Not so long ago, medical devices required only physical security considerations—only those who had access to the device could access the device’s data. However, through the Internet of Things (IoT), medical devices’ connectivity to the cloud has put them in the cross-hairs of cyber attackers.
Medical Device Cyber Threats
Medical devices, from heart valves and MRIs to closed loop drug delivery systems and surgical planning tools, are obviously critical to diagnosing and treating health issues. However, these lifesaving devices also pose major risks. Healthcare IT security experts warn that Internet-connected devices and equipment are prime targets for hackers. These attackers use backdoor hacks (like last year’s Kwampirs from cybercriminal group Orangeworm, which focused 39% of its attacks on medical devices) to compromise x-ray equipment, patient consent form apps, and MRIs with the motive of stealing healthcare data, using computer resources, or setting up a ransomware attack. The problem has become widespread for many reasons.
Sitting Duck Devices
A few conditions are contributing to the vulnerability and cyberattack appeal of medical devices. First, as stated earlier, is the fact that devices are now Internet-connected. Another major problem is the lack of collaboration among providers, suppliers, and manufacturers. According to a Deloitte poll of professionals in the IoT medical device industry, almost 20% cite collaboration challenges throughout the IoT medical device supply chain. A third contributing factor is the lack of cybersecurity experience, knowledge, and awareness among those in the industry. An unnerving study of hospital security revealed that medical staff and even hospital IT employees earned failing grades at basic cybersecurity practices. So what can be done to protect patients and devices?
Boosting Medical Device Security
In response to the growing cyberthreat to medical devices, the Food and Drug Administration (FDA) recently released the Medical Device Safety Action Plan: Protecting Patients, Promoting Public Health report. The report focuses on the development of a patient safety net for medical devices, creation of regulations to expedite and improve the quality of post-market device risk mitigation, promotion of safer medical device innovation, and overall improvement of medical device cybersecurity. In addition, all healthcare organizations can develop secure practices and solutions across processes, people, and technology through ongoing cybersecurity training, third-party penetration testing, and investment in cybersecurity expertise, either through hiring or partnering with third-party security experts.