In August, a security researcher with McAfee shared details of a successful effort to hack into a medical monitoring device and alter a patient’s vital signs. In a post to the company’s website, Douglas McKee, who also spoke at the hacker convention Def Con 26 in Las Vegas, walks readers through the steps he took to emulate a patient monitor and falsify its information.
It’s a terrifying scenario for clinicians and patients to think about, and one that underscores the importance of a robust cybersecurity setup for provider organizations.
“Vital signs are integral to clinical decision making,” Dr. Shaun Nordeck, a Dallas-based surgeon, told McKee and his team. “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing and side effects from medications prescribed to control heart rhythm and/or prevent clots.”
Furthermore, Nordeck said, such an attack could cause the hospital to suffer unnecessary resource consumption.
Flexibility and Layering Prove Key in Device Security
Many experts believe segmentation should be a bedrock of healthcare organizations’ cybersecurity strategies. However, such efforts must ensure devices with similar trust levels are segmented together to avoid situations in which a low-trust device compromises a high-trust device.
What’s more, such a strategy must be flexible, allowing for the addition of new personnel, new devices or updates to old solutions.
Layering is critical in order to ensure security on multiple fronts. After all, hackers are adept at finding and exploiting holes in an organization’s protection. For instance, two years ago a hacker breached Phoenix-based Banner Health through unauthorized access to systems that process payment information at food service distribution outlets, according to azcentral.com.
At the HIMSS 2018 conference earlier this year, CDW’s Mark Lachniet said that detailed firewall logging and patch management should be part of such a strategy. Patch management can reduce exposure and cut down on the volume of security incidents significantly, he said.
Security Efforts Should Prioritize Patient Safety
According to the “2018 HIMSS Cybersecurity Survey” report, patient safety is the top medical device security concern.
Still, security researcher Billy Rios worries that some medical device manufacturers are avoiding fixing flaws in their legacy devices. In an interview with Information Security Media Group, he said that some vendors instead are focusing their efforts on shoring up security for newer technologies, as opposed to older solutions.
Provider organizations must take it upon themselves ensure the security of devices and networks in their facilities. Patient lives are at stake.