Protecting patients with cybersecurity

In 2018, there is no shortage of content that’s been published on the Internet of Things and how IoT has sparked a major transformation of nearly every industry in our lives. This revolution has also revamped how hospitals are managed, how patient data is gathered and how patients are treated. Yet the increasingly connected medical environment has exposed hospitals and clinical networks to unprecedented risks.

Below, readers will find a situation analysis focusing on the pending threats medical device vulnerabilities present, and what steps hospitals need to take in order to protect not only their facilities, but also their patients.

Some facts to start:

As defined by the FDA, a medical device “ranges from simple tongue depressors and bedpans to complex programmable pacemakers with micro-chip technology and laser surgical devices. In addition, medical devices include in vitro diagnostic products, such as general purpose lab equipment, reagents, and test kits, which may include monoclonal antibody technology.”

A connected medical device is a medical device that communicates via a private network, public Internet, or point-to-point connection (wired or wireless) or can be accessed in standalone mode via a user or machine interface.  

These entirely new ecosystems sprouted in hospitals to help improve the efficiency of patient care. The estimated number of connected devices is expected to increase from 10bn to 25bn over the next decade, according to the IBM Institute for Business Value. Some are calling this IoMT (The Internet of Medical Things). Yes as medical device technology advances, the number of devices exposed to malicious threats simultaneously increases.

Who are the bad guys?

The list of adversaries who hack into medical devices ranges greatly and illustrates just how expansive the issue is. The first group attacking critical medical devices is rogue nation states. Their motive for hacking is typically technology-driven to steal intellectual protocol, cause harm, and instill fear or blackmail.

The second group is comprised of attackers, hacktivists and criminals. This group attacks for several different reasons including thrill seeking, money, the challenge to disrupt, or for a criminal agenda. The last group that causes concern for hospitals are terrorists. They seek to disrupt, destroy, or exploit critical infrastructures. Unfortunately, in all of the above scenarios, patient data, well-being, and sometimes lives are affected.

What are hospitals facing today? Cybersecurity issues & incident results: Life threatening, financial losses and brand-name damage

Now that we’ve established who perpetrates the attacks, it’s important to understand what the actual risks are that hospitals face from an attack on their medical devices.

The risks are wide reaching:

• Big data leaks that include patient data
• Ransomware
• Regulatory infractions
• Third party access
• Patient care compromised
• Hospital shutdown
• Fear

With these risks in mind, there are also several ways that hackers are physically breaching hospitals.

See also

• Why investing in the healthcare sector means investing in AI
• Securing medical IoT layer by layer
• Merger Boom: What to expect from M&A and healthcare costs

Malware on Connected Medical Devices

Malicious software introduced onto device or system, potentially infiltrating the hospital’s entire network

Denial of Control

The device operation is disrupted, altered, delayed, or blocked. The flow of information can be changed, denying device availability or entry into the network can be used to control the device or system.

Device, application, configuration, or software manipulation

Device, software, or configuring settings modified producing unpredictable and unwanted results

Spoofed device/system status information

False information sent to operators either to disguise unauthorised changes or to initiate inappropriate actions by medical staff

Device functionality manipulation

Unauthorised changes made to embedded software, instructions on medical devices, alarm thresholds, or unauthorised commands issued to devices. This can result in a shutdown of devices or disabling of medical equipment

Safety functionality modified

Safety-related functionality manipulated so a device doesn’t operate when needed, or it run incorrect control actions, potentially leading to patient harm or damage to medical equipment

Next Step? Build a multi-layered defense against cyber threats

The pressure on HIT professionals to rapidly deliver security solutions that support hospitals’ business needs has never been greater than it is today. Hospitals are under tremendous pressure to adopt the latest technologies to stay competitive, improve efficiencies, drive down costs while continuing to provide patient care and protect patient safety. While these goals are certainly relevant, global companies that have amassed a disparate, geographically distributed and often siloed IT system landscape can attest to the fact that these objectives are not so easy to achieve.

Hospitals must deploy technology that not only identifies a security problem, but also effectively solves it – from discovery and detection, to risk assessment and prevention.  This is the only way they can continue fulfilling their mission of providing care and ensuring patient safety.

Written by CyberMDX