When attacking a healthcare provider, hackers typically focus on the weakest link, which is often the organization’s medical devices. Attack surfaces have rapidly expanded as the number of medical devices connected to the internet has proliferated.
“A single hospital bed alone may have a dozen connected devices,” says Balaji Venkataraman, The HCI Group’s cyber security leader. “If a person can hack a medical device, they are playing with the life of the patient who is associated with that bed,” he says.
A compromised medical device can also give a hacker entry into the broader IT environment. “Network access also lets them access other systems that are vulnerable,” Balaji Venkataraman said.
Cyber-attacks like those that target medical devices are one of the primary targets for the surge in healthcare data breaches. In 2020, hacking and IT incidents accounted for 67.3% of the industry’s 599 breaches, according to the 2021 Healthcare Breach Report from Bitglass.“Since 2018, the number of hacking and IT incidents has increased each year, meaning that IT resources are increasingly used by organizations and targeted by malicious actors,” researchers stated.
Risking patient safety
More alarmingly, the 2020 HIMSS Cybersecurity Survey showed that significant security incidents affecting both systems and devices can impact patient safety. “There is usually a direct impact on a patient’s health or well-being when medical devices are compromised. These devices are often life-sustaining or life-saving,” researchers wrote.
A HealthITSecurity article about top healthcare cybersecurity threats coming in 2022 noted, “As the healthcare industry continues to advance its technological capabilities and improve medical devices from a patient care perspective, some fail to recognize that innovation and cybersecurity risks are a package deal.” For example, hospitals often struggle to track all of the devices on their networks because many devices are portable or implanted in patients.
In a recent speech, Kevin Fu, acting director of cybersecurity at the FDA's Center for Devices and Radiological Health, said that ransomware attacks on healthcare organizations’ networks are causing medical device "outages" that put patient lives at risk, MedTech Dive reported. “You can't have a safe and effective medical device if it's unavailable," Fu said, according to a
MedTech Dive article about ransomware attacks putting availability of medical devices at risk.
Indeed, almost one in four healthcare providers have reported an increase in mortality rate due to ransomware, according to a Ponemon Institute research into ransomware attacks on healthcare delivery organizations.
Addressing medical device security
Hackers often target medical devices due to their vulnerability. “Threats and vulnerabilities cannot be eliminated and reducing cybersecurity risks is especially challenging,” the U.S. Food & Drug Administration’s Digital Health Center of Excellence says in addressing cybersecurity and medical devices. “The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.”
Healthcare providers must overcome technical challenges such as unsecured devices connected to the Internet of Mobile Things (IoMT) as well as organizational issues such as shared responsibility for Internet of Hospital Things (IoHT) security between departments like Information Technology, Information Security, and Clinical Engineering (CE). The combined impact of technical and organizational challenges results in risks such as huge un-owned attack surfaces in hospitals, in the case of IoMT connectivity and IoHT security.
An effective medical device security program addresses four critical risk categories, according to a Healthcare IT News article about how to make the case for medical device security.
Cyber hygiene is paramount to medical device security, and Balaji Venkataraman recommends a four-step approach.
- Inventory - Discover and identify all connected devices.
- Correlate - Relate vulnerabilities to discovered attributes.
- Assess - Estimate risk based on correlated vulnerabilities, network posture, and clinical severity attributes.
- Evaluate - Monitor ongoing risks.
Balaji Venkataraman also suggests adopting a clinical zero trust strategy in which every device is verified before it accesses the network — every time. “If you don’t have zero trust, then these small vulnerabilities will become big data breaches within the organization,” he said.
Whether it is breached data or compromised patient safety, the risks that medical devices pose as weak links have caught the attention of healthcare organizations — and demand that they act.