A report issued by Independent Security Evaluators that highlights the vulnerabilities in medical devices and the risks they pose to patient health comes at an opportune time, as the past month has shown that hospitals are becoming targets for criminals.

Ted Harrington, executive partner at Independent Security Evaluators, said, "It's a scary report in a lot of ways, but our hope is to organize an industry in recognizing these problems. We are trying to make an entire industry start changing, especially one that is very regulated and complex. The conversations need to start happening."

What the report also evidenced is that the health care industry, guided by strict regulations for protecting patient data, "has focused almost exclusively on protecting patient data and not patient health. The focus is entirely on making sure the patient's record is protected and not tampered with, but that doesn't directly correlate to protecting the patient," Harrington said.

These findings are not entirely new, according to security expert Billy Rios, who said he's been fighting for stronger security in medical devices for five or six years now. The vulnerabilities in infusion pumps that Rios brought to light last year are but one example.

"The Telmed pump is not even a vulnerability. It's poor design, poor architecture. There is no patch for that. You can't patch the fact that a pump is running. It requires significant configuration changes," Rios said.

Regulations are not the panacea to the issues of cyber security, and Rios said that he dislikes regulations. At issue, though, is the reality that unless vendors are compelled to do something, they won't.

Rios said, "They have formal guidance for what they call pre-market solutions. You have to follow these to get clearance to sell your product. They have guidance, but guidance is up to you to follow."

Hospitals are doing all they can to minimize the risks of these devices, but for smaller hospitals, the budgetary limitations are confining. "They don't have the budget or the staff, and device manufacturers don't care about those folks," he said.

The general guidance, said Rios, is to put devices on their own networks. The problem is that hospitals have thousands of medical devices. "Having all devices segregated creates a burden for the delivery organizations," Rios said.

Many medical device vendors recommend that hospitals segment the devices, according to Rios, but he said, "That doesn't mean every hospital is doing that. A small hospital is not doing that. Instead all of the devices are connected. More mature hospitals are the ones that are actually doing the segmentation."

"Hospitals that have money and staff, those guys are segmenting devices as much as they can. Trying to segment as many of these devices becomes unwieldy from an architecture standpoint. No sane person would design their network this way," Rios said.

Israel Levy, CEO, BUFFERZONE, disagreed, arguing that today's technology allows for very flexible networks. Levy noted that the banking industry in some countries dictates that all the activities taking place with financials and money must be executed on a network not directly connected to the Internet. Still others execute a strategy of subnetworks, which allows them to keep the most important components in a separate location.

"Those separate locations create better security. You then regard subnets as insecure and take measures to transfer from the external to a secure network. These technologies are available today. As long as the strategy is to keep all the devices on a separate network, they will also need technology that allows the passing of information," Levy said.

Though none of the medical device vendors contacted were available to comment, security industry experts posed some technology solutions to mitigate the risks to patient health.

Jason K. Marchant, enterprise cybersecurity risk officer at Partners HealthCare System, said, "Most medical devices can be connected to a hospital's network, either wired or wirelessly, and communicate with the electronic health record (EHR)." Hospitals, in allowing this communication, might inadvertently subvert security controls.

For example, Marchant said, "Ports may be opened in a firewall to allow the medical device system to communicate with the EHR but these ports may also be known to distribute malware."

To best mitigate these risks, Marchant said, "Devices should be allocated to their own IP space and operate in their own virtual LANs. This can allow for more fine-grained control over the systems that can and cannot communicate with each other. It may also expedite the detection of anomalous activities on the network."

Having a healthy network security

Here are five strategies from security practitioners for securing both patient data and patient health.

Keep all systems and software up to date. "Attackers are using known vulnerabilities, and when IT managers don't or can't patch those systems, they are at a heightened risk," said Chris Doggett, a senior vice president at Carbonite.

Understand security controls. "Device companies may implement more lax security controls to expedite a system's installation and its support. Hospital staff should understand the risks to the system's configuration," said Jason K. Marchant, enterprise cybersecurity risk officer, Partners HealthCare System.

Be thoughtful about the long term. "Increasing budget, restructuring the organization, rearchitecting the network, or hiring additional personnel, are all long-term efforts. These long term plans should be created as soon as possible, and updated as the technology, threat, and defense landscapes evolve," wrote Independent Security Evaluators.

Create a buffer zone. "Run two environments on one machine. One side is connected to the medical device, and the other side is able to abstract the file and send it to the doctor," said Israel Levy, CEO, BUFFERZONE Security.

Educate all staff. "Make sure they don't know they are getting 'security training'—give them training that helps them personally, and they will bring that into work," said Ellen Derrico, senior director health care and life sciences, RES.

Though Marchant believes that security is a shared responsibility, he said, "The healthcare industry, especially hospitals without dedicated cybersecurity staff, could benefit from detailed vendor-provided documentation that describes the security controls configured by default in medical device systems and those that have not been configured."

Ellen Derrico, senior director of health care and life sciences from RES, said, "In reality, every hospital is a little different about how their landscape works. If the devices are all on the network as we saw from Hollywood Presbyterian, you are going to have vulnerability."

Everyone needs to be educated about the risks with the growing number of network connected devices because, "Anywhere there is a point of entry between a device and a system there is a vulnerability," Derrico said.

At the 2016 HIMSS Connected Health conference, Derrico spoke about the need to have technology in place to encrypt. "Hospitals need to have a white and black list of executable files. They need to elevate privileges so that not everyone can get administrative access, and they need to put in controls very carefully based on roles," Derrico said.

On other ways that security teams can take action to protect the network and patient health, Derrico said, "Have blanketing that protects the network and devices that is read only so that a hacker can't write something on a device. Lock device ports so that someone can't get information off of it from a stick."

There is both a technology piece and an education piece because if they are attacked, the whole network can get infected and affect the devices. Does this mean that protecting the network, where patient data lives, will in turn protect the devices?

Chris Doggett, a senior vice president at Carbonite, said that he was not trying to be critical of the ISE survey as it is a comprehensive blueprint, but "They missed the mark a little. There are individual or small group actors using un-targeted and unspecific threats to get money. Those can directly impact patient health."

On the kinds of threats and malicious actors assumed in the report, Doggett said, "The area of focus and the adversaries they highlighted--organized crime, terrorist, nation states--while those are true in theory, you'd be hard pressed to find real-life examples thus far where patient health was impacted by those threat actors in that manner."

While it's important to focus on cybersecurity's impact on patient health, Doggett said, "There are other categories that are more rampant today and they are going to unintentionally target patient health. Ransomware is a higher probability than an organized crime unit or nation state targeting a specific hospital."