State of Medical Device Security: Cyber Risks and Solutions
- January 2, 2024
- 5:24 am
New developments in healthcare open up new ways to treat patients, but as more medical devices are added to the ecosystems of healthcare delivery organizations (HDOs) every day, the question of how to keep our world safe from cyberattacks continues. This KPMG report on medical devices says that the business will make almost $800 billion a year by 2030. These predictions come from the fact that people want new and different tools and services more and more as lifestyle diseases become more common and emerging market economies grow. There is no doubt that these instruments and gadgets will bring a great revolution in the way patients are treated, but along with it comes new security and safety threats as well.
What is Medical Device Cybersecurity?
When healthcare organizations (HDOs) connect their Internet of Medical Things (IoMT) and other medical devices and software, they do things to keep them safe from hackers who might access them without permission, steal private data, hurt patients, or stop important services. It is called medical device cybersecurity. There are so many medical and healthcare devices, like implantables, diagnostic tools, and hospital information systems, that are directly or indirectly connected to the internet.
It makes them open to cyberattacks. Monitoring and preparation for healthcare cybersecurity is very important because attacks on medical devices can not only lead to the loss of protected health information (PHI) but also put patients at risk by creating barriers to righteous treatment. Cyberattacks have been aimed at the healthcare industry for a long time because they store a lot of private health data. Now, the addition of medical devices that are highly connected has made it easier for cybercriminals to disrupt patient care to demand a higher ransom.
Why is Cyber Security Important for Medical Devices?
All across the hospitals of the United States, there are more than thousands of life-sustaining or life-supporting medical devices. These include patient monitors, infusion pumps, ventilators, and imaging tools. Many of these devices can be accessed wirelessly. Digital transformation and the rise of connection brought about by these devices have changed healthcare in big ways, but they have also made HDOs vulnerable to hacking. Patients could be seriously hurt by an attack on a medical device that succeeds. It could include unauthorized access to their protected health information (PHI), changes to their care plans, or even physical harm. The Ponemon study on cyber risk in healthcare, which shows the costs and effects on patient safety and care, adds to the evidence that this is a growing problem. It says, “Fifty percent of respondents say their companies were attacked in their supply chains.” 70% of answers said it made it difficult to care for patients.
The effects included delaying treatments and tests, which led to bad results, like making an illness worse (54%). A longer length of time was another effect (51%), and 23% of those who answered said there was an increase in the death rate. The old practices of Cyberattack measurements were based on how much financial disruption it caused. However, this study shows that loss of money is no longer the only effect of these targeted attacks. Healthcare organizations need to pay more attention to online patient safety as well as protecting and monitoring the privacy, integrity, and availability of patient data.
Rules and guidelines for cybersecurity are also needed to keep medical equipment safe. It has been noticed that medical devices are very important in the healthcare business and can sometimes save patients’ lives. HDOs and medical device makers can make sure patients get care without interruptions by following the rules and regulations of their business.
Here are a few of the most important medical device regulations and standards in the industry:
HHS Section 405(d):
The Department of Health and Human Services has released a Cybersecurity Framework Implementation Guide to set up a risk-based framework for a systematic approach to risk reduction. 405(d) adds more things to think about regarding medical device cybersecurity on top of the current focus on guidelines, best practices, methodologies, procedures, and processes that are led by the industry and based on consensus to lower cybersecurity risk in healthcare settings.
The Health Insurance Portability and Accountability Act (HIPAA) is a government law in the United States that makes sure that patient health information (PHI) is kept safe and private. HIPAA doesn’t specifically address medical device security, but it does touch all medical devices that handle or send PHI. Putting in place the necessary administrative, physical, and technical safeguards to keep data saved or processed on medical devices safe.
In the European Union (EU), the General Data Security Regulation (GDPR) is a privacy and data security law that covers a lot of ground, like HIPAA. The rules in this law have a big effect on how medical devices that handle personal data are protected and kept private. Following the rules set by GDPR helps protect patients’ information, encourages openness, and boosts safety.
The Network and Information Security Directive (NIS) set up NIS2 compliance to fix the problems with NIS1. NIS2 provides legal steps to make businesses in the EU more cyber-resilient and better able to handle incidents. Medical device makers are affected by NIS2 because it requires them to set up a way to handle cybersecurity risks, a way to report problems, and a way to share information to improve their overall security.
