Introduction
Last month, October, was Cybersecurity Awareness Month. I realize I am about a week late, but here is
a blog that I had wanted to post then.
Here we go! It’s about Medical Device Cybersecurity.
Why Is It So Important?
Many years ago, nobody ever thought that an implanted pacemaker could be the target of a Cyberattack. Fast forward to now, and unfortunately this is the new reality. One of the main reasons is that medical devices have pretty much become interconnected with everything else in our lives. This has become popularly known as the "Internet of Things", or "IoT" for short.
With this vast expanse, the Cyberattacker has a lot more fertile territory to penetrate. Thus, healthcare practitioners of all types now have to be careful when they are working with your connected device. For example, your kidney dialysis machine, or even your pacemaker, could be at grave risk.
As horrible as this sounds, a Cyberattacker who gains access to the device can tamper with the settings of an internal pacemaker, and literally cause the patient to have a heart attack and possibly even lose their life.
Just How Serious Is It?
While the example illustrated is a bit extreme (but still quite possible), the following statistics underscore just how serious Medical Device Cybersecurity has become:
- On average, the healthcare industry has suffered at least 3X more Cyberattacks than any other industry;
- Healthcare data breaches have increased by almost 200%, with Texas being the main target;
- Over 41 million patient records have been hacked into;
- The theft of patient data is quite lucrative, especially on the Dark Web. For example, each record can sell for as much as $60, and the information contained within it can be used to build an entirely new patient profile, which can then be used to launch subsequent Cyberattacks;
- Although 2021 has been known as the year of Ransomware attacks, the volume is expected to grow at least 5X in the coming year, and once again, Healthcare will be one of the hardest hit;
- Quite surprisingly, almost 60% of attacks, including those against medical devices, are considered to be "Insider Jobs". This means the attack originated inside the Healthcare Organization's own perimeter: either from an employee or contractor with legitimate access, or from a Cyberattacker who has already established a foothold in the IT and Network Infrastructure and is waiting for the right moment to strike;
- Many of the Medical Devices in use by patients are 20+ years old. There is often no way to apply the needed software patches or upgrades, because they will not even work on these legacy devices;
- The average hospital room contains at least 15-20 interconnected medical devices;
- It is predicted that by 2028, there will be at least 50 billion Medical Devices connected to one another in the US Healthcare Industry;
- At least 98% of the Medical Devices in use at the present time remain unencrypted and unsecured, leaving them wide open to large-scale Cyberattacks such as Ransomware;
- It is the implanted Medical Devices that are most at risk. These include the following:
    - Cardiac Defibrillators;
    - Cardiac Pacemakers;
    - Insulin Pumps;
    - Equipment that is used for Neurostimulation;
    - Ear Tubes;
    - And many more.

(SOURCE: 1).
How To Protect Yourself From A Cyberattack
Truthfully, there is very little an individual patient can do on their own to protect themselves from being hacked. The primary reason, as stated previously, is that the bulk of these devices are implanted inside the patient, so patients are highly dependent upon both the medical practitioners and the Healthcare Industry to take some bold steps.
Here are some recommended tips:
1) Understand how the device has been built:
Remember, a medical device is no longer just a hardware component. It also has a huge software part, so a Healthcare Provider that is considering procuring a new lot of medical devices for its patients needs to understand how that software was developed. In this regard, the Provider should ask the manufacturer whether the software that runs on the device was actually security tested, and whether any flaws or vulnerabilities that were discovered have been mitigated. Obviously, the manufacturer will not reveal the actual source code, but they should be able to answer this question without any hesitation, and ideally back it up with a summary of their testing and a software bill of materials (a list of the third-party components the device contains), so that you can track newly published vulnerabilities against those components over the device's lifetime. Anything else should be a huge red flag.
2) The move to the Cloud:
Primarily fueled by the COVID-19 pandemic and the near 99% Remote Workforce, many businesses in Corporate America, and even many Healthcare Organizations, have opted to move entirely to the Cloud. While this does offer a greater expanse of Cybersecurity tooling, the Cloud too is still at risk. Therefore, if you are planning this kind of migration, it is most prudent to go with a well-known Cloud Provider, such as AWS or Microsoft Azure. They have security tools on hand that can be deployed in a matter of minutes, not only to protect your patients' medical information and data, but also to protect the network lines of communication to the medical devices. Another key advantage of this approach is that these providers offer services that are already certified or eligible under the myriad of data privacy laws, including HIPAA, GDPR, CCPA, etc. Keep in mind, though, that this is a shared responsibility: the provider covers the underlying infrastructure, but how you configure access controls, encryption and logging for the patient data you place there remains yours to get right, and a misconfigured Cloud environment is not compliant with anything.
3) Never use the vendor settings:
When the time comes that you have actually procured the needed medical devices for your patients, it is very important that you do not leave the default security settings set by the vendor in place. These only offer the most minimal level of security (and in the case of default administrator credentials, none at all, since they are printed in the vendor's own manuals), so you need to set them to what is required and mandated by your Security Policy. Also, make sure that you are on a regular schedule of applying the needed software patches and upgrades, and that you keep an inventory of which device is running which firmware version, so that the gaps actually show up. Your vendor should be able to work with you on this critical aspect.
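One way to turn the third tip into something you can run on a schedule is a baseline audit over the device inventory: for every networked device, flag factory-default credentials that were never changed, management interfaces still reachable over cleartext protocols, firmware below the version your Security Policy approves, and devices that have missed the patch window. The following is an added example written for this post, not code from the original article or from any vendor; the vendor names, models, default-credential list, baseline versions and the inventory itself are all constructed, and in practice the default-credential list comes from each vendor's documentation and the inventory from your asset-management system.

```python
"""Audit a constructed inventory of networked medical devices against a
hardening baseline (default credentials, cleartext management, firmware
level, patch age). Added example; all names and data below are made up."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Constructed factory-default credentials per (hypothetical) vendor.
# Real entries come from the vendor's own manuals for each model.
KNOWN_DEFAULT_CREDS: Dict[str, set] = {
    "AcmeMed": {("admin", "admin"), ("service", "1234")},
    "PumpCo": {("root", "pumpco")},
}

# Management protocols that carry credentials and commands in the clear.
CLEARTEXT_PROTOCOLS = {"http", "telnet"}


@dataclass
class Baseline:
    min_firmware: Dict[str, Tuple[int, ...]]  # keyed by "Vendor/Model"
    max_patch_age_days: int = 90
    require_encrypted_mgmt: bool = True


@dataclass
class Device:
    device_id: str
    vendor: str
    model: str
    firmware: str          # e.g. "3.2.1"
    mgmt_user: str
    mgmt_password: str
    mgmt_protocol: str     # "https", "ssh", "http", "telnet"
    last_patched: date


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.10.2b' -> (3, 10, 2); a part with no digits counts as 0."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_device(dev: Device, baseline: Baseline, today: date) -> List[str]:
    """Return the list of baseline violations for one device (empty = clean)."""
    findings: List[str] = []
    # 1) Vendor default credentials were never changed.
    if (dev.mgmt_user, dev.mgmt_password) in KNOWN_DEFAULT_CREDS.get(dev.vendor, set()):
        findings.append("default-credentials")
    # 2) Management interface exposed over a cleartext protocol.
    if baseline.require_encrypted_mgmt and dev.mgmt_protocol.lower() in CLEARTEXT_PROTOCOLS:
        findings.append(f"cleartext-mgmt:{dev.mgmt_protocol}")
    # 3) Firmware below the approved minimum; unknown models are flagged too,
    #    because a device you cannot judge is a gap in the inventory itself.
    minimum = baseline.min_firmware.get(f"{dev.vendor}/{dev.model}")
    if minimum is None:
        findings.append("no-baseline-for-model")
    elif parse_version(dev.firmware) < minimum:
        findings.append(f"firmware-below-baseline:{dev.firmware}")
    # 4) Patch schedule missed.
    if (today - dev.last_patched).days > baseline.max_patch_age_days:
        findings.append("patch-overdue")
    return findings


def audit_fleet(devices: List[Device], baseline: Baseline, today: date) -> Dict[str, List[str]]:
    return {d.device_id: audit_device(d, baseline, today) for d in devices}


# Constructed sample baseline and inventory (hypothetical vendors/models).
SAMPLE_BASELINE = Baseline(
    min_firmware={"AcmeMed/Monitor-X": (3, 2, 0), "PumpCo/Infuse-7": (1, 4, 0)}
)
AUDIT_DATE = date(2021, 11, 8)
SAMPLE_DEVICES = [
    Device("mon-101", "AcmeMed", "Monitor-X", "3.2.1", "clinical", "Xk9!vq2", "https", date(2021, 10, 20)),
    Device("mon-102", "AcmeMed", "Monitor-X", "3.0.4", "admin", "admin", "http", date(2020, 1, 15)),
    Device("pump-201", "PumpCo", "Infuse-7", "1.4.2", "root", "pumpco", "ssh", date(2021, 9, 1)),
    Device("vent-301", "OtherCo", "Vent-2", "2.0", "ops", "s3cret", "telnet", date(2021, 11, 1)),
]


def run_sample_audit() -> Dict[str, List[str]]:
    return audit_fleet(SAMPLE_DEVICES, SAMPLE_BASELINE, AUDIT_DATE)


if __name__ == "__main__":
    for dev_id, findings in run_sample_audit().items():
        print(dev_id, "OK" if not findings else ", ".join(findings))
```

The findings are deliberately strings rather than a pass/fail flag so that the output can be fed straight into a ticketing queue or a dashboard; the one design choice worth noting is that a device with no baseline entry is reported as a finding instead of being silently skipped, since an unrecognised device on the clinical network is exactly the kind of thing the inventory is supposed to surface.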
Conclusions
Remember, it takes an entire ecosystem of individuals to help guarantee some reasonable level of medical device Cybersecurity, all the way from the vendor to the parts supplier, and even the doctors and nurses that are using them for their patients.
A future article will take a look at yet another angle that is being used to help safeguard the medical devices of today: the public and private security frameworks.
Sources
2)
https://www.synopsys.com/blogs/software-security/medical-device-security-best-practices/