The Internet of Things (IoT) has brought many improvements to the healthcare industry. Connected devices make it easier to track hospital resources, transfer critical data and enable telemedicine, but the industry’s increased reliance on these tools raises new concerns. Most notably, device developers, hospitals and regulators have fallen behind in implementing higher levels of cybersecurity.
U.S. hospitals host an average of 10 to 15 connected devices per hospital bed—and that does not include at-home devices, such as medical wearables. While connectivity makes health care more accessible and efficient, it requires new cybersecurity standards.
Medical Devices Are Vulnerable
A recent study revealed that more than half of hospital-based connected devices carry unpatched critical vulnerabilities. Similarly, more than half of lab departments run on outdated operating systems.
These vulnerabilities persist in part because the industry as a whole has little experience securing IoT devices, which often cannot be patched or monitored the way conventional IT endpoints can. Healthcare systems also often rush to deploy new technologies that promise benefits for patients and facilities without fully understanding their unique security requirements.
Cybercriminals are aware of these weaknesses and are exploiting them with rising frequency. Ransomware attacks against the healthcare sector grew by 90% in Q2 2022, making it the most-targeted industry. Given the sensitivity of the data these devices hold, this trend will likely continue as long as security remains weak.
The Dangers of Weak Security in Medical Devices
The current state of medical device security is even more concerning when the implications of these vulnerabilities are considered. Breaches in this sector could be far more costly than in other industries, given tighter privacy regulations and the potential for physical harm.
Poor device security could allow a cybercriminal to break into a telehealth platform and impersonate doctors in conversations with patients. Providers could lose access to pathogen and drug information. Attackers could then cause widespread health problems or spread dangerous misinformation.
Alternatively, criminals could hack into connected hospital devices to interfere with their operations. In 2019, a man ended up in a hospital after exploiting a security flaw to re-program his own insulin pump. A hacker could do the same and intentionally disrupt normal operations to endanger people’s lives.
How to Improve Medical Device Security
Improving medical device security requires effort and collaboration among multiple parties. Device manufacturers, providers that use these devices and regulatory agencies all carry responsibility for securing these technologies. Here’s a closer look at the steps each should follow.
Device Manufacturers. Cybersecurity starts with the device itself. One reason connected medical devices are so vulnerable is that security is often an afterthought in their design: strong authentication controls are frequently optional, and 82% of corporate IoT devices do not use transport layer security (TLS) on all data transmissions.
Medical device manufacturers should ship stronger security controls built in and enabled by default. That includes TLS for all traffic, with certificate validation, robust encryption of stored data, and multi-factor authentication (MFA), which adds a layer of security beyond usernames and passwords.
Substituting tokens for sensitive data in transmissions will also help. Tokenization replaces actual patient identifiers with non-sensitive surrogate values that map back to the real data only through a separately protected token vault, so an attacker who intercepts the traffic learns nothing sensitive. Tokenization complements TLS rather than replacing it, and the vault itself must be tightly access-controlled, since it becomes the one place where tokens can be resolved.
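The following is an added example, not code from the original article or from any device vendor, showing how the tokenization described above works end to end. The vault, field names, roles and the sample patient record are all constructed for illustration; a real deployment would run the vault as a separate, access-controlled service rather than an in-memory dictionary.

```python
import json
import secrets

# Fields treated as direct identifiers that must never leave the device in
# the clear (hypothetical policy for this example).
SENSITIVE_FIELDS = ("patient_name", "mrn", "date_of_birth")


class TokenVault:
    """Maps random surrogate tokens back to the sensitive values they replace.

    Tokens are 16 random bytes rendered as hex, so a token carries no
    information about the value it stands for. The same value always maps
    to the same token, which lets a clinician correlate readings from one
    patient without the wire payload ever containing the identifier.
    """

    def __init__(self):
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (consistent re-use)

    def tokenize(self, value):
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token, caller_role):
        # Fail closed: only an authorized role may resolve tokens. The device
        # and the transport path never hold this capability.
        if caller_role != "clinician":
            raise PermissionError("detokenization not permitted for role %r" % caller_role)
        return self._by_token[token]   # KeyError for a token the vault never issued


def tokenize_record(record, vault):
    """Return a copy of the record with every sensitive field replaced by a token."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(str(out[field]))
    return out


def serialize_for_transmission(record, vault):
    """What the device actually puts on the wire: JSON with identifiers tokenized."""
    return json.dumps(tokenize_record(record, vault), sort_keys=True)


def leaks_identifiers(payload, record):
    """True if any raw sensitive value from the record appears in the wire payload."""
    return any(str(record[f]) in payload for f in SENSITIVE_FIELDS if f in record)


# Constructed sample reading from a hypothetical continuous glucose monitor.
SAMPLE_RECORD = {
    "patient_name": "Jane Doe",
    "mrn": "MRN-000123",
    "date_of_birth": "1970-01-01",
    "glucose_mg_dl": 112,
}

if __name__ == "__main__":
    vault = TokenVault()
    wire = serialize_for_transmission(SAMPLE_RECORD, vault)
    print(wire)
    print("leaks identifiers:", leaks_identifiers(wire, SAMPLE_RECORD))
    token = tokenize_record(SAMPLE_RECORD, vault)["mrn"]
    print("clinician resolves", token, "->", vault.detokenize(token, "clinician"))
```

The clinical measurement (glucose_mg_dl) travels unchanged, since it is useless to an eavesdropper without the identity it belongs to; only the identifiers are tokenized. Note that an intercepted payload still reveals that some patient exists, which is why this is a complement to TLS, not a replacement for it.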
Healthcare Providers. Responsibility for medical device security also falls to providers. Understanding the security risks of the devices in use and communicating them to staff is an essential first step. Human error accounts for many breaches, so regular cybersecurity training is crucial for anyone who operates connected devices.
Changing default device settings is also vital. Attackers can typically guess default passwords or look them up in manufacturer documentation, so hospitals and clinicians should replace default passwords with strong, unique ones. Disabling unneeded services and interfaces, and enabling MFA and encryption where the device supports them, will also help.
Providers must also segment their networks to keep IoT devices separate from other systems. Segmentation limits lateral movement, in which an attacker who compromises one weak device pivots through the network to reach more sensitive systems and data. Hospitals should also apply software updates promptly and monitor device network traffic for anomalies.
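As an added example (not part of the original article, and not any hospital's or vendor's tooling), the checks above can be turned into an audit that runs over a device inventory and flags each device that still violates them: a known vendor default password, plaintext management services, firmware below a minimum version, placement outside the IoT network segment, and MFA disabled. The vendor name, model, default password list, minimum firmware, VLAN numbers and both inventory records are constructed for this example; the inventory stores only a SHA-256 of each device's admin password, which is assumed to come from the configuration-management system rather than the device itself.

```python
import hashlib

# Known vendor default passwords keyed by (vendor, model). Constructed here;
# in practice these come from vendor manuals and vulnerability advisories.
VENDOR_DEFAULT_PASSWORDS = {
    ("ExampleVendor", "IP-200"): ["admin", "1234", "service"],
}
# Minimum acceptable firmware per model (constructed).
MIN_FIRMWARE = {("ExampleVendor", "IP-200"): "3.2.0"}
# Plaintext or unauthenticated management protocols that should be disabled.
INSECURE_SERVICES = {"telnet", "http", "ftp", "snmpv1"}
# VLANs reserved for clinical IoT, kept apart from user and server networks.
IOT_VLANS = {40}


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def version_tuple(version):
    """'3.2.0' -> (3, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_device(device):
    """Return the list of findings for one inventory record; empty means compliant."""
    key = (device["vendor"], device["model"])
    findings = []

    # Default credential check: compare the stored hash against hashes of the
    # vendor's known defaults, so the audit never needs the plaintext password.
    default_hashes = {sha256_hex(p) for p in VENDOR_DEFAULT_PASSWORDS.get(key, [])}
    if device["admin_password_sha256"] in default_hashes:
        findings.append("default admin password still in use")

    for service in device["services"]:
        if service in INSECURE_SERVICES:
            findings.append("insecure service enabled: %s" % service)

    minimum = MIN_FIRMWARE.get(key)
    if minimum and version_tuple(device["firmware"]) < version_tuple(minimum):
        findings.append("firmware %s below minimum %s" % (device["firmware"], minimum))

    if device["vlan"] not in IOT_VLANS:
        findings.append("device on VLAN %d, not in an IoT segment" % device["vlan"])

    if not device["mfa_enabled"]:
        findings.append("MFA disabled on management interface")

    return findings


def audit_inventory(inventory):
    """Map device id -> findings for every record in the inventory."""
    return {device["id"]: audit_device(device) for device in inventory}


# Constructed inventory: one hardened pump and one still at factory settings.
SAMPLE_INVENTORY = [
    {
        "id": "infusion-pump-01", "vendor": "ExampleVendor", "model": "IP-200",
        "firmware": "3.2.1",
        "admin_password_sha256": sha256_hex("Qx9!m2Lp#vT7rW4z"),
        "services": ["https", "mqtts"], "vlan": 40, "mfa_enabled": True,
    },
    {
        "id": "infusion-pump-02", "vendor": "ExampleVendor", "model": "IP-200",
        "firmware": "3.1.0",
        "admin_password_sha256": sha256_hex("admin"),
        "services": ["telnet", "http"], "vlan": 10, "mfa_enabled": False,
    },
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(device_id, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Comparing password hashes rather than plaintext keeps the audit itself from becoming a credential store; the same hashing idea extends to checking against breached-password lists. Anything the audit flags on the VLAN check is also a candidate for a firewall rule review, since a device outside the IoT segment is exactly what segmentation is meant to prevent.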
Regulatory Bodies. Government regulators should also adapt to changing security landscapes. The HIPAA Security Rule came into effect in 2003, with its latest update coming in 2013. Cybersecurity concerns and needs have changed dramatically since then, so the industry needs more up-to-date standards.
Regulatory agencies should offer guidance and specific standards for medical IoT device manufacturers and end users. These guidelines will help improve education on relevant security risks and hold organizations accountable for their shortcomings.
Cybercrime is concerning in any industry, but in health care, poor cybersecurity practices can endanger lives. Given these risks and rising attack trends, medical device security must make broad, substantial improvements.
Fortunately, the technology and practices necessary to protect connected devices are available. With better education and collaboration, healthcare organizations can use these devices to their full potential without compromising patient privacy and safety.