Cyberattacks: Don’t Overlook Medical Devices

By Christophe Dore, Senior Product Manager, Capsule Technologies
Twitter: @capsule_tech

Healthcare is digitalizing more information and connecting more information systems than ever before to enhance patient care and operational efficiency, with the expectation that the synergies between these systems will create additional value. At the same time, new applications, such as patient surveillance, are being made possible through this next-generation, wholly integrated infrastructure. Unfortunately, this hyper-connectivity comes with increased porosity between these systems, making them more vulnerable to malware and other forms of cyberattack.

A healthcare organization’s electronic health record (EHR) system is a typical target in such attacks, but any networked medical device can also potentially be compromised and controlled by an attacker. If a cyberattack on a networked medical device seems far-fetched, consider that 82% of 232 security decision-makers in healthcare organizations have experienced an Internet of Things-focused attack in the past year. Of the organizations affected, 30% report experiencing compromised end-user safety while 43% of these cybersecurity events caused operational downtime, which also risks patient safety if care comes to a standstill.

Establishing a cybersecurity plan
Healthcare organizations, however, are not powerless to stop cyberattacks. Rather, they must establish best practices to identify risks and implement steps to protect their clinical systems and integrated medical devices. After all, a fully integrated and networked environment, while a risk, yields numerous patient care quality and safety benefits. For example, utilizing automated technology that monitors patients’ vital signs and sends validated vital signs to the EHR from the bedside can give nurses more time for direct caregiving and reduce errors through real-time data capture. Integrating data from ventilators, infusion pumps and other devices at the bedside also can help build a comprehensive patient record and feed patient surveillance systems where algorithms trigger intelligent alarms for proactive interventions.

One of the first steps in forming a cybersecurity plan is to recognize that many of these legacy standalone systems were developed before such safeguards were given any consideration and were deployed without proper protections in place. Most provider organizations understand the risk that these unsecured medical devices pose to patient safety, as well as to their financial health and reputation, but fewer have a steady plan in place to identify and mitigate this potential peril. In fact, a recent survey of C-level healthcare executives found one-third consider medical device security one of the top five risks facing healthcare, but most reported they lack an effective strategy to assess vulnerabilities and more than a quarter said they have no process at all.

The good news for healthcare organizations is that they do not need to create anything from scratch, because the ways to identify security risks and optimize the risk mitigations that protect against cyberattacks have been well established for years. By following best security practices laid out by others, healthcare organizations can leverage the latest integrated medical device technologies with good control over cyber risks. The other good news is that security technologies do not need to be invented either; they have already been implemented in leading organizations.

What hospitals can do to protect themselves
Healthcare organizations have to focus and invest more in cybersecurity to protect their connected systems and devices proactively and pervasively, detect issues early, respond to threats quickly and efficiently, and recover from attacks easily and inexpensively.

When integrating medical devices with clinical systems, hospitals must seek integration solutions and deployment architecture designed with security in mind. Ensuring the availability and integrity of data insights will largely depend on a cybersecurity strategy that enables better protection and monitoring of these assets.

The following are three other suggestions hospitals and health systems should consider to improve their cybersecurity position:

  1. Train and monitor staff. Phishing emails are one of a long line of “social engineering” cyberattacks that use psychological manipulation to lure recipients into taking actions or divulging information. Phishing accounts for 80% of the reported incidents. Hospitals should train and test staff on best security practices, but also monitor the activity of insiders, such as hospital visitors, employees, consultants and business associates, to detect anomalous activity. Establishing a team dedicated to studying the current state of the organization’s cybersecurity, establishing improvement procedures, and actively working to reduce vulnerabilities is also recommended.
  2. Utilize advanced solutions. A major challenge and source of stress for healthcare organizations is that medical devices are often essentially “closed boxes” that give them no control over security, yet hospitals and health systems need to deploy these devices on their networks. For instance:
    a. Several advanced solutions are available to help healthcare organizations understand their security exposure, then organize and optimize associated safeguards. They can deliver an inventory of all the medical devices in use, match these devices with vulnerabilities that are known to exist, detect abnormal network behaviors, alert users to the potential risks that each device brings, and recommend corrective actions.
    b. Using a medical device integration solution that brings security to the connected devices – for instance, by isolating them from the network with edge computing – can make securing such integration easier, safer, and more cost-effective. If it can encrypt data in transit, for instance, that is one less major concern to worry about.
  3. Prioritize device security. Hospital leadership now understands that medical devices and information systems are like people: None is perfect, and all have flaws. By recognizing and taking seriously this organizational exposure, they can take steps toward assessing and, if necessary, mitigating the vulnerabilities before they get exploited and become a direct threat. It starts by prioritizing device security and developing a strategy to overcome potential threats. Over the next few years, hospitals will need to leverage technology to understand and monitor their exposure to security risks, as well as detect any system misbehaviors. Hospitals should be able to perform a risk-benefit analysis for any new devices and systems that are under consideration for implementation.

A catalyst for change
If history is any indicator, cyberattacks are likely to increase. According to a report this year, ransomware attacks on healthcare facilities increased 35% between 2016 and 2019, with hospitals and health systems as the main targets in more than half of incidents.

By recognizing and taking seriously this organizational risk, and by effectively measuring its potential impact on the patients and the organization, including its ability to survive, hospitals and health systems can take steps toward mitigating security issues before they arise. That starts by prioritizing device security and developing a strategy to overcome potential threats so that healthcare organizations, and more importantly, patient safety, are protected.