Connected medical devices at high risk

The prediction that healthcare data would be aggressively targeted by ransomware attacks in 2017 has proven to be true.

The malicious WannaCry ransomware attack spread to over 150 countries and impacted over 300,000 devices in May. The world experienced another massive cyber-attack in June, Petya, which forced one hospital to rebuild all their hard drives as they were unable to access data and they needed to provide clean access to their electronic medical record (EMR).

Cybersecurity risks don’t stop with ransom attacks or traditional IT devices. A malicious actor could make their way into a pacemaker or insulin pump, potentially causing a lot more damage to a patient than an attack on a computer or server. The impact of an attack on connected medical devices and IoT pose a real patient safety risk. According to one poll, twenty-three percent of healthcare organizations stated that lax security on devices is their biggest concern which ranked second only to mobile device hacking which twenty-nine percent cited as their highest priority for 2017. Overall, fifty-eight percent of healthcare organizations ranked Internet of Things (IoT) device security, which includes connected medical devices, a high priority for 2017.

Most hospitals have hundreds to thousands of medical devices in use providing a variety of functions. Furthermore, healthcare IT environments have shifted from a homogenous makeup consisting of primarily a single OS, monolithic structure, reactive security approach and signature-based security tools/technologies to a more heterogeneous makeup with a variety of operating systems, different types of devices (including IoT devices), cloud-based applications and services and behavioral-based security tools/technologies. This causes medical IT networks to be complicated and potentially the most vulnerable access point in a medical facility’s infrastructure.

Why is healthcare data under attack?

More and more healthcare providers are digitized thanks to the 2009 HITECH Act and the speedy transition to electronic medical records (EMR). Most hospital IT departments’ have been focused on implementing EMRs without making advancements in their security program potentially putting patient data at risk. For a hacker, healthcare data is a gold mine of personal information that may be used for many fraudulent purposes, providing medical insurance numbers, credit card numbers, home addresses and other personal information. In fact, every year since 2009, healthcare provider entities have represented the largest percentage of reported breaches and that percentage has grown every year since 2014.

For connected medical devices, it’s very alarming that a 2015 report* by Raytheon & Websense suggests that “up to seventy-five percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being.” Even if that number is on the smaller side, like twenty-five percent, the industry’s security technologies would be missing a considerable amount of data. Are we capturing the necessary data to gain the insight of where our medical devices are and more importantly – what behavior are they demonstrating? Is it normal?

Who owns the problem?

With an increasing number of connected medical devices, medical IT networks are becoming more complicated. Typically, neither the IT department nor the Clinical Engineering (CE) teams within a healthcare organization have the necessary visibility and risk assessment tools, making unmonitored medical devices one of the most vulnerable areas in a medical facility’s infrastructure. The lack of clear definition surrounding who owns the problem (CE vs. IT) has produced a situation where one of two things happens:

1. One party assumes that another party is addressing medical device security.

2. Both parties are working in parallel without any cross-communication which results in wasted effort and possibly one party’s efforts counteracting the others’.

What can we do to address the problem?

First, a healthcare organization must gain visibility and situational awareness to address these security-related issues for connected medical devices.

1. Determine what devices are operating within your environment. This is by far the most difficult to overcome. Our experience has shown that we typically can’t get two people in the same organization to agree on how many devices are connected in their environment. What makes it so hard is the dynamic nature in which devices are introduced and removed from the environment. It is imperative that organizations develop processes to gain the required visibility in order to gather actionable intelligence based on the associated risk.

2. Acquire the situational awareness into what vulnerabilities each unique device presents to the operational environment. Much like gaining the insight into which devices are on your network, organizations need to develop and implement processes to discover and validate vulnerabilities to their medical devices. Unfortunately, it doesn’t stop there. Once validated vulnerabilities are identified, the organization must evaluate the associated risk. Only then can decisions be made about the appropriate actions to address the risk.

Second, healthcare organizations must establish clear lines of ownership and communication. As previously mentioned, responsibility for medical devices security seems to live between the IT department and Clinical Engineering. To best address the security of these devices, the management/ownership needs to fall squarely on one department’s shoulders with the latter acting in a supporting role. Unfortunately, we can’t tell you which department should own security because every health system is unique in its allocation of resources (people, time, funding). In turn, the organization needs to make that decision based on their individual circumstances but it is critical that the decision is made and it is clear.

Third, healthcare organizations should consider how they will address medical device security via compensating controls. Since many manufacturers are still playing catch-up with addressing the security portion of their devices it is critical that healthcare organizations institute compensating controls to reduce the identified risk or close the known vulnerabilities of medical devices. This could come in the form of a logical network separation or security technologies with unique controls that harden the environment in which the medical devices operate.

And finally, healthcare organizations should leverage technologies where appropriate to automate the management of medical devices. Thankfully, the industry is now starting to see technologies come to market that can accomplish the work outlined above in a more efficient and automated fashion. Investment in a connected medical device program that encompasses people, process and technology can gain an organization visibility into the devices on their network and their associated vulnerabilities (where risk can be ascertained) as well as assist in remediation. A well-designed security program will provide tremendous value in closing the security gaps and vulnerabilities surrounding connected medical devices.

Patients’ lives are at risk from cybersecurity attacks

Healthcare providers continue to be the biggest target and experience more cybersecurity breaches than health plans and business associates combined. Steps must be taken to protect patients, whether from ransomware or connected medical devices attacks, the stakes are simply too high.

For more information and tips for preventing cyber attacks, read Fortified Health Security’s Mid-Year Horizon Report: The State of Cybersecurity in Healthcare.

About the Author

Dan L. Dodson is President of Fortified Health Security where he brings over 10 years’ experience in the healthcare and insurance industries — serving as both an operational leader and sales leader. Dan’s specific focus has been in aligning organizational strengths with client needs through the execution of relevant go-to-market strategies and solution development. . He currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2017. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months