It’s no secret that medical devices pose security risks to healthcare organizations as networks, tools and devices themselves become ever more connected. Common and pervasive cyberthreats, such as ransomware and malware, are also finding their way onto machines. In fact, 18 percent of provider organizations in a recent survey by the College of Healthcare Information Management Executives (CHIME) reported that their medical devices were affected by malware or ransomware in the past 18 months.
While the survey notes that few of these instances resulted in compromised protected health information or an audit, the threats could affect continuity of care or PHI security.
“Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked,” said Russell Branzell, president and CEO of CHIME in a statement accompanying the release of the report. “In recent years, that risk has increased exponentially as devices in hospitals and health organizations have become more and more interconnected. Our members are looking for ways to safeguard these devices, but they need resources and support to be effective.”
Industry, Regulation Prove Key to Keeping Devices Secure
An overwhelming majority of providers (96 percent) point to the manufacturer as the cause of many of these device-related security issues, with out-of-date operating systems or the inability to patch devices seen as primary factors. But even where it’s possible to improve security internally, 76 percent of providers reported that their resources were “insufficient and too strained to adequately secure medical devices.”
“Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers,” said Adam Gale, president of KLAS Research, which helped conduct the report, in a statement following its release. “Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time consuming, toward developing a mature program. We also are seeing some manufacturers being more proactive and accountable.”
Government oversight will also play an important role in improving security, although many manufacturers surveyed for the report noted that regulations from the Food and Drug Administration actually hinder security by preventing them from making certain changes.
The FDA is taking steps to improve the situation. Among other efforts, the agency announced in November a memorandum of agreement between the FDA and DHS that aims “to implement a new framework for enhanced coordination and information sharing about potential or confirmed medical device cybersecurity vulnerabilities and threats,” according to a recent blog post from Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships at the Center for Devices and Radiological Health.
“We are proactively addressing the risk to medical devices in the face of an evolving cyber threat landscape with the release of the premarket cybersecurity guidance update on October 18, 2018, to better protect devices from compromise; maintain device functionality in a safe mode even in the event of an attack; and reduce potential risks to patients — a priority identified in the April 2018 FDA Medical Device Safety Action Plan,” she writes.
Strong Security Strategies Can Help Prevent Device Breaches
While many issues with medical device security remain with industry, there are a few steps providers can take to help safeguard systems from vulnerable devices.
Dennis Morley, director of strategic healthcare sales at CDW, writes in a recent blog post that a flexible security strategy is key, “allowing for the addition of new personnel, new devices or updates to old solutions” where necessary.
Moreover, layering security solutions can help protect systems even if hackers manage to exploit a vulnerability. And managing patches, where possible, can greatly cut down on vulnerabilities and the number of breaches.