In an era where unprecedented data breaches are affecting corporate and government entities, the devices used in hospitals and other medical settings represent an often overlooked, yet vital source of vulnerability. For years, security researchers have cautioned the healthcare industry about their exposed medical devices.
Too often these devices are internet-capable or networked internally without encryption technology, cloud computing safeguards, or even password protection. This makes them an easy target for hackers who have the ability to steal data, disable medical devices responsible for providing life-saving care, or launch a widespread cyber attack that can affect every device on a particular network.
The Food and Drug Administration issued new guidelines in 2014 covering medical devices in the market. These guidelines stated that all such devices should be secure, be able to easily update to correct any flaws, and have safeguards in place to protect care in the event the device is hacked or otherwise compromised. The guidelines also mandated that, ideally, medical devices should include the ability to be updated and be accompanied by a list of software components that would allow hospitals to check the device for any vulnerabilities.
A Constant Threat
Infusion pumps make up almost half of all medical devices, according to the Zingbox 2018 Threat Report, making them the largest potential source of attack for cyber-related threats. Currently the industry standard is to segment these types of devices, which limits any potential cyber intrusions to an individual device. Yet, this practice also makes it more difficult to provide widespread automatic security updates to such devices.
The individual operators and medical personnel themselves leave another unyielding source of vulnerability. The above study discovered that the most common security risks originated from user practice issues, which included using web browsers on medical workstations for personal online browsing, chatting, and downloading content.
The Way Forward
The FDA offers a series of recommendations to prevent and otherwise fortify medical devices against the life threatening and/or privacy violating compromises that can result from a targeted attack. These include preemptive mitigation of cybersecurity risks early before they can be taken advantage of by hackers, as well as adopting a coordinated vulnerability disclosure policy and practice. They also encourage healthcare providers to put policies and procedures in place that will enable them to understand and evaluate risks, and discover any vulnerabilities in equipment or software.
According to the guidelines, healthcare providers must also have a plan in place to not only mitigate threats, but to respond and recover quickly and efficiently to limit patient risk. IT personnel in healthcare must be empowered to locate and neutralize cybersecurity threats, which means they must have established procedures in place for discovery and elimination of vulnerabilities.
Finally, it is always incumbent upon those managing healthcare IT systems to apply the five core principles put forth in the 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity:
Cybersecurity for IoT and Beyond
The burden on the industry to protect medical devices is great. Those who produce and utilize medical devices need IoT development partners who will work with them through the life of their devices, rather than supplying a basic framework before abandoning them to configure and manage the updates and security threats or breaches that occur on their own.
Contact Dedicated Computing today to learn more about the cloud computing solutions that will keep your systems current and free of vulnerabilities to threats.