Cyberattacks on healthcare facilities were a concern before COVID-19. The frequency and severity of threats have evolved in the wake of it. As the attack surface expands across health systems, cybercriminals are increasingly probing for vulnerabilities. Cyberattacks are costly to a hospital’s reputation and its bottom line, but patient care of course is the top priority.
A growing concern amid this environment is the security of medical devices, which are growing in number and complexity and are increasingly being connected to a network. The pandemic has further exposed the risk and underscored the need to help protect your organization.
How COVID Escalated Cybersecurity Risks for Medical Devices
The COVID-19 pandemic has raised the threat hospital systems face in a handful of notable ways.
One is the most obvious: Hospitals are preoccupied with a healthcare crisis whose scale and severity the world has never known. Providers are working long days under stressful conditions. A mental slip-up at the keyboard on a phishing email is understandable after hours spent on the treatment floor trying to save lives. Mental fatigue, cybercriminals know, is a vulnerability.
Other heightened worries involve the evolution of care amid the pandemic. To limit contact between providers and patients, hospitals further embraced the use of remote technology. But as healthcare watchdog ECRI warned last year, the rapid adoption of telehealth and remote operation of devices designed for bedside use increased the risk of cybersecurity breaches and tampering.
Similarly, providers increased the use of kiosks and tablet computers so patients could enter patient data themselves. While both convenient and socially distant, the practice adds yet more entry points into a hospital network.
The elevated risks further underscore what’s at stake.
The Imminent Threat for Hospital Cybersecurity
Hospitals are prime targets for cybercriminals. Healthcare systems have large amounts of capital, troves of patient health data and countless potential access points amid the amount of IT assets found on every floor, office and patient room. The healthcare industry for the 10th consecutive year incurred the highest breach costs, more than $7 million on average, according to IBM Security’s 2020 “Cost of a Data Breach Report”.
The ransomware attack headlines kept coming in 2021. Attacks crippled Ireland’s health service’s IT systems, put five New Zealand hospital IT systems offline, and stole patient records from nearly 150,000 individuals from San Diego’s second-largest medical provider.
Meanwhile, the potential danger is only accelerating. Medical devices are increasingly being connected to hospital networks. More than two-thirds of devices are expected to be connected before 2025, according to a Deloitte report on how medical devices are transforming healthcare.
Last year the FDA acting director of medical device security warned that cyber threats to the medical device industry are growing in sophistication. The increased use of cloud technology for real-time functions adds to the peril. “These are actually financially motivated intruders who are going after the low-hanging fruit,” Kevin Fu stated during the Food & Drug Law Institute annual conference in May. “Healthcare happens to be fairly low-hanging fruit when it comes to cybersecurity.”
Although medical devices are an entry point into a network, the prevailing threat is cybercriminals finding a way to disable or take control of a medical device, such as an insulin pump. Another concern is that a cyber actor will use a compromised medical device to infiltrate other devices on a hospital network.
Simply put, many more devices are going online, and as Fu told industry observers, any connected device presents risks.
Where Health Systems Can Start
The medical device cyber risks are clear, particularly during the pandemic. So, too, are a handful of straightforward steps to take to protect your organization.
Follow the NIST Cybersecurity Framework core. It outlines five basic functions to organize your medical device cybersecurity efforts:
- Identify. Do you have an accurate inventory of all software, devices and systems? Are supply chain risk management processes established?
- Protect. Is physical and remote access to clinical assets protected? Are access permissions reviewed and managed? Do privileged users understand their responsibilities?
- Detect. Are clinical assets monitored to identify cybersecurity events? Is personnel activity monitored? Are processes continually improved?
- Respond. Are response plans created, communicated, executed and maintained? Are incidents reported with consistent established criteria?
- Recover. Do CE and IT teams undergo recovery planning, training and testing? Is there a plan to repair the reputation of the hospital, as well?
Audit your network segmentations and test the segmentations, a key step in our increasingly cloud-based world. Network segmentation helps prevent unauthorized users from gaining access to valuable assets such as patient data and financial records.
Align your clinical engineering and IT teams to share responsibility for cybersecurity. Who has responsibility for medical device security can be a gray area. For years, clinical engineering managed medical equipment and IT managed the hospital’s network. But when we connected medical devices to the health system’s network the lines blurred. Adding to the uncertainty regarding oversight is just what constitutes a medical device. Is a refrigerator that stores COVID-19 vaccines a medical device? Hospitals need clarity and consistency in how they assign responsibility to device management.
Incorporating a comprehensive medical device cybersecurity solution and precise inventory management are key, not only to identify where a device is but also whether it is current with software updates and OEM-validated patches. Real-time monitoring and threat detection also is a must. Another consideration is whether your solution offers on-site assistance with staff trained in medical device cybersecurity to augment your organization’s own efforts.
Develop a game plan to execute your strategy. Outline a framework on how to get started. Ensure your core CE team is adequately staffed and equipped, particularly with a reliable inventory of assets. Don’t overlook the details in your execution. Medical devices are not like typical IT endpoints (or IoT devices) such as laptops. All device patches or remediations should be validated by the OEM prior to implementation.
Cyberattacks on hospitals can endanger lives and prove costly. Active medical device cybersecurity protection must be a part of your organization’s defense, particularly now during the pandemic. Although the steps aren’t simple, it is to get started.