CSA Official Press Release

Published 03/12/2020

Newest Cloud Security Alliance Paper Sheds Light on Best Practices for Managing Risks Associated with Cloud-Connected Medical Devices

Paper provides key stakeholders with guidelines for procuring and securing medical devices to ensure vulnerabilities are mitigated

SEATTLE – March 12, 2020 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, announced today the publication of Managing the Risk for Medical Devices Connected to the Cloud. The paper, produced by CSA’s Health Information Management Working Group, identifies requirements for purchasing new medical devices to ensure the identification and mitigation of vulnerabilities prior to implementation and provides best practices for managing risk using degrees of separation from the patient (implantation, measurement, diagnostic, etc.) and those responsible for support (i.e., vendor, clinical engineering, medical staff, or IT).

“With the increased number of Internet of Things (IoT) devices, healthcare delivery organizations (HDO) are experiencing a digital transformation bigger than anything we’ve seen before. However, while the new breed of connected medical devices brings the promise of improved patient care and myriad other benefits, they also bring increased security risks,” said Dr. Jim Angle, the paper’s lead author and co-chair of CSA’s Health Information Management Working Group.

The number of files with sensitive data that are shared in the cloud has increased 53 percent year over year. As the number of files stored in the cloud increases, the percentage of files containing sensitive data also grows. Given that today, 21 percent of files stored in the cloud contain sensitive data, and of that, nine percent contains protected health information, cloud security is paramount.

“Running commercial, off-the-shelf software makes the device susceptible to the same vulnerabilities as any other computer. Compounding the problem, device manufacturers continue to use old technologies due to the time required to gain approval for medical devices, meaning these devices are sold even after the software has passed the main support period. This presents healthcare delivery organizations with threats and vulnerabilities that include technology issues, software risks, and human factors,” said Vincent Campitelli, co-chair of CSA’s Health Information Management Working Group.

The paper recommends that controls be evaluated against the CSA Internet Of Things (IoT) Control Framework, which allows an organization to evaluate and implement an IoT system within its ecosystem. This control framework is being expanded to include the Medical IoT (MIoT), specifically medical devices. The MIoT Security Control Framework is relevant for healthcare organizations that provide care that incorporates multiple types of connected devices, cloud services, and networking technologies. The paper also recommends continuous monitoring of the devices to ensure the effectiveness of the mitigating controls.

The Health Information Management Working Group aims to provide a direct influence on how health information service providers deliver secure cloud solutions (services, transport, applications, and storage) to their clients, and foster cloud awareness within all aspects of healthcare and related industries. Individuals interested in becoming involved in the future research and initiatives of this group are invited to do so by visiting the Join page.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.