IoT, Medical Device & Data Risk Assessment

Evaluating Your Unique Health Asset Environment

Your IoT, Medical Device and EHI Footprint

First combines deep healthcare, IoT/Medical Device security, and regulatory knowledge to bring Health Delivery Organizations (HDO’s) impactful and cost conscious services that immediately reduce enterprise risk.  As HDO’s look to bolster their readiness through assessment and compliance based needs, First’s approach is designed for program building engagements that accelerate your internal efforts and provide an outside perspective of your posture as it relates to privacy, security and vulnerabilities of all connected assets and associated data.

From medical devices, security cameras and panels to electronic health information (EHI) connected to consumers, First’s history in health information technology, device integration, regulatory adherence and cybersecurity frameworks create a unique understanding of how a through assessment can expedite initiatives surrounding inventory, device lifecycle, data at rest and in transit, pre and post market guidance and ambiguous ownership of overall asset security. The following services and deliverables are designed specifically for healthcare entities and are inherently flexible, recognizing that budgets must be maximized and providers have a variety of operational models.

Advisory Services

Cyber Health Assessments 

Identify and Manage Cybersecurity Risk
Once a healthcare organization has an understanding of their current standing, actions can be taken to assess the steps and costs associated with reducing risk. Conducting comprehensive assessments to baseline strengths, vulnerabilities and awareness are all components of proactive programs addressing PHI/EHI and valued information that may not be defined as PHI/EHI, such as educational or research data.

Comprehensive Risk Assessments and Programs
Conducting a Risk Assessment supports awareness and development of data security programs, allowing you to achieve your business goals while maintaining sound threat prevention and vulnerability mitigation in an environment of constant exposure. First leverages a NIST-based methodology when conducting a Risk Assessment, as the Office of Civil Rights (OCR) guidance on requirements for risk analysis points to recommendations and guidelines established by NIST for conducting a risk analysis. First’s healthcare specific assessment combines several security and technical tests into a single engagement aimed specifically at addressing the requirement of a risk assessment and ongoing risk management to “harden” your EHR, source systems, medical devices and associated hardware. Our risk assessments can be conducted as needed or as a part of a more in-depth compliance management program.

Risk Assessment Activities

  • External Security Assessment
  • IoT, Medical Device Inventory and Vulnerability Scans
  • Architecture Assessment
  • Internal Security Assessment
  • Wireless LAN Security Validation
  • Information Security Program Assessment
  • MACRA EHR Technical Controls Assessment
  • Executive Briefing

After data collection, First provides a detailed report of findings, observations, recommendations, and remediation steps. First uses the NIST CSF as a primary model, yet our experience with multiple frameworks allows for refinement and development of policies and procedures that map to HIPAA and work to support your organizations privacy and security targets.

Expertise in Regulatory, Frameworks and Controls

  • ISO 27001 and 27002
  • COBIT 5 Control Objectives for Information Related Technologies
  • NIST SP 800 Publications
  • HITRUST v9
  • CIS Critical Security Controls

Not all vulnerabilities are created equal. First’s automated testing evaluates devices, EHR’s, data, and source systems to test for known weaknesses. The First team then manually reviews the results of this testing to eliminate any false positives and acts on mitigating the high/critical vulnerabilities.

Questions that are answered include

  • What are the most critical vulnerabilities that threaten the security of your healthcare business?
  • What is the probability that a hacker could penetrate your perimeter and gain access to your data?
  • Does your organization have unauthorized hosts on the network?
  • How should the organization prioritize identified vulnerabilities, create a plan for improvement, and get the budget approved?

Pen Testing and Social Engineering Programs:
Penetration, social or behavioral engineering tests are an important element of overall vulnerability analysis. First is well versed in different penetration methodologies for healthcare entities, including internal and external network-based, web applications, mobile, wireless and physical, including social engineering. To maintain consistent quality results, each penetration test is led by an experienced information security consultant and conducted using our well-proven testing methodology, specific for healthcare clients.

First approaches each pen testing and social engineering engagement with an understanding that your organization is unique and will ultimately react differently to a standard process. Every healthcare client has variations in business processes, cultural characteristics, network topography, web and EHR applications and data requirements. First works diligently to ensure each client’s specific needs are accounted for throughout the process. No matter what type of test is conducted, the primary goals are to identify and prioritize security risks and to provide serviceable remediation recommendations.

Contact First to Learn More

Compliance and Readiness

Privacy and Security Rules and Policies – getting beyond compliance
Healthcare organizations are overwhelmed with regulations and requirements while protecting their critical assets. Understanding, updating and creating awareness of how to efficiently manage all this in today’s business environment is essential, yet may not warrant fulltime, in-house expertise. First’s healthcare compliance and readinessservices provide your organization immediate access to subject matter experts versed in recognized practice and approaches to go beyond compliance, creating a culture of proactive conduct. First will take that approach several steps further by leveraging our board and executive level experience to inform and educate leadership without technical rhetoric or complex decision paths.

