DSS Announces New Capability to Improve Medical Device Security
Company will offer security solutions of Power Fingerprinting, Inc. (PFP) to federal clients
PRESS RELEASE — Document Storage Systems, Inc. (DSS), a leading provider of health information technology (HIT) solutions for federal, private, and public health care organizations, announced today it has added security solutions developed by PFP Cybersecurity (PFP) to its suite of solutions. PFP’s device credentialing toolsets will be offered by DSS to the Department of Veterans Affairs (VA) and the Defense Health Agency (DHA).
According to a shocking new report from the U.S. Government Accountability Office, 53 percent of connected medical devices and other Internet of Things (IoT) devices in hospitals have known vulnerabilities. Approximately one-third of health care IoT devices had an identified critical risk, potentially impacting the operation and function of the devices. And, the U.S. Department of Health and Human Services has released research showing that the medical data of over 61 million Americans has been stolen or exposed in more than 400 cyberattacks over the past year.
Current medical device security is software-centric and focuses primarily on how devices connect to the hospital network. Visibility into vulnerabilities in hardware components (for example, chips, boards, and power supplies) and firmware is a growing concern. The ability to credential device integrity based on hardware and firmware Bills of Materials (BOMs) is critical to protect medical devices from intrusion and unauthorized modifications, preventing patient harm and loss of patient data.
Besides security, PFP tools also enhance quality, safety, and reliability by detecting changes in settings and performance degradation for lifecycle management. The protections provided for legacy medical devices that lack built-in security can be classified in four main areas:
Credentialing – Screening for counterfeit parts, firmware tampering, and other supply chain attacks
Maintaining confidentiality – Monitoring without interrogation or connection removes the potential risk of disclosing confidential information
Continuous Monitoring – Detecting anomalous behavior due to unauthorized hardware/firmware modification and tampering after deployment
Cataloguing – Maintaining “Device Signatures” that reflect “known good” devices and configurations
“Combining machine learning and signal processing, the PFP SigLytics solutions can detect and address security threats that would remain undetected by other available solutions, enhancing security and safety in many applications such as computer servers, legacy devices, IoT, and more. We are honored to be working with DSS to apply SigLytics to health care applications,” said Dr. Carlos Aguayo Gonzalez, CTO and co-founder of PFP.
These security capabilities help medical facilities comply with the regulations established in cybersecurity legislation such as GSA 505.7002 pertaining to supply chain management risk and DFARS clause 252.246-7007, which requires contractors to establish and maintain an acceptable counterfeit electronic part detection and avoidance system that includes risk-based policies and procedures.
Here are some of the specific benefits of the new service offering:
Secure the Connected Network of Things: Compromised devices can impact direct patient care activities (e.g., IV pumps) and provide access for adversaries to attack other connected solutions. Even peripheral devices, such as IP surveillance cameras, could be used to launch attacks. Stealth attacks on critical devices that cause slight performance deviations could go unnoticed by providers and IT departments but cause significant errors in patient care.
Protect Data: Compromised devices could generate corrupted clinical data that impacts clinical decisions with devices that are interoperable with the electronic medical record.
360 Degree Health: As health care innovation evolves and adopts broader remote patient monitoring/home health care capabilities, the requirement to create “hardened devices” that are less susceptible to intrusion will become foundational to standard operating procedures.
Zero Trust Model: Cybersecurity teams focused on accelerating defensive measures and posture, such as medical device patching and vulnerability detection, will benefit from PFP capabilities that complement those efforts with Zero Trust from single chips to devices and systems.
“We are excited to work with PFP to make this new solution available to the VA and DHA,” said Mark Byers, president of DSS. “Research reflects that health care organizations and the federal government are top targets for cyberattacks. Our new solution will close a large visibility gap in their cyber defenses, allowing them to monitor, detect and remediate device-level hardware (medical and operational) vulnerabilities.”
These new solutions complement existing cybersecurity tools and do not compromise medical device operational or regulatory compliance. Continuous monitoring can be provided at the chip component level as well as full hardware diagnostics. PFP is one of the few solutions that can detect firmware and hardware anomalies.
About Document Storage Systems, Inc. (DSS)
Document Storage Systems, Inc. (DSS) is a catalyst for health care innovation and digital transformation, helping the Department of Veterans Affairs as a solutions provider, systems integrator, and services contractor. DSS is committed to assisting VA in its High Reliability Organization journey and delivering care quality for Veterans by meeting top initiatives, changing regulatory requirements, and implementing enhanced business transformation across VA enterprise. For more information, visit https://www.dssinc.com.
About PFP Cybersecurity
PFP is an analytics company dedicated to helping organizations protect their critical assets in an increasingly connected world. With a focus on innovative solutions and a deep understanding of cyber threats, PFP provides a comprehensive range of services and technologies to mitigate risks, strengthen resilience, and safeguard organizations against cyberattacks.