From imaging to monitoring systems, infusion pumps to therapeutic lasers and life support machines, medical devices are used to improve and streamline patient care.
Many of these are networked and they can be found everywhere in today’s hospitals. Depending on who you ask, in the U.S. there are, on average, either a handful or between 10 and 15 connected devices per bed, and keeping an eye on them is difficult.
“Our data shows that hospitals on average have lost track of 30% of their networked medical devices, making it much harder to protect them against hackers. This is particularly concerning because some 61% of all medical devices on a hospital network are at cyber risk and can be compromised by malicious attackers seeking to steal data, harm patients or ransomware,” says Motti Sorani, CTO of medical cybersecurity provider CyberMDX.
“Adding this to the broader picture, where nowadays almost 50% of endpoints in hospital networks are unmanaged devices, IoT or medical – it is apparent there’s a huge blind spot, with hardly any visibility of the devices or of their being attacked.”
The (security) problem with connected medical devices
Unlike other critical IT assets, connected medical devices are hardly visible in their native IT control systems, Sorani told Help Net Security.
“The IT teams often cannot even tell how many medical devices are connected, or their type, and they lack critical insight into the devices’ cybersecurity risk status, threats and vulnerabilities. Even more shocking, most hospitals lack the visibility to determine whether medical devices have been hacked.”
And they are getting hacked and/or impaired by attackers who are after information (personal, healthcare and financial data of patients and employees), money (mostly through ransomware and cryptocurrency mining), disorder (terrorists or “hacktivists”), or who want to conscript new devices into their botnets.
“WannaCry, NotPetya, Orange Worm and botnets effectively attacked medical and IoT devices because they are easy targets. Just last month the newly deployed Silex malware started bricking IoT devices, wreaking havoc everywhere, including in the healthcare sector. And we hear of hospitals around the world getting hit by ransomware nearly every week,” he pointed out.
Real-world repercussions are many: hospital shutdowns, compromised patient care, regulatory infractions, potential lawsuits and the loss of a hospital’s good reputation.
Unfortunately, there isn’t much patients can do when it comes to securing medical devices or their information.
In the U.S., HIPAA was created to protect (among other things) the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care, but that’s not nearly enough.
“All stakeholders involved must join together with renewed vigor to create more guidelines, regulations, and oversight,” Sorani opined, and said that the same goes for the cyber protection of medical devices: hospitals, device manufacturers, security providers, and regulatory bodies must collaborate to set higher standards for security.
Preparing for the future
The future holds in store an even greater number of IoT devices deployed everywhere, and that includes wellness and health-assisting IoT devices.
These technological advances will surely improve patient care – once the patient care model is reinvented to take advantage of wearable health technology and telemedicine – but will also bring new risks.
“If we judge by the recent healthcare attacks – ransomware downing the systems in two Ohio hospitals, phishing attacks that breached 21,000 patient records in Minnesota, the enormous SingHealth data breach – no healthcare organization can hope to be overlooked in the long run,” he noted.
“While many attacks are launched by lone wolves or small-time criminal affiliates, bigger attacks are usually performed by well-organized groups, often acting on behalf of nation-states. Given the global political situation, it’s likely these types of attack will become bigger, bolder and more frequent.”
Advice for healthcare CISOs
In an increasingly digitized world, protecting everything equally is not an option and HTM professionals must prioritize in order to focus mitigation efforts on more urgent needs and/or highest returns.
“Healthcare CISOs must gain visibility into their entire fleet of devices and incorporate the IoTs and medical devices into their cybersecurity program. They should look at solutions that could help them to automate, provide panoramic visibility into each device, and take control of them. Hospitals must deploy technology that not only identifies a security problem, but also solves it – from discovery and detection, to risk assessment and prevention,” Sorani says.
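The two steps Sorani describes, first discovering which devices are actually on the network and then prioritizing the ones that need attention, can be made concrete with a small reconciliation script. The following is an added illustration written for this article, not CyberMDX code and not a description of their product. It assumes an asset inventory exported from a CMMS or CMDB and a list of devices observed on the network (for example from passive discovery or DHCP logs); the inventory records, the observations and the risk weights are constructed sample data, and the scoring rule is an assumption chosen only to show how the “lost track of” devices and unsupported clinical devices float to the top of a remediation list.

```python
"""Reconcile a hospital device inventory against devices seen on the network
and rank them for remediation.

Added example, not CyberMDX code. All records below are constructed sample
data; the risk weights are assumptions made for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryRecord:
    """One row of the asset inventory (assumed CMMS/CMDB export)."""
    mac: str
    device_type: str
    owner: str                 # department responsible: HTM, IT, ...
    firmware_supported: bool   # vendor still ships security updates


@dataclass(frozen=True)
class NetworkObservation:
    """One device seen on the wire (assumed passive-discovery or DHCP source)."""
    mac: str
    ip: str
    vlan: str
    open_services: tuple       # service names seen listening, e.g. ("smb",)
    clinical: bool             # touches patient care (assumed from VLAN/type)


# Constructed sample inventory: four devices the hospital knows about.
INVENTORY = [
    InventoryRecord("00:11:22:aa:bb:01", "infusion pump", "HTM", True),
    InventoryRecord("00:11:22:aa:bb:02", "CT scanner", "HTM", False),
    InventoryRecord("00:11:22:aa:bb:03", "patient monitor", "HTM", True),
    InventoryRecord("00:11:22:aa:bb:04", "badge printer", "IT", True),
]

# Constructed sample observations: five devices actually on the network.
# Two of them (…05, …06) are absent from the inventory, the blind spot the
# article describes; …04 is inventoried but not currently seen.
OBSERVED = [
    NetworkObservation("00:11:22:aa:bb:01", "10.20.1.11", "clinical", ("http",), True),
    NetworkObservation("00:11:22:aa:bb:02", "10.20.1.12", "clinical", ("smb", "http"), True),
    NetworkObservation("00:11:22:aa:bb:03", "10.20.1.13", "clinical", (), True),
    NetworkObservation("00:11:22:aa:bb:05", "10.20.1.50", "clinical", ("telnet", "smb"), True),
    NetworkObservation("00:11:22:aa:bb:06", "10.20.9.7", "guest", ("http",), False),
]

# Assumed weights: legacy/cleartext and lateral-movement services count most.
RISKY_SERVICES = {"telnet": 3, "smb": 3, "ftp": 2, "http": 1}
UNKNOWN_DEVICE_PENALTY = 4      # not in inventory: nobody owns it or patches it
UNSUPPORTED_FIRMWARE_PENALTY = 3
CLINICAL_MULTIPLIER = 2         # patient-safety impact doubles the score


def reconcile(inventory, observed):
    """Return (unknown, missing): devices seen but not inventoried, and
    inventoried devices not currently seen on the network."""
    known = {r.mac: r for r in inventory}
    seen = {o.mac: o for o in observed}
    unknown = [o for o in observed if o.mac not in known]
    missing = [r for r in inventory if r.mac not in seen]
    return unknown, missing


def blind_spot_ratio(inventory, observed):
    """Fraction of devices on the network that the inventory does not know."""
    unknown, _ = reconcile(inventory, observed)
    return len(unknown) / len(observed) if observed else 0.0


def risk_score(obs, record):
    """Assumed scoring rule: exposed services + inventory/firmware status,
    doubled for devices that touch patient care."""
    score = sum(RISKY_SERVICES.get(s, 0) for s in obs.open_services)
    if record is None:
        score += UNKNOWN_DEVICE_PENALTY
    elif not record.firmware_supported:
        score += UNSUPPORTED_FIRMWARE_PENALTY
    if obs.clinical:
        score *= CLINICAL_MULTIPLIER
    return score


def prioritize(inventory, observed):
    """Rank observed devices by risk score, highest first, as (mac, score)."""
    known = {r.mac: r for r in inventory}
    scored = [(o.mac, risk_score(o, known.get(o.mac))) for o in observed]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    unknown, missing = reconcile(INVENTORY, OBSERVED)
    print("not in inventory:", [o.mac for o in unknown])
    print("inventoried but not seen:", [r.mac for r in missing])
    print(f"blind spot: {blind_spot_ratio(INVENTORY, OBSERVED):.0%} of observed devices")
    for mac, score in prioritize(INVENTORY, OBSERVED):
        print(f"{mac}  risk={score}")
```

On the sample data the unknown clinical device with telnet and SMB listening ranks first, the inventoried but unsupported CT scanner second, and the guest-network unknown third, which is the ordering a CISO would want a remediation queue to produce. In a real deployment the inventory and observation lists would come from the hospital's own CMMS and network discovery tooling, and the weights would be tuned to local policy rather than the assumed constants above.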
It’s also important for healthcare organizations to build cybersecurity strategies that cross multiple departments and functions.
“A cultural shift is required – one that breaks down silos between HTM professionals, IT and IS (and even the silos within those departments),” he added.