What Internet of Medical Things (IoMT) Devices Mean for Healthcare Cybersecurity

Vulnerable IoMT devices are increasing in number and leaving hospital boundaries. Here are three tips to form a security strategy that minimizes risks.

Healthcare ransomware incidents seem to be dominating headlines recently. As destructive as previous attacks may have been, it’s likely that the security landscape is only going to get worse as cyberattacks on Internet of Things devices are predicted to heat up. And soon, a new security battlefield will emerge: the Internet of Medical Things (IoMT).

Frost & Sullivan estimates that there were 4.5 billion IoMT devices in 2015, a number that they expect to increase to between 20 and 30 billion by 2020. Why does this spell potential disaster? Medical devices are moving away from the walls of the hospital and now include consumer devices. Into a coffee shop, into a home — these devices and their users come and go frequently from a secure healthcare network, creating increased security risks.

Moreover, as the number of connected devices continues to grow, so does the cybersecurity risk. There is no industry-standard operating system for medical products. Instead, according to the Food and Drug Administration, most medical devices use vulnerable off-the-shelf software.


5 Key Threats to Internet of Medical Things Devices

This higher security risk is amplified by five environmental and market forces that are coming together to form an even more worrisome picture for medical device security in today’s mobile world:

  1. The declining value of the medical record — Soon it will be cheaper to buy stolen medical records than to hack them, which will drive ‘threat actors’ to find more lucrative exploits (including hacking medical devices in order to control them).

  2. Evolving cyberattack schemes — Consumer cybersecurity risks become healthcare cybersecurity risks when mobile medical devices are involved. Every medical device is a “back door” into a hospital’s IT network, and attackers are now exploring a new strategy called “destruction of service,” or DeOS, which will completely incapacitate the network.

  3. Easily compromised devices — Some medical devices were built 20 years ago but still work, believe it or not. Sadly, many of these tools are still being used by hospitals (often to save money). However, those medical devices, including pacemakers, X-ray machines and CT scanners, use outdated security software that isn’t automatically updated. This leaves hospitals and patients very vulnerable.

  4. Clinicians prioritize patient care over cybersecurity — Clinicians are focused on patient care so, naturally, the prevention of cybersecurity hacks is not necessarily their No. 1 priority. With this in mind, it’s important that cybersecurity for medical devices be simple and easy to update. Otherwise some clinicians may go rogue and start using unsanctioned applications in order to keep up with their workflow.

  5. FDA-issued security recommendations are not mandates — Quite simply, without a firm mandate to follow, manufacturers and healthcare organizations struggle to follow the FDA’s guidelines to reduce device security risks, especially if it costs more money and resources. According to a 2017 study conducted by the Ponemon Institute, only 51 percent of medical device manufacturers and 44 percent of healthcare organizations follow FDA guidelines.

Still not convinced? Consider the pacemaker recall by the FDA last year. At the end of August, the FDA recalled 465,000 pacemakers over fears that they could be hacked. The agency discovered cybersecurity vulnerabilities that could allow a hacker to take over the medical device that controls heart rhythm. The pacemakers were updated with new security software to fix the vulnerabilities. Luckily no pacemaker was actually hacked, but this security risk scenario is a real possibility.

3 Ways to Stay Ahead of IoMT Vulnerabilities

Healthcare organizations these days have thousands of endpoints, all potentially vulnerable to a security breach, and without the right security technology, a security disruption could cause chaos. Keeping threats at bay for all endpoints involved requires significant investment in cyberdefenses.

The bottom line is that as the number of medical devices continues to increase, the security automation process needs to evolve. Below are three ways in which healthcare organizations can create a holistic, effective device security strategy around software automation for IoMT devices:

  1. Simplify the process — If clinicians have to manually update their devices, or are given a drawn-out security procedure to follow in order to use the device, they are going to look for alternatives, and most are likely not secure enough for the organization’s network. The security process needs to be compatible with the clinicians’ typical workflow.

  2. Have a device security breach plan — If a device has a security issue while in use, is it turned off? Has it been swapped for another? Process and protocols must be predefined so both the clinician and IT professional can move forward together to address the security breach. Device assessment automation tools can help IT professionals determine where the breach came from and automatically alert the clinicians affected so the security risk is managed in real time.

  3. Invest in technology defenses — Without a rock-solid digital technology foundation, it’s very hard to combat security risks within medical devices. A technology roadmap should be built that includes automation software to keep up with security patches, cloud-based security solutions and traffic analytics tools for better visibility across the network. In addition, companies should consider microsegmentation so devices are isolated from larger security risks and outsource certain tasks to security experts.
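
The microsegmentation and traffic-visibility points above can be turned into a concrete, repeatable check. The following Python script is an added example and is not code from the article or from any vendor it mentions; the device VLAN, the allowlisted servers (a patch server, an HL7 interface engine, a PACS host) and the flow records it inspects are all constructed, hypothetical values. It models the segmentation policy as an allowlist of (destination, port) pairs that the device segment may reach, then runs sample flow records through it and reports every flow that leaves the segment for a destination the policy does not permit, which is the signal an IT team would want surfaced by its traffic analytics.

```python
"""Allowlist check for traffic leaving a microsegmented medical-device VLAN.

Added example, not the article's own code. Every address, port and
flow record below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the isolated medical-device segment.
DEVICE_SEGMENT = ip_network("10.50.0.0/24")

# Constructed: the only (destination, port) pairs the segment may reach.
# Everything else leaving the segment is a policy violation.
ALLOWED_FLOWS = {
    (ip_network("10.10.5.10/32"), 443): "device management / patch server",
    (ip_network("10.10.5.20/32"), 2575): "HL7 interface engine",
    (ip_network("10.10.5.30/32"), 104): "PACS (DICOM)",
}


@dataclass(frozen=True)
class Flow:
    """One observed connection: source host, destination host, destination port."""
    src: str
    dst: str
    port: int


def is_allowed(flow):
    """True if the flow is permitted by the segmentation policy.

    Only traffic originating inside the device segment is constrained;
    traffic from elsewhere is left to other controls.
    """
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in DEVICE_SEGMENT:
        return True
    return any(dst in net and flow.port == port for (net, port) in ALLOWED_FLOWS)


def find_violations(flows):
    """Return the flows that leave the device segment for a non-allowlisted target."""
    return [f for f in flows if not is_allowed(f)]


def parse_flow_line(line):
    """Parse a constructed 'src dst port' record into a Flow."""
    src, dst, port = line.split()
    return Flow(src, dst, int(port))


def format_alert(flow):
    """Human-readable alert line for one violating flow."""
    return (f"POLICY VIOLATION: device {flow.src} contacted "
            f"{flow.dst}:{flow.port}, which is not an allowlisted destination")


# Constructed sample flow records: four compliant, two violating.
SAMPLE_FLOWS = """\
10.50.0.17 10.10.5.10 443
10.50.0.17 10.10.5.30 104
10.50.0.42 10.10.5.20 2575
10.50.0.42 192.0.2.55 445
10.50.0.9 10.10.5.10 22
10.10.5.10 10.50.0.17 443
"""


def load_sample_flows():
    """Parse the constructed sample records."""
    return [parse_flow_line(line) for line in SAMPLE_FLOWS.splitlines() if line.strip()]


if __name__ == "__main__":
    for violation in find_violations(load_sample_flows()):
        print(format_alert(violation))
```

Run as-is, the script flags two flows: a device reaching an off-network host on port 445, and a device reaching the patch server on a port the policy never opened. The reverse flow from the patch server into the segment is not flagged because this check only constrains traffic leaving the device VLAN; inbound policy would be a separate allowlist. The same function can be pointed at real flow exports once the records are parsed into the `Flow` shape.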

As the IoMT device landscape heats up and hospitals delve more into remote care, healthcare systems need to protect each and every endpoint device from potential cybersecurity risks. To do this, organizations should integrate the power of automation into a rock-solid digital technology foundation, making it easier for both the clinician and IT professional to stay on top of the security needed to protect both the organization and the patient.

Apr 18 2018