The healthcare industry is victim to more cybersecurity attacks than any other sector. DJ Singh explains why medical devices need a strong dose of security
Healthcare cybersecurity incidents have included ransomware infections, data breaches, medical device security issues and hefty regulatory fines.
Technical innovations in the industry – the increasing adoption of electronic health records combined with an ever-increasing network of medical devices, healthcare apps and wearables – open up even more avenues for cyber-criminals to gain unauthorized access to sensitive data.
The biggest danger? The same thing that is being heralded as the future of healthcare innovation: the rapidly expanding ‘Medical Internet of Things’ and its associated complexity of embedded software security.
A recent security alert urged patients and healthcare providers to discontinue the use of a series of infusion pumps due to a flaw that could potentially allow an unauthorized remote user to alter the dose the devices deliver. While such safety-critical issues aren’t uncommon, most healthcare IoT security incidents are malware infections on network-connected medical devices and computers used to access patient data.
Many large healthcare entities have a huge and highly diverse inventory of medical devices, some of which are decades-old legacy products not designed to handle modern security systems.
The challenges involved in tracking and managing this massive array of devices contribute to the security risks posed by these products and their ancient operating systems.
With a primary focus on quality of care and patient safety, healthcare organizations are more focused on ‘checking off compliance boxes’ and may lack the specific expertise to identify security risks.
Unlike IT systems, medical devices are highly diverse and, at times, lack a common interoperable tool set, making even basic tasks such as scanning the network to build an inventory of devices challenging. Furthermore, the vast majority of older devices ship with default, hard-coded passwords that are often used by service technicians, which makes it even easier for criminals to gain access.
Given the long product development lifecycles involving complex regulatory approvals, medical devices are expected to remain in use for several years. To remain compliant with regulations, some devices are designed not to be altered in any way – including software updates. This makes it harder for device manufacturers to release security fixes that keep up with newer threats.
A Reasonable & Risk-based Approach
Device manufacturers and healthcare providers should consider:
- Limiting device access to trusted users via authentication
- Ensuring secure data transfer to and from the device
- Implementing alerts and logging features for security compromises
- Maintaining vigilance in responding to security issues
- Submitting cybersecurity risk assessments for both new products and legacy devices
Medical device cybersecurity risks must be viewed as a public health and patient safety issue that requires a trusted information-sharing environment. To enable a coordinated response to cybersecurity vulnerabilities, industry bodies – including device manufacturers and healthcare providers, as well as regulators – are working to create an environment that fosters collaboration and communication.
This will encourage stakeholders to share actionable information and best practices related to the safety, integrity and security of the medical devices and healthcare IT infrastructure.
The healthcare industry also needs to prioritize managing the emerging ‘Medical IoT.’ By carefully considering possible cybersecurity risks while designing medical devices, and having a plan to manage system or software updates, manufacturers can reduce the vulnerability in their medical devices. Protecting devices requires not only addressing technical issues but healthcare delivery and business issues as well.