Despite the complexity of healthcare, there are many measures to mitigate the risks of cyberattacks on medical equipment.
A hospital bed has up to 20 medical devices connected to it on average. All those devices have a digital component, which transmits patient data to a hospital’s computer network. This means there’s always a risk of a compromised system, as all it takes is one vulnerable endpoint.
“Like other industries, healthcare is undergoing digital transformation. Medical technology is evolving, so more and more computerized devices get installed and connected to a healthcare facility’s network. The downside of this improvement is that it might become easier for hackers to intercept the system because unprotected devices accelerate vulnerabilities,” says Oliver Noble, a cybersecurity expert at NordLocker, a data encryption solution.
The Complexity of the Industry
A healthcare organization’s network is a very complex environment to control as it consists of a massive variety of equipment, databases, and systems that often include connections to external sources and third-party providers. On top of that, there are personal devices, like smartphones and laptops, brought in and used by the staff and patients.
“Healthcare providers have a large attack surface, and the complexity of the industry makes it extremely difficult for them to come up with effective defensive mechanisms, cybersecurity policies, and procedures,” says Noble.
Outdated systems and practices are one part of the problem. Underinvestment in cybersecurity, which leads to the inability of healthcare practitioners to identify and deal with persistent cyber threats, is another big issue. “Add a vast array of substantial medical records a hospital stores, and we have a ticking bomb. Deliberately tampering with stolen patient data could facilitate identity theft, extortion, or even put human lives in danger,” Noble warns.
Even though vendors providing hospitals with medical equipment and services must comply with various standards and regulations, the staff can also contribute to making sure the technologies are used securely. Everything starts with breaking cybersecurity down into smaller parts and taking it one step at a time.
Potential Measures to Mitigate the Risks of Cyberattacks on Medical Devices
- Training employees on what information is collected on what devices and how it’s stored, and what the risks and threats are.
- Enabling encryption between the PACS (picture archiving and communication system) and the hosts in the hospital’s radiology network.
- Using digital signatures to sign every critical action with a verifiable mark of authenticity.
- Putting the right protection around each device individually, as different devices have different configurations.
- Creating a centralized view of all devices connected to the network, monitoring their expected behavior, and raising a red flag whenever an activity deviates from the norm.
- Using a custodial provider to protect medical records. This means that an agency safeguards the data, and third parties like clinics need to request temporary access.
- Storing data backups in an encrypted cloud in case ransomware hits. This ensures the data doesn’t get leaked and access to it isn’t lost.
- Controlling access to information. Employees should be able to access only the information necessary to do their jobs. Limiting personal devices connected to the network should be considered, too.
- Investing in multi-layer detection and recovery systems. Installing such a system helps to identify and prevent malware installation.
- Stopping the use of File Transfer Protocol (FTP) servers operating in anonymous mode. Malicious actors can abuse anonymous access on such servers to steal sensitive information or launch a targeted cyberattack.
- Adding security requirements to purchase agreements with vendors. Vendors should make sure the firmware is up to date and keep hospitals notified of the ways their equipment could be exploited.
- Adding strong firewalls and using a virtual private network to offset some of the risks that come with additional connected devices.
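The centralized device view and deviation check described in the list above, as an added example that is not part of the original article or of any NordLocker product. The device inventory, IP addresses and flow log lines are constructed sample data; a real deployment would take the inventory from the asset register and the flows from a network sensor.

```python
"""Flag medical-device network connections that fall outside each device's
expected baseline, plus traffic from devices missing from the central inventory.
Inventory and flow lines are constructed for illustration."""
import re

# Constructed inventory: source IP -> device name and the (destination, port)
# pairs it is expected to talk to (e.g. a PACS workstation uses DICOM on 104).
INVENTORY = {
    "10.20.1.11": {"name": "infusion-pump-01", "allowed": {("10.20.0.5", 443)}},
    "10.20.2.21": {"name": "pacs-workstation-03",
                   "allowed": {("10.20.0.9", 104), ("10.20.0.9", 443)}},
}

# Constructed flow-log format: "<timestamp> <src> -> <dst>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def parse_flow(line):
    """Return (ts, src, dst, port) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("port"))


def find_deviations(inventory, log_lines):
    """Return a list of (src_ip, reason) alerts for flows outside the baseline
    and for devices nobody registered in the central inventory."""
    alerts = []
    for line in log_lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than crash the check
        ts, src, dst, port = flow
        device = inventory.get(src)
        if device is None:
            alerts.append((src, f"{ts} unknown device (not in inventory) -> {dst}:{port}"))
        elif (dst, port) not in device["allowed"]:
            alerts.append((src, f"{ts} {device['name']} outside baseline -> {dst}:{port}"))
    return alerts


SAMPLE_FLOWS = [  # constructed sample log lines
    "2024-05-01T08:00:01Z 10.20.1.11 -> 10.20.0.5:443",
    "2024-05-01T08:00:07Z 10.20.2.21 -> 10.20.0.9:104",
    "2024-05-01T08:01:12Z 10.20.1.11 -> 203.0.113.40:21",  # pump reaching an outside FTP port
    "2024-05-01T08:02:30Z 10.20.3.77 -> 10.20.0.9:104",    # device not in the inventory
]

if __name__ == "__main__":
    for src, reason in find_deviations(INVENTORY, SAMPLE_FLOWS):
        print(src, reason)
```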
“There’s a great need for reform within the healthcare industry as it is still lacking the initiative to prioritize cybersecurity. However, a lot can be done, starting from within an organization. As a part of risk management, contingency plans for different scenarios should be set up in advance,” says Noble.