By Susmit Pal
With stories about ransomware attacks, security breaches, and device hacks looming in the headlines, healthcare organizations must invest in a comprehensive cybersecurity strategy. Traditional firewall and antivirus protection, encryption, and sophisticated data analytics aren’t enough on their own to mitigate the risk of a breach across an ever-expanding healthcare IT network.
Such a landscape requires a more thorough and progressive solution that includes hardening devices, protecting data, access management, multi-layered protection, and adopting intelligent, proactive security. One area of particular importance is the need for hardening devices that have access to networks, especially with the growth of personal technology and smart medical equipment in healthcare environments.
Beyond the Traditional PC
Today, a multitude of device types and formats connect to a healthcare network, each with its own set of unique security requirements. Namely:
1. Computing devices such as laptops, desktop computers, tablets, and smartphones comprise one category. One of the biggest challenges for this category of device is being able to effectively combat the growing threat of advanced cybercrime, particularly malware, with 97% of malware being unique to a specific endpoint. Unfortunately, traditional antivirus software does not work against today’s sophisticated malware attacks.
2. Medical equipment such as diagnostic imaging machines, smart beds, and vital signs devices operate essentially as special-purpose computers. HIMSS reports that “hospitals and similar healthcare organizations typically have 300% to 400% more medical equipment than IT devices.” Most of this equipment operates as a “black box,” using its own specialized software and hardware. IT staff are typically unaware of the technology stack used in such equipment, so these devices typically do not undergo routine security testing and simulation.
3. Implantables, such as pacemakers and infusion pumps, extend the risk of a breach beyond patient health information to the patient’s wellbeing. Recent reports show these devices, such as perfusion pumps, are now vulnerable to hacking. A malicious breach that involves tampering with device settings puts the patient’s health, and potentially life, at risk. In fact, Johnson & Johnson recently issued a statement warning of vulnerabilities in one of their insulin pumps that “a hacker could exploit to overdose diabetic patients with insulin.”
Beware of Legacy Devices
In healthcare, workflow is critical, which makes adding a layer of protection to help eliminate risks and threats especially challenging. Staff members rightly fear that changes made to technology essential to treating patients might impede or prevent the device from operating properly. The problem with leaving these devices outdated while they remain connected to the network is that it leaves a rather large door open for cybercriminals. In fact, one study found that healthcare endpoints, such as laptops and desktops, are almost four times as likely to have an outdated Internet Explorer version.
These devices commonly have hard-coded passwords, redundant or unused code bases, and other software vulnerabilities. In addition, most systems have inadequate access controls and weak passwords. Other legacy devices, such as older ultrasound machines, medical imaging systems, and so forth, can expose organizations through security vulnerabilities from outdated operating systems, like Windows XP or NT; a lack of cybersecurity features including updates, patches, and protocols; and outdated coding standards.
Device Security Guidelines
According to FDA guidelines, device manufacturers, including those making medical imaging systems, perfusion pumps, and implantable devices, must remain “vigilant in communicating risks and hazards associated with their devices.” The Healthcare Information and Management Systems Society and the National Electrical Manufacturers Association developed the Manufacturer Disclosure Statement for Medical Device Security form, which enables manufacturers to list security features in a standardized way.
This standardization facilitates providers’ comparisons of device security. The form also helps health systems more efficiently assess risk for multiple devices. These types of efforts for increased transparency and information sharing will help drive manufacturers to better prioritize security concerns and introduce new protocols across a product lifecycle, including the initial design and testing stages.
So, what is the right path forward to hardening devices?
- Cybersecurity at the device level must address all components in the software and hardware stack.
- Hardening devices begins with regular patching and configuration management, including outfitting devices with hardware-level security.
- Protect data wherever it goes, both at rest and in transit, with data encryption, and include advanced malware protection on all endpoints. Traditional antivirus software does not work against advanced threats.
- Detection methods using machine learning and artificial intelligence can deliver better results.
- Security should be embedded as part of the software development lifecycle of a device.
Although such measures represent only a fraction of what can and should be done to develop and expand a comprehensive cybersecurity plan, hardening devices is an effective, inexpensive way to help protect sensitive personal health information, as well as to shore up protection at some of the organization’s most vulnerable endpoints.
Susmit Pal is a healthcare strategist for healthcare and life sciences at Dell EMC.