Securing Medical Technology in the Age of COVID-19

Consider the miracle of a pacemaker that promotes heartbeat regularity or an insulin pump that ensures a diabetic’s pancreatic function – both are devices operated by a distant network. Now, imagine if those networks were to fail.
Particularly in the age of COVID-19, technology experts are feeling the pressure to develop new strategies to tackle healthcare challenges. Cyber threats in the field of medical technology range from hacking of IoT medical devices, such as insulin pumps and pacemakers, to the PHI of cardiac arrest patients being locked by ransomware attackers, thus preventing timely treatment of patients in critical condition due to heart attack.

While thousands of patients utilize such medical devices, the security of these systems lies with the networks remotely powering the device. Moreover, nanomedicine – or the use of nantotechnology for healthcare purposes such as eradication of cancer cells – also relies on such distant networks. Like any computer network, SCADA systems face risks from a variety of cyber-attacks.

Recently, Dr. Gregory Carpenter, a Cyber Epidemiologist at KnowledgeBridge International Inc., has revealed his team’s investigation results, including the discovery that 23 of the 25 bio-nano carrier networks tested were vulnerable to basic DDoS attacks, as well as other legacy threats such as outdated and unpatched systems exposed to zero-day attacks. 

The operational nature of SCADA – especially in healthcare – remains highly collaborative, with medical staff sharing data amongst themselves as well as hospital IT teams sharing information with cloud brokers and providers. Indeed, as more medical organizations migrate to the cloud, such data sharing coupled with the lack of visibility inherent to the cloud environment poses many risks. 

As the attack surface increases l with both medical IoT and PHI’s exposure to the cloud, hospitals and medical device providers could benefit from ensuring that patient information is encrypted and their cloud providers have secure defenses in place against denial of service attacks.

In the area of cloud security, healthcare organizations should e bear in mind that while their cloud service providers control the physical security of the servers in their data centers, as cloud customers, the organizations themselves hold responsibility for encrypting data in transit. Therefore, all data – whether PHI or related to the operations of medical technology – should remain top priority for in-transit security.

In-transit encryption best practices involve the key elements of defining data protection requirements, implementing secure certificate and stored key management, automating data leak detection and authenticating network communications via IPSec or TLS protocols. Such steps to enforcement will help assure that data moving between the cloud provider and healthcare entity endpoint remains secure.

A helpful starting point might entail configuring load balancers to only interact with HTTPS traffic in order to promote encrypted movement of data between the host organization and cloud service provider. Another solution to in-transit security lies in the use of VPN between the cloud provider and healthcare customer. Additionally, both provider and customer must maintain cognizance surrounding faults in availability, in terms of impact to quality of care as well as implications regarding the potential underlying context of such events.

In particular, phishing campaigns have often worked in parallel to larger-scale attacks such as DDoS, in an attempt to infiltrate the target network while security teams focus on the availability-based incident. Therefore, healthcare senior management and IT personnel who observe compromise attempts via network intrusion detection data can help safeguard against a breach by warning all employees to remain vigilant regarding potential phishing emails.

As email-based attacks have especially targeted the healthcare industry amidst the recent COVID-19 crisis, medical professionals and their patients stand to gain the most from hospital management and practitioners learning how to avoid such correlated threats.

To this effect, security awareness training provides an optimal defense against the possibility for data compromise by human error. With fewer physicians and hospital administrators falling victim to scareware and other malicious email-based activity, the attack vector shrinks for cyber-criminals looking to capitalize on the panic over the current global pandemic. 

Furthermore, network administrators in the healthcare space can do their part by tightly monitoring infrastructure for any penetration attempt. A place to begin might be examining signs of botnet activity and other availability-based attacks with phishing attempts that occur within a similar timeframe of around 24 hours or fewer. As soon as a security team detects a compromise, all associated medical devices must be immediately remotely deactivated. 

Perhaps most importantly, providers of biotechnology as well as hospital services must maintain transparency with all customers and patients regarding any suspected or successful breaches. After all, the individuals receiving treatment in these instances face the highest risk, as any successful attacker holds the power to not only access PHI, but potentially also to hack into a medical device on which a human life might depend.

Sarah Katz is an author working in information security at NASA. Since graduating from UC Berkeley, she has published various pieces in research and science fiction, primarily surrounding the intersection of medicine and technology. Most recently, she has founded Cysec Health, a nonprofit group of cybersecurity volunteers supporting women's health organizations amid the COVID-19 pandemic.

What’s Hot on Infosecurity Magazine?