight Maturity Model aims to raise the cyber security resilience of Australian organisations. While no single risk mitigation strategy is guaranteed to prevent cyber security incidents, organisations are encouraged to consider implementing all eight essential mitigation strategies.
The Essential Eight
Mitigation strategies to prevent malware delivery and execution
- Application whitelisting - to control the execution of unauthorised software
- Approved/trusted programs are whitelisted to prevent execution of unapproved/malicious programs.
- Patching applications - to remediate known security vulnerabilities
- Patches for extreme risk security vulnerabilities in commonly used programs should be applied within 48 hours if possible. To help with this, when practical, and appropriate, organisations should ensure software updates are set to apply automatically.
- Configuring Microsoft Office macro settings - to block untrusted macros
- Microsoft Office macros can be used to deliver and execute malicious code on systems. Microsoft Office macros from the Internet should be blocked and settings should not be able to be changed by users.
- Application hardening - to protect against vulnerable functionality
- Flash, ads and Java are popular ways to deliver and execute malicious code on systems. These should be hardened - either blocked or set so that users cannot change settings.
Mitigation strategies to limit the extent of cyber security incidents
- Restricting administrative privileges - to limit powerful access to systems
- Admin accounts are the very powerful; adversaries can use these accounts to gain full access to information and systems. Requirements for these privileged accounts should be validated initially and on an annual or more frequent basis.
- Patching operating systems - to remediate known security vulnerabilities
- Security vulnerabilities in operating systems can be used to further the compromise of systems. Verified patches for extreme cyber security risk within operating systems should be applied within 48 hours if possible, seeking clinical advice if required.
- Medical device products that operate on systems that have received a patch in response to an extreme risk will need to be managed to ensure that they operate as expected on the patched system.
- Multi-factor authentication - to protect against risky activities
- Stronger user authentication makes it harder for adversaries to access sensitive information and systems. Multi-factor authentication should be implemented for all remote access users.
Mitigation strategies to recover data and system availability
- Daily backups - to maintain the availability of critical data
- This is important to ensure information can be accessed again following a cyber security incident. Backups should be tested in line with relevant medical information standards.