By George Gray
Every day, millions of people put their lives into the hands of clinicians at healthcare systems they trust—and, increasingly, their care is being managed on medical technology that is wireless and connected. While the medical professionals work diligently to give their patients the best care possible, there’s also a different kind of threat to consider: malicious cybercriminals.
Leaders at hospitals and healthcare systems, as well as medtech device manufacturers, need to take steps to reduce risks and close large security gaps. The first step, of course, is awareness of the risks. Here are six points to think about.
1. The healthcare industry is a prime target for malicious cyberattacks.
Just look at the recent headlines: American Medical Collection Agency had more than 12 million patients recently affected by a data breach, along with another 7.7 million LabCorp patients. In a recent report, Armis Research found that about 200 million devices operating on the VxWorks platform, including medical equipment and IoT devices, are vulnerable to remote takeover due to 11 critical vulnerabilities.
While recent attacks and discoveries have prompted healthcare organizations to increase budgets from a maximum of 10% to almost 25% in 2018, according to HIPAA Journal, 39% of healthcare IT staff still reportedtheir biggest challenge when it came to implementing cyber-defenses is the lack of qualified employees, and it seems cybercriminals know it.
2. Protecting medical devices is critical to protecting the entire hospital IT system. Many medical devices are designed to operate over the hospital’s standard network, which makes them vulnerable to malicious attacks. Vendors once provided access to their devices to help support, and sometimes control, them remotely. However, this practice now makes such devices a huge vulnerability within the hospital network and a vector through which attacks to the entire system can be launched. Overall, as devices become increasingly connected, the ability to attack them remotely will also grow.
Many devices utilize old operating systems that have known weaknesses or have not been hardened to resist attacks. All these vulnerabilities expose the hospital to potential ransom demands and malicious control of life-saving devices currently in use with patients. So why do these new devices run on old operating systems? The progress continues to be limited because some vendors chosen by hospitals don’t offer updated interfaces. Additionally, these hospitals may not be even be aware their systems are outdated due to budget constraints and the unique expertise and skillset that’s needed within the hospital’s IT team.
This might be a tough conversation for some, but if you’re in healthcare and guilty of operating on an old system, it’s essential to speak with your vendors to update and fix it now. The FDA and other government agencies have also issued recommendations and guidance, including best practices, of which all healthcare leaders and medtech device manufacturers must be aware.
3. Wireless and connected infusion pumps are some of the most vulnerable devices.
The infusion pump is one of the most commonly used devices in hospitals. In fact, 90% of hospitalized patients receive an infusion during their stay, making a connected pump one of the most vulnerable devices in the hospital. Recently, researchers found attackers could install malicious firmware on a pump’s onboard computer, which in the worst-case scenario could be used to modify the program settings on the pump—including the infusion rates.
It’s a scary concept, but it’s also why healthcare organizations need to be properly informed about vulnerabilities and work with manufacturers to ensure that patches are applied and the technology their medical staff and patients use is safe.
National Institute of Standards and Technology also recently released a guide on the privacy and cybersecurity risks posed by Internet of things (IoT). Specifically, the organization outlined a set of voluntary recommended cybersecurity features to secure IoT for both manufacturers and organizations that connect these devices to the Internet.
4. Removing a device from the network or running it within a much more secure network is not a long-term option for keeping it safe.
While CISOs and IT staff at hospitals and healthcare systems may seek measures such as these to protect a device, this is not typically a reasonable mitigation in today’s healthcare environment.
To manage risks, healthcare system leaders must first ask device vendors to submit a Manufacturer Disclosure Statement for Medical Device Security for each network-connected device they supply to the hospital. With this document in hand, IT leaders can better understand the vulnerabilities of each of these devices and determine whether an acceptable mitigation to each vulnerability is possible. And, if not, they can consider alternative devices that better meet their needs. Executives should also ask vendors to supply any third-party security validation results they may have on file for their device. If none exist, they need to ask why and work with the vendor to ensure validation is performed in the near future.
5. Manufacturers and vendors need to raise the bar around the security of their devices and educate their customers on these vulnerabilities.
Manufacturers are truly the only ones who have the power and capabilities to fully secure the devices. In doing so, they need to have architectures that resist attacks, detect them if they occur and mitigate the effects once an attack is detected. The FDA is already beginning to play a role here by putting guidance in place for medical device vendors. However, cybersecurity is a moving target and will continue to be a critical part of how device vendors support their customers in the future.
6. As a whole, the healthcare industry needs to learn from other industries and share information and insights with organizations like the FDA to keep patients safe.
We mostly hear about IoT insecurities in consumer devices, and while the healthcare industry’s awareness of device security is improving, many clinicians still don’t even realize they use IoT-enabled devices. The healthcare sector needs to look at other industries to learn from mistakes and determine the best way to strengthen their own security approach and programs as well as to properly educate their workforce on all potential security vulnerabilities. For instance, there’s a lot the healthcare and medical device industries can learn from the victims of the WannaCry and NotPetya attacks.
There also needs to be more information sharing with internal stakeholders on risks and vulnerabilities, and while it can be hard to get the board and executives to spend time and money on risks, it needs to be made clear that the seriousness of these risks could make the difference between life or death for patients.
George Gray is CTO of Ivenix. Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe Stephens at [email protected].