Medical devices, which are manufactured with functionality in mind, are an underappreciated but important source of vulnerability to hacking. “In the emerging practice of medical hijacking, hackers and cyber adversaries have figured out those devices present an easy way into a provider’s network,” said Ori Bach, vice president of products at TrapX Security, a cybersecurity firm based in San Jose, California. “Lots of legacy medical devices still run on older systems, unlike modern operating systems which are harder to hack.”
Older software makes medical devices particularly susceptible to breaches. Although most hackers use them as an opening into a network to steal data, an attack can cause delays in medical care or even directly harm patients should the devices malfunction.
Where’s the exposure?
Any device that is connected to the internet is vulnerable. Such devices include implantable defibrillators, insulin pumps, and glucometers and wearable devices such as those that measure heart rate or manage pain by delivering transcutaneous electrical nerve stimulation. Dialysis machines, magnetic resonance imaging (MRI) units, and infusion pumps also are susceptible.
Amy Young, a marketing manager specializing in health care at Cisco Systems, Inc., headquartered in San Jose, California, said an average hospital can have up to 15 devices at each bedside that are networked and susceptible to hacking. When attackers break into a device, they may be aiming for data, but this attempt can have a cascading effect that can turn off or change device parameters, potentially leading to patient harm, Young said.
For instance, functionality of an MRI or dialysis machine can be locked out, go offline, or only be available sporadically. A diagnostic device might function, but return wrong data, which could cause a provider to alter treatment plans inappropriately. A breach could interfere with the dosage or mixture of medication directly provided to a patient by a device.
Preventing a breach
The longevity of medical devices is good for providers’ pocketbooks, but not for their security. Many older devices on the market were created with Windows 95 – easily hackable more than 2 decades after its release. Despite the vulnerability of medical devices to hackers, security still does not appear to be much of a concern for many of the manufacturers or providers using the technology. The FDA issued guidance for keeping medical devices safe in 2016. Young cited a recent survey by Synopsys, Inc., conducted by the Ponemon Institute, an IT security research organization, showing that only 51% of device makers and 44% of health care delivery organizations follow FDA’s mitigation advice.
Although there is no foolproof way to prevent every cyberattack, providers can take measures to mitigate problems. One strategy is to patch systems. Bach said providers should ensure they are using the latest software patches available for their operating systems and devices, if available. The notorious WannaCry virus that attacked Windows operating systems, for instance, gained entry through a vulnerability in May 2017. This occurred even though a patch that could have prevented it was available earlier that spring.
Health care providers should actively monitor their systems for issues, said Ramakrishnan Pillai, director of health care risk and compliance for Coalfire, a cybersecurity advising firm with headquarters in Westminster, Colorado. Providers should also perform regular risk assessments on all their devices. The devices should be categorized into high, medium and low risk with respect to hacking potential, with attention paid to those with the greatest potential for patient harm. Understand what is in the office, what is at risk, what software and hardware is being used, and the security controls in place, he urged.
Managing a breach
If a device appears to have been breached, what then? Should a provider just turn it off? Does it need to be replaced? Who should be contacted? As part of the risk management process, a plan needs to be created for each kind of device so, should a breach occur, staff will know where to check and how to address it. Some manufacturers will be able to offer security patches on newer devices, but many legacy devices will not have plans, Pillai said.
He recommends looking to vendors for aid. Any new contracts with a vendor should touch on device management and note who is responsible for cybersecurity incidents. Vendors should also be able to show they have tested devices for their security and have reports or other paperwork to document this. Providers can check to see if vendors have strong cybersecurity teams that can help respond to breaches and get a provider back on their feet quickly.
“This should all be part of the procurement process,” Pillai said. “Providers are spending thousands of dollars on equipment; they need to check it from a security perspective as well as a clinical one.”
Bach pointed out that health care providers can also look into deception technology to secure their organizations and gain full visibility into their health care networks. This strategy creates an identical but fictitious network that’s full of traps and when an attacker tries to attack the organization, he will be interacting with a fake network and all of his actions will be recorded. The organization will know where their weak point is in their security and their real assets will never be touched by attackers.