The first known ransomware attack that affected networked medical devices occurred in May 2017. At this time, the global ransomware attack WannaCry affected radiological devices in some hospitals.
Cancer patients undergoing radiation treatment at four healthcare facilities had to reschedule appointments after a software outage caused by a cyberattack on their third-party vendor’s oncology cloud service.
These examples show how cyberattacks and data breaches affect the healthcare industry, which relies heavily on connected medical devices. It is imperative to safeguard the Patient Health Information (PHI) captured and stored in these connected medical devices. PHI is transmitted over the cloud through server-based systems, making it particularly vulnerable to hackers.
Medical Devices Are Everywhere
Whether it is stationary, implanted, or wearable external medical devices, patients’ lives, and well-being depend on the safety of these devices.
Many medical devices, such as insulin pumps, heart defibrillators, artificial cardiac pacemakers, and ventilators, are life-saving devices and equipment. Other examples include artificial joints, MRI and CT scanners, infusion pumps, clinic programmers, and home monitors. Devices in a hospital or healthcare setting–such as security cameras, RFID readers, point-of-sale systems, and guest access cards–should be safeguarded from possible cyber attacks and security breaches. Medical devices include computer systems and networks as well.
Modern medical devices are not isolated. They are interconnected locally and over the Internet.
Connected medical devices use built-in sensors to collect data that can be transmitted over the Internet and to other devices.
These devices and the data constitute the Internet of Medical Things (IoMT), helping to diagnose, monitor, and deliver treatment quickly to patients over the Internet.
Increase In The Use of Medical Devices
By 2030, the baby boomers are expected to reach retirement age. The percentage of people aged 65 and over is expected to double by 2050. This factor has led to the rise of connected medical devices to serve this segment–not just at care facilities but also at home.
During the pandemic, the use of medical devices saw a significant rise. Along with the convenience of using medical devices by patients at home come potential cybersecurity risks.
The use of medical devices is cost-effective and reduces healthcare costs, bringing benefits to many patients. They are in high demand due to the benefits of availability, connectivity, cost-efficiency, and accuracy.
What Are The Risks?
Some of these devices are considered weak links in the network. Health systems, medical equipment, and devices increasingly connect over wired and wireless networks and are interconnected with other devices and systems; thus, they are vulnerable to cyber attacks, security breaches, and risks.
The risks are numerous, including HIPPA regulatory risks, loss of sensitive Personal Health Information (PHI), the risk to patients’ lives, and loss of reputation of the healthcare facilities, companies, and the IoT ecosystem partners involved.
Since these devices have the same software and hardware, if one is successfully hacked, all other devices of the same make and model in that segment can be compromised, too.
There are a surprising number of IoT devices with default passwords on production networks. If compromised, these devices may act as the springboard for the attacker and can allow immediate lateral movement within the VLAN. The prime target is the data center, where Electronic Health Records (EHR) and Electronic Medical Records (EMR) systems are present and contain highly confidential Personal Health Information (PHI). From a threat perspective, that’s the primary data store. That’s where the Personal Health Information (PHI), payment information, and all the data required to generate the required health reports and financial statements are stored.
Making Devices Cyber Secure
Medical devices are vulnerable to security breaches, although the Food and Drug Administration (FDA) allows them to be marketed with a reasonable assurance that they are safe and effective.
Nonetheless, some guidelines to protect medical devices are worthy of mention.
In 2018, the FDA introduced the concept of a cybersecurity bill of materials for medical devices. The bill of materials has to be submitted by the medical device manufacturers before the devices are marketed. Also, the US Department of Homeland Security has categorized the healthcare and public health sector as one of sixteen critical infrastructure sectors whose assets, systems, and networks are vital to the United States.
Moreover, the recent executive order by the US government covered important aspects of medical device cybersecurity.
Ensuring The Safety of Medical Devices
Here are some best practices to protect against cybersecurity threats to medical devices.
Security During The Medical Device Development Process
Medtech companies need to adopt a “security by design” approach. Specific risk management protocols must be followed in the medical device product development cycle: From the management framework and planning, analysis, evaluation, and control of risks to their reporting and documentation.
● Cloud security measures
In a data breach, the onus is on the healthcare company and not the cloud services provider. Yet, cloud providers should follow specific guidelines to ensure security. This includes following FDA Cybersecurity Guidelines, implementing cloud security engineering best practices, conducting regular security audits, developing disaster recovery scenarios, and initiating action based on well-defined security and data-protection incident management process.
● Continuous measures
The medical devices or their software should enable real-time monitoring, cyber threat modeling and analysis, threat mitigation, and remediation. With regular logs and monitoring, any breach is detected as it happens. Prompt detection of a breach helps assess its impact and ensure its mitigation.
● Regular upgrades and installation of software patches to fix security flaws
Medical devices are often old, and upgrades are not always available. These inadequately supported medical devices are vulnerable to attacks, which can disrupt their critical functions and endanger lives. The medical device owner should proactively contact the vendor or manufacturer for any maintenance or upgrade issues related to their medical devices.
● Security from insider threats
The healthcare staff involved in handling and monitoring the device and the data generated through the devices should be trained regularly. Encryption of medical device data, security of the endpoint systems, proper access management, and asset management, and vulnerability assessments are simple steps to protect devices used in healthcare. Besides deploying appropriate user authentication measures, the facility should also consider physical locks on devices and communication ports.
The connected medical devices, which significantly improve patient care and provide better patient outcomes, should be maintained and upgraded to ensure patient safety from the design stage to their use in healthcare organizations or at home.
The IoT ecosystem consists of medical device manufacturers, providers, systems and software providers, system integrators, connectivity providers, and end-users. More collaboration between all the stakeholders to tackle the cybersecurity vulnerabilities and risks of connected medical devices will help prevent cyber attacks.