It is no secret that 2021 was a year of lessons learned within healthcare systems, especially as the SARS-Cov-2 pandemic continues to pose unprecedented challenges across the world. Some of those challenges are not directly related to the troublesome virus, instead arising from new practices and infrastructures created to keep pace to rapid changes within the healthcare space. Such is the case with cybersecurity, where increased use of remote and telehealth programs, networked medical devices, and “smart” product storage come with their own inherent risks.
A Call for Better Cybersecurity Hygiene
Cybersecurity experts from two leading medical technology organizations warn that cybersecurity concerns are coming to a head in the healthcare space, as of 2021. This is a concern, they argue, not only for information technology (IT) professionals, but also for a hospital’s frontline personnel, who use or maintain interconnected medical devices every day.
“In fact, the greatest security exposure for the installed base of medical devices and systems is in how the medical device owners, operators, and technical support staff acquire, care for, operate, maintain, support, and eventually dispose of those devices/systems,” wrote Stephen Grimes, principal consultant at Strategic Healthcare Technology Associates in Swampscott, MA, and Axel Wirth, chief security strategist at MedCrypt.
In an open-access commentary published in BI&T, the peer-reviewed journal of health technology and sterilization from AAMI, Wirth and Grimes outlined 20 practices that should be followed by frontline personnel involved in either operating or supporting medical devices and systems.1
The practices range from “common sense” steps such as the use of unique and strong passwords and multi-factor authentication; to uncommon preventative measures, such as physically blocking network ports on a device that are not needed for its intended use.
Wirth and Grimes’ commentary comes on the heels of a rash of cybersecurity threats to hospitals within the last few years. In the last 24 months alone, The U.S. Department of Health and Human Services Office for Civil Rights launched investigations into a whopping 860 cases of health information breaches—the great majority of which can be attributed to hacking.
Additionally, according to a recent report from the HHS Cybersecurity Program, 60% of 2021’s ransomware attacks were directed at healthcare facilities or healthcare industry services. Of those attacked, clinics and healthcare industry services were the top targets. A survey of 130 hospital executives in security and IT roles conducted May 21–July 16, 2021 revealed that these attacks can cost dearly, with large hospitals reporting an average shutdown time of 6.2 hours at the cost of $21,500 per hour after an attack. Midsize hospitals averaged nearly 10 hours at $45,700 per hour.
“If you haven’t already realized it, the security of medical devices will continue to be a major focus of healthcare providers for the foreseeable future,” Wirth and Grimes wrote. “The security chain is only as strong as its weakest link, and it only takes one stakeholder’s one-time failure to learn and practice appropriate cybersecurity to result in a major cyber compromise.”
A Threat to the COVID-19 Vaccine Supply Chain?
“In January 2021, a large U.S. healthcare system asked for help to protect its refrigeration systems from radiofrequency (RF)-based analog cybersecurity threats against the temperature sensors used in COVID-19 vaccine cold chain transportation and storage,” an international team of researchers recently shared in BI&T, the peer-reviewed journal of health technology and sterilization from AAMI.
“It is well known in the security research community that intentional electromagnetic interference (EMI) can not only disrupt but also control the output of temperature sensors,” the team explained, citing concerns that “a malicious party can use EMI to drive the temperature readings for [COVID-19] vaccines higher or lower than its real value and cause false temperature excursions. Because EMI essentially refers to radio waves that can penetrate walls, malicious parties may launch this attack stealthily by generating EMI even in a different room from where vaccines are kept.”
The team, led by University of Michigan electrical engineering and computer science associate professor Kevin Fu, Acting Director of Medical Device Cybersecurity, FDA CDRH, investigated methods in which a malicious party may launch an attack on vaccine supplies. They also described “analog cybersecurity” strategies for protecting against such an attack. Their results are published as an open-access study.2
The study outlines key strategies health systems and companies can take to protect against an EMI attack, such as restricting access temperature display data. By limiting who has access to this data, novice hackers will be unable to rely on trial and error to determine which kind of EMI most effectively interferes with the shipment. Similarly, keeping the make, model, and other key details about a shipment’s sensors confidential will keep malicious parties guessing.
The team also suggests health systems keep cold supply chain equipment hidden or frequently moved around. However, the researchers were quick to point out that the security of these devices ultimately relies on the knowledge of the professionals using them. The study describes how, in some cases, it is acceptable to use temperature gauges that are simply not very susceptible to EMI, such as chemical-based readers or silicon-based microelectromechanical systems.
However, the authors note that both alternatives rarely function at temperatures lower than −40°C “and therefore are not applicable to monitoring COVID-19 vaccines, many of which require storage at ultra-cold temperatures.”
- Grimes, S. and Wirth, A. (2021). “The Case for Medical Device Cybersecurity Hygiene Practices for Frontline Personnel”. BI&T. https://doi.org/10.2345/0890-8205-55.3.96
- Long, Y., et al. (2021). “Protecting COVID-19 Vaccine Transportation and Storage from Analog Cybersecurity Threats”. BI&T. https://doi.org/10.2345/0890-8205-55.3.112