Sunday, November 6, 2022

(Belated) Cybersecurity Awareness Month – Medical Devices

Introduction

Last month, October, was Cybersecurity Awareness Month.  I realize I am about a week late, but here is a blog that I had wanted to post then.  Here we go! It’s about Medical Device Cybersecurity.

Why Is It So Important?

Many years ago, probably nobody ever thought that an implanted pacemaker could be the target of a Cyberattack.  But fast forward to now, and unfortunately this is the new reality.  One of the main reasons why this is so is that medical devices have pretty much become interconnected with everything else in our lives.  This has become popularly known as the “Internet of Things”, or the “IoT” for short.

With this vast expanse, the Cyberattacker has a lot more fertile territory to penetrate.  Thus, healthcare practitioners of all types now have to be careful when they are working with your implanted device.  For example, your kidney dialysis machine, or even your pacemaker, could be at grave risk.  As horrible as this sounds, a Cyberattacker can now easily tamper with the settings of an internal pacemaker and literally give the patient a heart attack, possibly even costing them their life.

Just How Serious Is It?

While the example illustrated is a bit extreme (but still quite possible), the following statistics underscore just how important Medical Device Cybersecurity has become:

- On average, the healthcare industry has suffered at least 3X more Cyberattacks than any other industry;

- Healthcare data breaches have increased by almost 200%, with Texas being the main target;

- Over 41 million patient records have been hacked into;

- The theft of patient data is quite lucrative, especially on the Dark Web.  For example, each record can sell for as much as $60, and the information that is contained within them can be used to build an entirely new patient profile.  This can then be used to launch subsequent Cyberattacks;

- Although 2021 has been known as the year of Ransomware attacks, it is expected to grow at least 5X as much in the coming year, and once again, Healthcare will be one of the heaviest hit;

- Quite surprisingly, almost 60% of attacks, including those against medical devices, are considered to be “Insider Jobs”.  This simply means that from within the confines of the Healthcare Organizations, Cyberattackers are still hiding in the IT and Network Infrastructures, ready to pounce once the moment strikes;

- Medical Devices that are used by patients are at least 20+ years old.  Thus, there is no way to apply the needed software patches or upgrades, because they will not even work on these legacy devices;

- The average hospital room contains at least 15-20 interconnected medical devices;

- It is predicted that by 2028, there will be at least 50 billion Medical Devices that will be connected amongst one another in the US Healthcare Industry;

- At least 98% of the Medical Devices that are used at the present time remain unencrypted and unsecured, thus leaving them wide open to large scale Cyberattacks such as Ransomware;

- It is the implanted Medical Devices that are most at risk.  These include the following:

  o Cardiac Defibrillators;

  o Cardiac Pacemakers;

  o Insulin Pumps;

  o Equipment that is used for Neurostimulation;

  o Ear Tubes;

  o And many more.

(SOURCE:  1).

How To Protect Yourself From A Cyberattack

Truthfully, there is really no way that an individual patient can protect themselves from being hacked.  The primary reason for this is that, as stated previously, the bulk of these devices are implanted inside the patient, and thus patients are highly dependent upon both the medical practitioners and the Healthcare Industry to take some bold steps.

Here are some recommended tips:

1)     Understand how the device has been built:

Remember, a medical device is no longer just a hardware component.  It also has a huge software part to it, so a Healthcare Provider that is considering procuring a new lot of medical devices for their patients needs to understand how that software was developed.  In this regard, the Provider should ask the manufacturer whether the source code that was compiled to create the medical device was actually tested, and whether any flaws or vulnerabilities that were discovered were mitigated.  Obviously, they will not come out and reveal the actual code, but they should at least answer this question with no hesitation whatsoever.  Anything else should be a huge red flag.

2)     The move to the Cloud:

Primarily fueled by the COVID19 pandemic and the near-99% Remote Workforce, many businesses in Corporate America, and even many of the Healthcare Organizations, have opted to move entirely to the Cloud.  While this does offer a greater degree of Cybersecurity, the Cloud too is still at risk.  Therefore, if you are planning this kind of migration, it is most prudent to go with a well-known Cloud Provider, such as AWS or Microsoft Azure.  They have the security tools on hand that can be deployed in a matter of a few minutes, not only to protect your patients’ medical information and data, but also to protect the network lines of communication to the medical devices.  Another key advantage of this approach is that the Cloud environments that are available from these providers are already compliant with the myriad of data privacy laws, which include the likes of HIPAA, GDPR, CCPA, etc.

3)     Never use the vendor settings:

When the time comes that you have actually procured the needed medical devices for your patients, it is very important to keep in mind that you should not use the default security settings set by the vendor.  The reason for this is that these only offer the most minimal levels of security; therefore, you need to set them to what is required and mandated by your Security Policy.  Also, make sure that you are on a regular schedule of applying the needed software patches and upgrades.  Your vendor should be able to work with you on this critical aspect.
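As an added example (not code from the original post), here is what "set them to what is required by your Security Policy" and "be on a regular patch schedule" can look like once written down and checked automatically.  The script audits a constructed device inventory against an illustrative policy: vendor default credentials must be changed, encryption must be enabled, the last patch must fall within a 90-day window, and devices the vendor no longer supports are flagged for isolation or replacement.  The device records, field names and the 90-day threshold are my assumptions, chosen to illustrate the tips above.

```python
"""Policy compliance check for a connected medical-device inventory.

Added example, not from the original post or any vendor.  The device
records below are constructed, and the policy thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Illustrative written-down Security Policy (assumed thresholds).
POLICY = {
    "forbid_default_credentials": True,  # vendor defaults must be changed
    "require_encryption": True,          # data at rest / in transit encrypted
    "max_patch_age_days": 90,            # patches applied at least quarterly
}

# Audit date used by the sample run below (constructed).
AUDIT_DATE = date(2022, 11, 6)


@dataclass
class Device:
    device_id: str
    model: str
    default_credentials_changed: bool
    encryption_enabled: bool
    last_patched: Optional[date]     # None = no patch history at all
    vendor_supported: bool = True    # False for legacy devices no longer patched


def check_device(dev: Device, today: date, policy: dict = POLICY) -> List[str]:
    """Return the policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if policy["forbid_default_credentials"] and not dev.default_credentials_changed:
        findings.append("default vendor credentials still in use")
    if policy["require_encryption"] and not dev.encryption_enabled:
        findings.append("encryption disabled")
    if dev.last_patched is None:
        findings.append("no patch history")
    else:
        age = (today - dev.last_patched).days
        if age > policy["max_patch_age_days"]:
            findings.append(
                f"last patch {age} days ago exceeds "
                f"{policy['max_patch_age_days']}-day window"
            )
    if not dev.vendor_supported:
        # Legacy device: patches cannot be applied, so it needs network
        # isolation or a replacement plan rather than a patch schedule.
        findings.append("vendor no longer supports device; plan isolation or replacement")
    return findings


def audit(inventory: List[Device], today: date, policy: dict = POLICY) -> Dict[str, List[str]]:
    """Map device_id -> findings, listing only non-compliant devices."""
    report: Dict[str, List[str]] = {}
    for dev in inventory:
        findings = check_device(dev, today, policy)
        if findings:
            report[dev.device_id] = findings
    return report


# Constructed sample inventory (fictitious identifiers, not real devices).
SAMPLE_INVENTORY = [
    Device("PUMP-0001", "infusion pump", True, True, date(2022, 9, 15)),
    Device("MON-0042", "patient monitor", False, True, date(2022, 10, 1)),
    Device("XRAY-0007", "imaging workstation", True, False, date(2021, 3, 3),
           vendor_supported=False),
    Device("DEFIB-0003", "defibrillator programmer", True, True, None),
]


def run_sample_audit() -> Dict[str, List[str]]:
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for dev_id, findings in run_sample_audit().items():
        print(dev_id)
        for finding in findings:
            print("  -", finding)
```

On the constructed inventory only the infusion pump passes: the monitor is flagged for unchanged vendor credentials, the imaging workstation for disabled encryption, a 613-day-old patch and an unsupported vendor, and the defibrillator programmer for having no patch history at all.  In a real deployment the inventory would come from the asset register and the policy values from the organization's own Security Policy.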

Conclusions

Remember, it takes an entire ecosystem of individuals to help guarantee some reasonable level of medical device Cybersecurity, all the way from the vendor to the parts supplier, and even the doctors and nurses that are using them for their patients.

A future article will take a look at yet another angle that is being used to help safeguard the medical devices of today – the public and private security frameworks.

Sources

1)     https://cybersecurityventures.com/15-cybersecurity-statistics-to-diagnose-the-ailing-healthcare-industry/

2)     https://www.synopsys.com/blogs/software-security/medical-device-security-best-practices/
