Column – The Evolution of Cybersecurity Threats to Medical Devices in the Wake of COVID-19
Cyberattacks on healthcare facilities were a concern before COVID-19. The frequency and severity of threats have evolved in this wake. As the attack surface expands into healthcare systems, cybercriminals are increasingly looking for vulnerabilities. Cyberattacks take a toll on a hospital’s reputation and bottom line, but patient care is of course the top priority.
A growing concern in this environment is the security of medical devices, which are growing in number and complexity and are increasingly networked. The pandemic has further exposed the risk and underscored the need to help protect your organization.
How COVID has increased cybersecurity risks for medical devices
The COVID-19 pandemic has heightened the threat facing hospital systems in several notable ways.
One is the most obvious: hospitals are concerned about a health crisis the scale and gravity of which have never been known in the world. Providers work long days under stressful conditions. A mental typing error on a phishing email is understandable after hours on the processing floor trying to save lives. Mental fatigue, cybercriminals know, is a vulnerability.
Other heightened concerns relate to the evolution of care amid the pandemic. To limit contact between providers and patients, hospitals have increasingly embraced the use of remote technology. But as a health care watchdog ECRI warned last yearthe rapid adoption of telehealth and the remote operation of devices designed for bedside use have increased the risk of cybersecurity breaches and tampering.
Likewise, providers have increased the use of kiosks and tablets so that patients can enter patient data themselves. While both convenient and socially distant, the practice adds even more entry points into a hospital network.
High risks further highlight the stakes.
The Imminent Threat to Hospital Cybersecurity
Hospitals are prime targets for cybercriminals. Healthcare systems have vast amounts of capital, troves of patient health data, and countless potential access points among the amount of IT assets found on every floor, office, and patient room. Healthcare industry incurred 10th consecutive year of highest breach costs, more than $7 million on average, according to IBM Security 2020″Cost of a data breach report”.
Headlines for ransomware attacks continued to arrive in 2021. Attacks crippled the IT systems of the Irish Health Serviceput five New Zealand hospital computer systems offlineand stolen patient records to nearly 150,000 people from San Diego’s second largest medical provider.
Meanwhile, the potential danger is only accelerating. Medical devices are increasingly connected to hospital networks. More than two-thirds of devices expected to be connected by 2025, Deloitte report on how medical devices are transforming healthcare.
Last year, the FDA’s acting director of medical device security warned that cyber threats targeting the medical device industry were becoming increasingly sophisticated. Increased use of cloud technology for real-time functions adds to the peril. “They’re actually financially motivated intruders who prey on low-hanging fruits,” Kevin Fu said during the Food & Drug Law Institute Annual Conference in May. “Healthcare happens to be a fairly easy fruit to grab when it comes to cybersecurity.”
Although medical devices are an entry point into a network, the overriding threat is for cybercriminals to find a way to disable or take control of a medical device, like an insulin pump. Another concern is that a cyber actor is using a compromised medical device to infiltrate other devices on a hospital network.
Simply put, there are many more devices going online, and as Fu told industry watchers, any connected device poses risks.
Where health systems can start
The cyber risks of medical devices are clear, especially during the pandemic. There are also a handful of simple steps you can take to protect your organization.
Follow the NIST Cybersecurity Framework heart. It outlines five basic functions for organizing your medical device cybersecurity efforts:
- Identify. Do you have an accurate inventory of all software, devices and systems? Are supply chain risk management processes established?
- Protect. Is physical and remote access to clinical assets protected? Are access permissions reviewed and managed? Do privileged users understand their responsibilities?
- Detect. Are clinical assets monitored to identify cybersecurity events? Is staff activity monitored? Are the processes continuously improved?
- To respond. Are response plans created, communicated, executed and maintained? Are incidents reported according to consistent established criteria?
- To recover. Do CE and IT teams undergo recovery planning, training, and testing? Is there also a plan to repair the reputation of the hospital?
Audit your network segmentations and test segmentations, a key step in our increasingly cloud-based world. Network segmentation helps prevent unauthorized users from accessing valuable assets such as patient data and financial records.
Align your clinical engineering and IT teams to share responsibility for cybersecurity. Who is responsible for medical device safety can be a gray area. For years, clinical engineering managed medical equipment and IT managed the hospital network. But when we connected medical devices to the health system network, the lines blurred. Adding to the uncertainty about monitoring is precisely what constitutes a medical device. Is a refrigerator that stores COVID-19 vaccines a medical device? Hospitals need clarity and consistency in how they assign responsibility for device management.
Onboarding a comprehensive medical device cybersecurity solution and accurate inventory management is essential, not only to identify where a device is, but also whether it is up to date with software updates and validated patches by OEMs. Real-time monitoring and threat detection are also essential. Another consideration is whether your solution offers on-site support with staff trained in medical device cybersecurity to augment your organization’s efforts.
Develop a game plan to execute your strategy. Outline a framework on how to start. Make sure your core CE team is adequately staffed and equipped, especially with a reliable inventory of assets. Don’t neglect the details of your execution. Medical devices are not like typical computer terminals (or IoT devices) such as laptops. All device fixes or fixes must be validated by the OEM prior to implementation.
Cyberattacks on hospitals can be life-threatening and costly. Actively protecting medical device cybersecurity must be part of your organization’s defense, especially in this time of a pandemic. Although the steps aren’t simple, it’s getting started.