HIPAA Security Assessment:
HIPAA compliance is an ever growing responsibility and for good reason, an ongoing effort in attentive organizations. The rules are broad and risk assessments are essential to safeguarding ePHI in accordance with 45 CFR § 164.308(a)(1). First evaluates all aspects of HIPAA, including the Security, Privacy, Data Breach Notification, and Omnibus Rules. The Risk Analysis is an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (ePHI) held by your organization. If gaps are identified, a First security advisor can assist you in developing a roadmap to achieve HIPAA compliance and OCR audit readiness adapted from guidance by OCR and NIST.

First’s Security Risk Analysis Approach includes:

  • e-PHI Scope Identification
  • Documentation Gathering
  • Threat and Vulnerability Identification
  • Control Analysis
  • Impact Analysis
  • Risk Determination
  • Control Recommendations
  • Results Documentation

Physical Security Evaluation:
The best way to identify whether your employees are following your organization’s security policies or not is to watch their behavior in action. Walking through your organization’s facilities and measuring compliance to the HIPAA Security Rule requirements versus actual employee practices, can quickly and efficiently document physical security problems that require immediate correction.

First has experience in conducting physical security walk-throughs of pre-selected facilities to observe what your employees do or do not do in line with HIPAA’s security and privacy expectations.  First Certified Protection Professionals (CPP’s) are also well versed in security design for health systems and how the physical elements are integrated with the logical elements of security.

Web Application Security Assessment
First’s web application security testing will help your entity fully understand potential vulnerabilities in the organization’s online applications, clearly evaluating whether a public website serving your customers or a third-party supplier interface into your EHR has weaknesses that could lead to an unintended business exposure. Our web application assessment goes beyond a collection of automated tests and utilizes manual analysis to delve more deeply into application logic and security controls, giving you peace of mind and not simply a HIPAA compliance check mark.

Our assessment activities will Identify vulnerabilities and the potential impact at the infrastructure, application, and operational levels using OWASP’s Application Security Verification Standard as a recognized testing benchmark. This will provide you with an accurate view of the organization’s website security posture as presented to potential attackers.

PCI Compliance and Diagnostic:
First can help you plan, analyze, track and monitor your PCI compliance program. Our assessments address level 1 & 2 merchant status, providing an independent validation to customers, card brands, and acquiring banks. First accounts for healthcare specific processing models while helping you to understand compliance risk, control options and control strategies as you achieve and maintain PCI compliance. Our service can be customized to assist with data flow analysis, network architecture review, preliminary gap analysis and vulnerability scanning.

Policy and Governance Implementation and Refresh:
Covered entities and business associates spend exorbitant amounts of time authoring policies and procedures, leveraging internet templates or documents that are quickly out of date. First security and privacy experts can rescue your team by drafting and developing healthcare policies and governance approaches to meet regulatory requirements, specific to your organization. Our knowledge of healthcare, information security and regulatory compliance requirements set’s First apart. Our experience includes HIPAA, FISMA, PCI, and more.

Combining our experience reviewing healthcare specific policies and procedures, and our deep knowledge of the regulatory requirements, First will review, revise, modify and document existing privacy and security policies and procedures for your organization, or develop new ones as required.

Many hospitals are solely leveraging the NIST CSF, yet others will adopt recognized practices from a variety of frameworks when developing a program. First’s experience with ISO, HITRUST and CSF enable us to help our clients accelerate governance maturity and meet future state goals more quickly. In addition, our supplemental education and staffing expertise serves your organization through a full suite of workforce privacy and security solutions, bolstering enterprise resilience.

Contact First to Learn More

First Connected Asset Program Management

First Cyber Health advisors are experts in addressing Medical Device, IoT, and Connected Asset security concerns in major health systems, specialty hospitals and physician practices at all stages of cyber maturity. We understand the unique challenges facing healthcare, inventory management, device lifecycle pressures, network design and the difficulty in working with device manufacturers to address legacy and insecure technologies. First provides clients the right mix of cyber, technical, clinical workflow, BioMed, and regulatory knowledge to bolster your organizations risk approach to connected asset management.

A sound  program includes the following activities and initiatives. First has the expertise to provide any or all of these items to meet the needs of your organization and its security requirements.

  • Risk Assessment (Problem Definition, Inventory, Scope, Device Lifecycle Management)
  • Policy (Set Goals & Guide Behavior)
  • Process (Standardized Procedures for Actions & Interventions)
  • Design (BIA, Controls vs Intended Use/Workflow)
  • Procurement (Pre-Purchase Evaluation, Mandatory Documentation)
  • Implementation (Operationalize Planned Activities)
  • Measurement (Dwell Time, Intrusion Volume, Recovery Time)
  • Management (Risk Assessment Committee, Risk Tolerance, PDCA)

Longer term approaches to bolster the security posture of your organization are important to establishing independence and a culture of security resilience. First aims to bring leadership, IT, clinicians, biomedical engineering and end users together in the active defense of your valued assets and patients.  First’s services extend to retained support approaches of IoMT as an option to ensure resilience while managing a tight budget.