The Security of Critical Infrastructure (SOCI) Act sets rules for how Australia’s critical infrastructure areas will be regulated and kept safe. The goal is to make sure that HDOs and other vital infrastructure organizations look for, stop, and lessen risks from all hazards comprehensively and proactively. To protect Australia’s vital services from the recent rise in cyberattacks and to make sure that critical assets are registered, all cybersecurity incidents must be reported, and a risk management program must be put in place.
Industry rules and standards largely ensure the safety and security of medical equipment.
Lack of proper security measures makes organizations more open to attacks, unauthorized access, and data breaches, which could risk patient safety, cause privacy breaches, or even hurt people who depend on these devices for care. Even though rules and standards are often hard to understand and are updated often, they are necessary to make sure that medical gadgets are safe, secure, and operate properly.
What follows are some cases of how an attack could break into medical devices and cause the damage we talked about above. Additionally, these cases will show why HDOs need a strong medical device security plan and to follow all industry rules and standards to detect and deal with cybersecurity risks and protect patients and their PHI.
What are Examples of Cyber Attacks on Medical Devices?
2b innovation shows how to attack a healthcare tracking system in this video. Our experts show how a hacker could get into a patient monitor and fake vital signs during the presentation. They were able to change the vital signs readings on the device by directly accessing the patient monitor and adding code to the device’s logic. A doctor would not be able to identify and treat a patient as well after this kind of attack and change. Even though this attack was fake, it shows what can happen to an embedded device during a ransomware attack and how to fix the problem. The team stresses that healthcare is one of the most targeted areas of critical infrastructure. It is essential to have a strong medical device security plan in place to protect this infrastructure.
In Des Moines, Iowa, the MercyOne healthcare system was hit by a real-life situation that was a lot like how our team demonstrated. This ransomware attack shut down hospitals across several health systems. One of the most injured patients was a 3-year-old who was getting care after having surgery on his tonsils. This NBC story says that MercyOne’s computer system that automatically figured out medicine doses stopped working. As a result, the resident doctor gave the child five times the amount of pain medicine that was prescribed.
Thanks to good luck, the child fully recovered, but this attack should serve as a reminder to healthcare professionals how important it is to keep their medical gadgets safe. These examples show that the cyber risks to healthcare systems are getting a lot worse. To ensure patients’ safety and the appropriate functioning of the devices, the HDOs need to take the lead when it comes to healthcare cybersecurity.
How to Solve the Medical Device Security Challenge
Have you ever thought about how badly breaches in medical devices can impact the healthcare systems? Apart from threats, it can hurt people physically, create hindrances in medical care, and change how well their health turns out. Since safety and security issues are very important, the government has initiated some positive changes to the rules linked to the associated medical devices. Recently, in the Omnibus Appropriations Bill, new changes were added by the House and Senate Appropriations Committees. The new bill states that companies who want to sell medical devices to the Food and Drug Administration (FDA) must follow certain security rules. These rules compile strategies to fix security holes after the product has been sold for 90 days and fix major bugs before they are released to the public. This bill recognizes that the safety of patients may depend on the security of medical devices that are attached to them. It is a positive and helpful step toward resolving the medical device security problem.
To follow government rules and address the problem of medical device security even more, HDOs can work with a cyber-physical systems security vendor such as 2b innovation to see what’s going on in their IoMT ecosystem, evaluate and lower risks, find and deal with threats, and stop future breaches. Medigate by 2b innovation knows a lot about the different medical device manufacturers’ and models’ proprietary communication methods and clinical workflows. It gives HDOs a level of visibility that is unmatched. We also have clinical domain expertise that can find behavior that isn’t within the clinical scope of its intended workflow, send out non-generic alerts, and keep false positives to a minimum. HDOs know exactly what and with whom their devices can and cannot interact and under what circumstances because they have advanced detection tools. It takes the guesswork out of assessing risk. Lastly, Medigate improves HDOs’ medical device security strategy by adding prevention methods based on correct device identification and clinical context. It makes micro-segmentation, security rules, and VLAN assignments work better.
In the end, cyberattacks on medical systems have effects that are different from those seen in other fields. In healthcare, as we’ve learned from this piece, an attack has worse effects than a hit to the bottom line. Higher death rates, health problems, and a lower quality of life are increasingly measuring these effects. There is a good answer to the question of how to keep our world safe from cyberattacks as it becomes more linked: by being more careful about following the rules and laws that cover medical device security and by working with a company that focuses on healthcare cybersecurity and knows that medical device security needs clinical knowledge.