As the number of connected medical devices grows and the use of telemedicine gains wider acceptance among patients, practitioners and insurers, there’s an urgent need for a stronger, more comprehensive healthcare cybersecurity approach that includes the internet of medical things (IoMT). In this post, we’ll look at the scope of the challenges to medical device security and discuss the device and network security metrics that can help you track your organization’s progress toward a stronger security posture.
Concerns about cyberattacks on medical devices are part of a larger problem of attacks on hospital networks. The pandemic accelerated phishing and ransomware attacks in this industry, with one-third of healthcare organizations hit by ransomware in 2020. There were more data exposure incidents, too: the 2020 Verizon Data Breach Investigations Report found that “confirmed data breaches in the healthcare industry increased by 58%” year over year.
In the U.S., the largest healthcare system data breach of 2020 exposed information on more than 3.3 million patients and donors. Connected but inadequately secured medical devices are just one of many ways that attackers can compromise a healthcare network. However, because of the unique role these devices play in patient care and potential risks to patient safety, new federal medical device security standards may be on the way.
A June 2021 report by the U.S. Department of Health and Human Services Office of the Inspector General “recommend[s] that CMS identify and implement an appropriate way to address cybersecurity of networked medical devices in its quality oversight of hospitals in consultation with HHS partners and others.”
The report also notes that “hospitals have an opportunity to elevate networked device cybersecurity as part of their all-hazards risk planning.”
What are the specific risks that poorly secured medical devices can pose?
Medical devices configured with default or weak passwords, unpatched software or outdated firmware give attackers an entry point into a healthcare system’s network. From there, they may be able to move laterally to launch further attacks, exfiltrate data or interfere with clinical operations.
Ransomware attacks are already a serious problem for healthcare organizations and hospitals worldwide. In May 2021, Ireland’s public healthcare system was shut down by a ransomware attack that has delayed thousands of surgeries and COVID-19 vaccinations while providers had to switch to entirely paper recordkeeping. Analysts say it could be months before the system is fully restored, and the price tag for those restoration efforts could reach $600 million.
For five days in August 2021, all locations in the Indianapolis-based Eskenazi Health network had to divert incoming ambulances to other hospitals because of a ransomware attack, resulting in delays to elective surgeries. The organization has announced that some patient, employee and vendor records may have been exposed in the attack, and the investigation is ongoing.
Remediation is costly, too. One report found that in 2019 in the U.K. alone, healthcare organizations lost $4 billion to ransomware attacks and data breaches.
There are also risks for patients when devices aren’t properly secured. The most frequent impact is violations of patient privacy through the exposure of their personal information, which can lead to payment and insurance fraud and identity theft.
It’s already a huge problem: From 2009 through 2020, more than 3,700 reported healthcare data breaches have exposed more than 268 million healthcare records, according to federal health and human services data analyzed by HIPAA Journal.
In addition to personal data leaks, there are also risks to patient care, such as the malfunction of an implanted device like a pacemaker, or tampering with an infusion pump’s workflow so that it delivers the wrong medication or dose. Every breach and IoT security incident has the potential to erode patient trust in healthcare providers.
With so much at stake for providers and patients, why aren’t connected medical devices already secured? There are several reasons.
Indiana University Health CISO Mitch Parker broke down the economics of why some medical device manufacturers never publish updates or patches after their products ship: It’s often too expensive for them to do so, especially for small device makers who aren’t manufacturing at scale. When a critical vulnerability is discovered in these devices, the options are often to rely on open-source patches or take the devices out of use.
Like many organizations, healthcare providers often schedule their patches and updates to minimize interference with operations. However, in the case of an urgent patch alert, like the HHS emergency directive to patch Windows 10 in January 2020, organizations must be ready to balance urgency with availability, application dependencies and resourcing for support to make the appropriate changes.
As of early 2020, some 83% of hospital-based, internet-connected CAT scanners, MRI scanners, X-ray machines and mammography equipment were running on old versions of Windows that are no longer supported by Microsoft. That means there are no OEM patches available even when documented threats emerge.
However, diagnostic machines like these are too valuable to take offline, so hospital IT teams need to consider other ways to manage risk, such as:
Phishing is still an issue—43% of email recipients fell for one study’s targeted phishing attempts at least once, and 11.9% more than once—and it is one of the leading causes of the security incidents that lead to ransomware affecting data and clinical operations.
As ransomware spreads within a network, it has the potential to infect network-connected scanning devices like MRI machines and CAT scanners, putting the data on those devices at risk of loss, corruption or exposure.
The HHS OIG report notes that big healthcare centers can have some 85,000 networked devices, and though these devices may not share the same network as the hospital’s electronic health records, those networks could be linked in a way that attackers can exploit to access patient data.
Tracking information security key risk indicators related to cybersecurity challenges in healthcare can help CISOs and IT leaders build a plan to identify and address weaknesses in their medical device security posture.
Because any device or email account in an organization can be an entry point for attackers, and because those attacks can spread quickly to other devices on the network, healthcare security teams need to extend their security operations workflows to include prioritized response and to integrate best practices from continuous-monitoring approaches. Some KPIs to measure success here can include:
Over time, these metrics can reveal strengths as well as areas where your team may need additional security resource training to respond as quickly and effectively as possible.
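As an added example (not code from the original post), here is how the response metrics the paragraph refers to can be computed from incident records. The KPIs chosen, mean time to detect, mean time to contain, and the share of high-severity incidents contained within an SLA, are assumptions of this example rather than ones the post prescribes, and the tickets below are constructed. The record type rejects out-of-order timestamps, because a containment time earlier than a detection time would silently make the averages look better than they are.

```python
"""Detection/response KPIs from incident records.

Added example, not part of the original post. The KPIs (mean time to
detect, mean time to contain, share contained within an SLA) are assumed
choices; the incident records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Incident:
    ticket: str
    severity: str             # "high", "medium" or "low"
    first_activity: datetime  # earliest evidence of attacker activity on the device
    detected: datetime        # when the alert was raised to the response team
    contained: datetime       # when the affected device was isolated or cleaned

    def __post_init__(self) -> None:
        # Bad timestamps would make the averages look better; reject them.
        if not (self.first_activity <= self.detected <= self.contained):
            raise ValueError(f"{self.ticket}: timestamps out of order")


def ts(day: int, hour: int, minute: int = 0) -> datetime:
    """Shorthand for timestamps in September 2021 (constructed data)."""
    return datetime(2021, 9, day, hour, minute)


# Constructed sample tickets (hypothetical identifiers).
INCIDENTS = [
    Incident("INC-1001", "high",   ts(1, 8),  ts(1, 10),    ts(1, 13)),     # phished laptop
    Incident("INC-1002", "high",   ts(2, 22), ts(3, 6),     ts(3, 12)),     # ransomware on an imaging workstation
    Incident("INC-1003", "medium", ts(4, 9),  ts(4, 9, 30), ts(4, 11, 30)),
    Incident("INC-1004", "low",    ts(5, 14), ts(5, 15),    ts(6, 15)),
]


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def select(incidents, severity=None):
    """Filter by severity; None keeps everything."""
    chosen = [i for i in incidents if severity is None or i.severity == severity]
    if not chosen:
        raise ValueError("no incidents match")
    return chosen


def mean_time_to_detect(incidents, severity=None) -> float:
    """Average hours from first attacker activity to detection."""
    return mean(hours(i.detected - i.first_activity) for i in select(incidents, severity))


def mean_time_to_contain(incidents, severity=None) -> float:
    """Average hours from detection to containment."""
    return mean(hours(i.contained - i.detected) for i in select(incidents, severity))


def share_contained_within(incidents, severity, sla_hours) -> float:
    """Fraction of incidents of the given severity contained within the SLA."""
    chosen = select(incidents, severity)
    met = sum(1 for i in chosen if hours(i.contained - i.detected) <= sla_hours)
    return met / len(chosen)


def kpi_report(incidents, sla_hours_high: float = 4.0) -> dict:
    """The numbers a CISO dashboard would track month over month."""
    return {
        "mttd_hours_all": mean_time_to_detect(incidents),
        "mttd_hours_high": mean_time_to_detect(incidents, "high"),
        "mttc_hours_high": mean_time_to_contain(incidents, "high"),
        "high_contained_within_sla": share_contained_within(incidents, "high", sla_hours_high),
    }


if __name__ == "__main__":
    for name, value in kpi_report(INCIDENTS).items():
        print(f"{name}: {value:.2f}")
```

Run the same report over successive months and the trend, not the single number, is what tells you whether prioritized response is working; a falling mean time to contain with a flat detection time points at monitoring coverage rather than the response workflow.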
Because many people fall for targeted phishing attempts, and the resulting malware can spread to connected medical devices and tamper with their data, some hospitals are adding email security solutions that filter out phishing messages. This technology can protect employees and executives from messages that purport to come from trusted organizations and help prevent business email compromise.
The ability to identify every device in a healthcare environment, from MRI machines and pharmacy machines to smart TVs and staffers’ laptops is a critical element in creating realistic risk and threat models. With a passive, agentless platform like Armis, security teams can instantly see what’s operating on the network, who made those devices, what software they’re running, what known vulnerabilities they have and their risk rating. Comprehensive medical device visibility also shows how those devices are communicating with each other and with devices on external networks.
With this information visible in a unified dashboard, risk management and clinical operations teams can quickly identify devices that are unsupported and those that have patches available for known vulnerabilities, leading to automated patching for supported devices, as well as prioritizing the devices that need to be updated, segmented, temporarily disabled or replaced.
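As an added example (not code from the original post or from the Armis product), here is how an inventory like the one described above can be turned into the prioritization the paragraph mentions: each device is checked against its OS vendor's end-of-support date, given a simple risk score, and mapped to update, segment, disable or replace. The inventory, the scoring weights and the end-of-support table are assumptions for illustration; the end-of-support dates are the vendor's published lifecycle dates for those builds.

```python
"""Triage a device inventory into update / segment / disable / replace.

Added example, not part of the original post or the Armis product. The
inventory, the end-of-support table and the scoring weights are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

# Vendor end-of-support dates for a few builds (lookup table for this example;
# anything not listed is assumed to still be supported).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

TODAY = date(2021, 9, 1)  # fixed so the example is reproducible


@dataclass(frozen=True)
class Device:
    name: str
    vendor: str
    os: str
    patchable_cves: int       # known vulnerabilities with a vendor patch available
    unpatchable_cves: int     # known vulnerabilities the vendor never patched
    talks_to_external: bool   # observed traffic to networks outside the hospital
    clinical_critical: bool   # taking it offline would affect patient care


def os_unsupported(os_name: str, today: date = TODAY) -> bool:
    """True when the OS is past its end-of-support date, so no OEM patches will come."""
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and eos <= today


def risk_score(d: Device, today: date = TODAY) -> int:
    """Additive 0-100 score; the weights are illustrative, not a standard."""
    score = 0
    if os_unsupported(d.os, today):
        score += 40
    score += 10 * d.patchable_cves
    score += 20 * d.unpatchable_cves
    if d.talks_to_external:
        score += 15
    return min(score, 100)


def recommend(d: Device, today: date = TODAY) -> str:
    """Map a device to the actions the text lists (plus 'monitor' for the clean ones)."""
    if os_unsupported(d.os, today):
        # Nothing to patch: isolate it if care depends on it, otherwise plan replacement.
        return "segment" if d.clinical_critical else "replace"
    if d.unpatchable_cves:
        return "segment" if d.clinical_critical else "disable"
    if d.patchable_cves:
        return "update"  # a fix exists; schedule it in the maintenance window
    return "monitor"


def triage(devices, today: date = TODAY) -> List[Tuple[str, int, str]]:
    """Return (name, score, action) rows, highest risk first."""
    rows = [(d.name, risk_score(d, today), recommend(d, today)) for d in devices]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def unsupported_share(devices, today: date = TODAY) -> float:
    """Fraction of the fleet on an unsupported OS (the kind of figure quoted in the text)."""
    devices = list(devices)
    return sum(os_unsupported(d.os, today) for d in devices) / len(devices)


# Constructed inventory; vendor names are placeholders.
INVENTORY = [
    Device("mri-01", "ExampleImaging", "Windows 7", 0, 3, False, True),
    Device("infusion-12", "ExamplePumps", "Windows 10", 2, 0, False, True),
    Device("lobby-tv", "ExampleDisplays", "Windows XP", 0, 1, True, False),
    Device("nurse-laptop-7", "ExampleLaptops", "Windows 10", 0, 0, True, False),
]

if __name__ == "__main__":
    for name, score, action in triage(INVENTORY):
        print(f"{name:16} risk={score:3d} action={action}")
    print(f"unsupported OS share: {unsupported_share(INVENTORY):.0%}")
```

The point of the "segment" branch is the one the text makes about diagnostic machines: a clinically critical device on an unsupported OS cannot simply be patched or switched off, so the realistic control is to restrict what it can talk to and watch it.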
Every health system will have its own specific priorities for metrics. In addition to the KPIs mentioned above, other metrics that your healthcare organization may want to monitor include:
By creating a security-focused culture and deploying technology that protects patients and staff as well as the technology that enables safe and efficient care, healthcare organizations can improve their cyber resiliency and reduce their attack surface, thereby improving patient safety.
Learn how Armis can help your healthcare organization with medical device cybersecurity, threat detection and response.