Despite the complexity of healthcare, there are several measures to mitigate the risks of cyberattacks on medical equipment.
On average, a hospital bed has up to 20 medical devices connected to it. All of those devices have a digital component that transmits patient data to the hospital's computer network. This means there is always a risk of a compromised system, because all it takes is one vulnerable endpoint.
“Like other industries, healthcare is undergoing digital transformation,” says Oliver Noble, a cybersecurity expert at NordLocker, a data encryption solution. “Medical technology is evolving, so more and more computerized devices get installed and connected to a healthcare facility’s network. The downside of this improvement is that it might become easier for hackers to intercept the system because unprotected devices accelerate vulnerabilities.”
The Complexity of the Industry
A healthcare organization’s network is a very complex environment to control as it consists of a massive variety of equipment, databases, and systems that often include connections to external sources and third-party providers. On top of that, there are personal devices, like smartphones and laptops, brought in and used by the staff and patients.
“Healthcare providers have a large attack surface, and the complexity of the industry makes it extremely difficult for them to come up with effective defensive mechanisms, cybersecurity policies, and procedures,” says Noble.
Outdated systems and practices are one part of the problem. Underinvestment in cybersecurity, which leads to the inability of healthcare practitioners to identify and deal with persistent cyber threats, is another big issue. “Add a vast array of substantial medical records a hospital stores, and we have a ticking bomb. Deliberately tampering with stolen patient data could facilitate identity theft, extortion, or even put human lives in danger,” Noble warns.
Even though vendors providing hospitals with medical equipment and services must comply with various standards and regulations, staff members can also contribute to making sure the technologies are used securely. Everything starts from breaking cybersecurity down into smaller parts and taking it one step at a time.
Thwarting Attacks Before They Happen
Below, Noble shares 12 potential ways to mitigate the risk of medical device cyberattacks:
- Train employees on what information each device collects and how it’s stored, as well as the risks and threats of each piece of equipment.
- Enable encryption between the hospital’s PACS and the hosts in the hospital’s radiology network.
- Install digital signatures to sign every critical action with a secure mark of authenticity.
- Put the right protection around each device individually, as different devices have different configurations.
- Create a centralized view of all devices connected to the network so that their expected behavior can be monitored and any activity that deviates from the norm is flagged.
- Use a custodial provider to protect medical records. This means that an agency safeguards the data, and third parties like clinics need to request temporary access.
- Store data backups in an encrypted cloud in case a ransomware attack hits. This ensures the data doesn't get leaked and access to it isn't lost.
- Control access to information. Employees should be able to access only the information necessary to do their jobs. Limiting personal devices connected to the network should be considered, as well.
- Invest in multi-layer detection and recovery systems. Installing such a system helps to identify and prevent malware installation.
- Stop using File Transfer Protocol, or FTP, servers operating in anonymous mode. After all, malicious actors can use the anonymous flaw in such servers to steal sensitive information or launch a targeted cyberattack.
- Include security requirements with vendor purchasing agreements. The vendor should make sure the firmware is up to date and that hospitals are notified of the ways their equipment could be exploited.
- Add strong firewalls and use a virtual private network to offset some of the risks that come with additional connected devices.
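The inventory-and-baseline idea behind several of the items above (a central view of every device, encrypted PACS traffic, no anonymous FTP) can be checked mechanically. The script below is an added illustration, not code from NordLocker or the article: it compares observed network flows against a per-device baseline and reports deviations. The device names, IP addresses, hostnames and flow records are constructed sample data.

```python
"""Baseline-driven monitoring of networked medical devices (illustrative)."""
from dataclasses import dataclass


@dataclass
class DeviceProfile:
    name: str
    allowed: set  # expected (destination, port) pairs for this device


# Constructed inventory: hypothetical devices, addresses and PACS hostname.
INVENTORY = {
    "10.20.1.15": DeviceProfile("infusion-pump-07", {("10.20.0.5", 443)}),
    "10.20.1.22": DeviceProfile("ct-scanner-01", {("pacs.internal", 2762)}),
}

# Ports whose traffic is cleartext and should not appear on this network.
CLEARTEXT_PORTS = {21: "FTP", 104: "DICOM without TLS"}


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    user: str = ""  # login name observed on the flow, if any


def check_flow(flow):
    """Return a list of findings for one observed flow; empty means it matches the baseline."""
    profile = INVENTORY.get(flow.src)
    if profile is None:
        return [f"{flow.src}: not in device inventory"]
    findings = []
    if (flow.dst, flow.port) not in profile.allowed:
        findings.append(f"{profile.name}: unexpected flow to {flow.dst}:{flow.port}")
    if flow.port in CLEARTEXT_PORTS:
        findings.append(f"{profile.name}: cleartext protocol {CLEARTEXT_PORTS[flow.port]}")
    if flow.port == 21 and flow.user.lower() in ("anonymous", "ftp"):
        findings.append(f"{profile.name}: anonymous FTP login to {flow.dst}")
    return findings


def audit(flows):
    """Run every flow through check_flow and collect all findings."""
    return [finding for flow in flows for finding in check_flow(flow)]


# Constructed sample flows: one normal, one unencrypted PACS transfer,
# one anonymous FTP session, one device that was never inventoried.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.0.5", 443),
    Flow("10.20.1.22", "pacs.internal", 104),
    Flow("10.20.1.22", "10.20.9.9", 21, user="anonymous"),
    Flow("10.20.1.99", "10.20.0.5", 443),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS):
        print(line)
```

A real deployment would feed flows from the network sensor or switch export that already exists rather than from a hard-coded list; the baseline per device is what makes deviations visible.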
“There’s a great need for reform within the healthcare industry as it is still lacking the initiative to prioritize cybersecurity,” Noble concludes. “However, a lot can be done, starting from within an organization. As a part of risk management, contingency plans for different scenarios should be set up in advance.”
Skirmante Akinyte works in media relations at NordLocker. Questions and comments can be directed to [email protected].