Medical device usage is on the rise, and that reality potentially puts people at risk if those gadgets have security flaws. It’s crucial for device manufacturers, industry regulators and health practitioners to work together to ensure safety remains paramount as adoption rises.
Internal health devices are particularly at risk, especially since patients and providers may not immediately notice issues. The people who use or prescribe them assume they’ll work as expected and typically don’t have ways to make sure that’s true. As such, they only become aware of issues once obvious problems begin, or after they read statements alerting them about known issues.
As a case in point, a recent discovery showed vulnerabilities in implantable cardioverter defibrillators (ICDs) made by Medtronic. Those devices help correct dangerously fast or irregular heartbeats in patients. This issue also extends to some pacemakers that deliver small electrical charges to the heart when needed.
Federal Authorities Issue a Statement
In late March 2019, the Department of Homeland Security (DHS) published a statement to alert the public about the affected devices and describe the identified issues. The content confirmed that a nearby hacker with short-range access could intercept, modify or generate the radio-frequency communications the devices use. Successful infiltration could interfere with the way the ICD functions.
Usually, the radio-frequency component provides convenience by allowing patients to monitor their conditions or letting doctors change device settings without invasive procedures. Fortunately, there are no known cases where hackers successfully exploited the flaw.
The current advice is to keep using the affected devices while the manufacturer creates a fix. The benefits reportedly outweigh the risks.
Although the federal statement said low-skilled cybercriminals could carry out such attacks, it’s important to realize that the radio frequencies associated with these devices are short range. A person trying to manipulate them would need to be in the same room as a patient or otherwise within a couple of dozen feet.
More Medical Devices Are at Risk
The Medtronic issue detailed above is undoubtedly concerning, but it’s necessary to also take a broader look at other devices and the dangers they pose. There are more than 190,000 medical devices in the U.S. market, and a relatively small group of devices is most often associated with medical injuries. Defibrillators are on that list, along with items including spinal stimulators, prosthetic hips and insulin pumps with sensors.
“Networked medical devices are susceptible to ransomware similar to many other computing end-points, such as laptops, workstations, and servers,” says Clyde Hewitt, Executive Advisor for CynergisTek. “While the functions performed by medical devices vary widely, many are still designed with commercially available central processing units (CPUs) and run common operating systems such as Microsoft Windows or Linux.”
“Unfortunately,” Hewitt says, “computer hackers, including ransomware authors, also target security vulnerabilities within these same operating systems to ensure they can gain the maximum coverage. Since medical devices have the same operating systems, they too can get infected with ransomware.”
Cyberattacks alone do not account for all medical injuries associated with these devices and others. But healthcare facilities are attractive targets for ransomware — threats that restrict access to a device or files until victims pay the ransom, and sometimes not even then.
A ransomware attack could make medical equipment or entire networks non-operational. Some incidents are so severe they force hospitals to route patients elsewhere. In one recent case, a Michigan medical practice closed after a ransomware attack.
“There is ample evidence that ransomware can be very disruptive to clinicians who are treating patients,” says Hewitt. “When ransomware attacks electronic health record servers and workstations, it will adversely impact the availability of the patient’s health information, including treatment history, which could potentially harm a patient when critical data is not available to the medical professional. This same ransomware can attack medical devices used in the delivery of care, but rather than just block critical information, it could potentially cause malfunctions that could adversely impact the delivery of drugs or cause the medical device to fail completely.”
Fixing ransomware issues can cost hundreds of thousands of dollars. Additionally, the high stakes within the medical device market, such as the access to valuable patient data and the broad reach of health systems, make the medical sector attractive to hackers.
Attacks Can Be Carried Out Through Provider Networks
“We have seen evidence that when a healthcare provider is infected with ransomware, it generally starts with a workstation connected to the Internet,” Hewitt explains. “From this launch point, the infected workstation searches the local network for any other devices that have a similar security vulnerability and then spreads malware to those devices. Medical devices with the same security vulnerabilities that can be reached through the same network are likely to be infected.
“Many medical devices can be connected to the provider’s network so that information can be shared with the electronic health record or communicated back to a central monitoring station,” he says.
“This connection is typically shared with other non-medical devices, such as workstations and servers. Larger modalities, including imaging devices such as CT and MR imaging systems, rely on direct network connections to function properly.”
This is the most troubling aspect of these attacks. If ransomware infects one workstation, it has the potential to spread to all other devices that communicate with that workstation.
Some Problems Happen Due to User Mistakes
Making a hospital’s network more secure against bad actors is a worthwhile preventative measure. However, a 2018 threat report from Zingbox found that user practice issues and outdated operating systems or software caused the most security issues.
For example, browser malware or rogue applications could help launch attacks when patients or providers use them. They may use apps and browsers in their usual ways and not notice that hackers compromised them. If patients are not tech-savvy or hospital workers aren’t on networks where the IT departments automatically update software and operating systems, they may not know where to start to keep their systems current.
How Can the Medical Sector Mitigate Ransomware Risks?
No single strategy exists to help hospitals take care of all ransomware attacks. Healthcare’s cybersecurity shortcomings are getting more problematic. There’s frequently a disconnect between the providers who focus on patient care first and foremost and the IT professionals tasked with implementing cybersecurity strategies. However, there are some starting points for thwarting ransomware.
“To start, medical professionals need to recognize and address the security risks of medical devices,” Hewitt says. “The first step is to classify medical devices as computing end-points and require that your organization’s security and compliance leaders assess the security risks and develop a plan to reduce those risks to an acceptable level.”
“Operationally, your security official should be providing regular updates on the vulnerabilities and controls for each device as these change over time,” he says. “Since many devices can’t be patched or have end-point-protection installed, healthcare organizations should consider micro-segmentation of the internal networks to isolate medical devices from all other network devices except what is necessary to perform the intended function.”
“As hackers are continually improving their skills, healthcare security teams should be performing periodic scans of their networks to identify new medical devices and also identify and quantify new risks.”
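The two recommendations above, isolating medical devices so they reach only what their function requires and scanning periodically for devices that are not yet on the books, can be turned into a routine check. The script below is an added example, not code from the article or from CynergisTek: it audits a set of observed network flows against a segmentation allowlist and a device inventory, flagging cross-segment traffic the policy does not permit and any address on the medical segment that the inventory does not know. The segment, addresses, ports, device names and flow records are all constructed for illustration.

```python
"""Audit observed network flows against a medical-device segmentation policy.

Added example (not from the article or CynergisTek): every address, port,
device name and flow record below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: the isolated network segment that medical devices live on.
MEDICAL_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Constructed asset inventory: address -> device label (kept in sync with scans).
KNOWN_DEVICES = {
    "10.20.0.11": "infusion-pump-07",
    "10.20.0.12": "patient-monitor-03",
}

# Constructed allowlist. Outbound: (peer address, peer port) a device may connect
# to, here an EHR interface engine and a central monitoring station.
# Inbound: (peer address, device port) a peer may connect to.
ALLOWED_OUTBOUND = {("10.50.0.5", 2575), ("10.50.0.9", 443)}
ALLOWED_INBOUND = {("10.50.0.9", 443)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Finding:
    kind: str      # "segmentation-violation" or "unknown-device"
    address: str   # the medical-segment address involved
    flow: Flow


def parse_flows(text):
    """Parse 'src dst dport' records, one per line; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def in_segment(addr):
    return ipaddress.ip_address(addr) in MEDICAL_SEGMENT


def audit(flows):
    """Return findings for every flow that touches the medical segment."""
    findings = []
    for f in flows:
        src_in, dst_in = in_segment(f.src), in_segment(f.dst)
        if not (src_in or dst_in):
            continue  # traffic between non-medical hosts is out of scope here

        # Inventory check: a medical-segment address missing from the inventory
        # is a device the periodic scans should have picked up.
        for addr in (f.src, f.dst):
            if in_segment(addr) and addr not in KNOWN_DEVICES:
                findings.append(Finding("unknown-device", addr, f))

        # Segmentation check: a flow crossing the segment boundary must match
        # the allowlist. Device-to-device flows inside the segment are left to
        # the device-level policy and are not flagged here.
        if src_in and not dst_in and (f.dst, f.dport) not in ALLOWED_OUTBOUND:
            findings.append(Finding("segmentation-violation", f.src, f))
        elif dst_in and not src_in and (f.src, f.dport) not in ALLOWED_INBOUND:
            findings.append(Finding("segmentation-violation", f.dst, f))
    return findings


# Constructed sample of observed flows, as a flow collector might export them.
SAMPLE_FLOWS = """
10.20.0.11 10.50.0.5  2575   # pump -> EHR interface engine: allowed
10.20.0.12 10.50.0.9  443    # monitor -> central monitoring station: allowed
10.30.0.44 10.20.0.11 445    # workstation -> pump on SMB: crosses the boundary, not allowed
10.20.0.12 10.30.0.44 445    # monitor -> workstation: not allowed
10.20.0.99 10.50.0.5  2575   # allowed destination, but the source is not in the inventory
10.30.0.44 10.30.0.45 445    # workstation -> workstation: outside this audit's scope
"""

if __name__ == "__main__":
    for finding in audit(parse_flows(SAMPLE_FLOWS)):
        f = finding.flow
        print(f"{finding.kind:22} {finding.address:12} {f.src} -> {f.dst}:{f.dport}")
```

Run as-is, the sample produces two segmentation violations (the workstation reaching an infusion pump, and a monitor reaching a workstation) and one unknown device. In practice the flow text would come from a flow collector or firewall logs, and the inventory would be refreshed from the network scans the quote recommends, so that a device which appears on the segment without being inventoried shows up as a finding rather than going unnoticed.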
In light of this information, providing more cybersecurity training for people in the field, including those in non-caregiving roles, would be a smart move. Getting certified in a cybersecurity topic relevant to the health sector creates a win-win situation by making employees more marketable to their current or future employers while helping to protect patients and network devices.
When doctors decide to prescribe medical devices for their patients, they should take the time to teach individuals how to use them. It’s also essential to instruct patients to immediately report any strange functionality shown by the devices. Then, when patients get assessed during follow-up visits, physicians should check their medical devices and update them.
Fighting ransomware also means ensuring that a healthcare facility’s cybersecurity staff receive news about the latest threats and have the resources to safeguard against them. Tech leaders should plan periodic, facility-wide security audits that identify risks including ransomware, then take decisive action based on the audit results.
Healthcare facilities should also pledge to work only with manufacturers that show an ongoing commitment to device security. Not long ago, Medtronic joined several other device manufacturers and agreed to work with cybersecurity researchers to keep devices safer. That’s important considering the issue mentioned above is not the first time Medtronic experienced a security-related flaw in a cardiac device.
The Health Sector Must Conquer Security Threats
“Ransomware is not the only risk to medical devices,” Hewitt points out. “Many of these devices also create, store, or access patient data, so providers are responsible for providing physical and technical controls to prevent the loss or unauthorized access to this data. Historically, medical devices are not managed as closely as other workstations, so executives may not even be alerted when HIPAA breaches happen.”
Medical devices could be life-saving for many of the patients who use them. But security risks could cause harm instead of helping. All-encompassing strategies, such as those suggested above, make issues less likely to happen.
A proactive and preventative mindset equips people in the healthcare industry to remain aware of problems and how to solve them, whether the issues relate to devices or entire hospital networks.