By Leon Lerman, CEO and founder, Cynerio.
Data-driven medical care with connected devices is now the norm. Patient monitors, IV pumps, MRI machines, and infusion pumps all behave like computers, with the ability to monitor patient conditions in real time, share data and even automatically adjust dosages. Although all of these innovations are improving in-patient care, their ability to communicate over internal computer networks has introduced new vulnerabilities to cyber attacks.
The health risks are high. Hackers can infiltrate devices and tamper with doses or even make devices show false data, leading doctors to the wrong diagnosis. Attackers can also hold electronic medical records for ransom, causing delays in procedures required to treat patients.
The invisible threat
The biggest obstacle to securing medical devices is the simple fact that many of them are hidden. Hospitals often don’t have full visibility into which medical devices they have, so they aren’t aware of all the vulnerabilities. You can’t tell if your MRI is insecure if you don’t keep a full inventory of all the medical devices and all information necessary to assess the relative security risk.
Some hospitals rely on manual methods such as Excel spreadsheets to maintain an inventory of medical equipment. However, electronic files maintained by humans can’t keep pace with the growing number of devices and with all the changes and updates that occur on an ongoing basis.
Often medical devices are added to the network without notifying security professionals and going through the necessary cautionary procedures. Many departments add equipment with the noble aim of improving patient care without notifying IT, since they are simply following the doctor’s orders and doctors are king. Something as simple as browsing for a local restaurant at a nurse’s station can put the hospital at risk if the computer isn’t adequately secured.
Biomedical engineers have been responsible for maintaining the inventory of connected medical devices, but many of them are not trained in cybersecurity and typically aren’t instructed to coordinate their activities with the IT department. In addition, many hospitals expand their IoMT ecosystem into other clinics and hospitals because of M&A, and rely on third parties without documenting the new equipment.
Even if all the medical devices are identified and documented, information that is needed to assess their possible vulnerabilities may be missing. General IT cybersecurity systems that are used to protect email servers, databases, laptops and mobile devices were not built to protect medical devices and will have difficulty monitoring how medical devices operate. Knowing if device readings are necessary for surgical procedures, if the device is critical for patient care, if information is automatically shared with vendors for preventive maintenance, and whether or not patient data is stored on the device are all examples of information that is often overlooked by traditional IT systems.
This information enables security professionals to understand the relative importance of each device and the impact of a cyberattack, so that they can prioritize security procedures and respond accordingly to ensure patient safety, business continuity and data confidentiality.
Steps for prevention
Specialized software that can identify the unique fingerprints of medical devices can be used to scan networks and take a complete inventory. Only an automated system can continuously track newly added devices and any deltas, including devices that have changed their position or gone offline. Keeping a physical inventory isn’t a one-time activity but something that needs to be done on an ongoing basis as devices are moved, retired or added to the network.
These systems should also be used to document the medical context of the device, including all the communication flows, so that an attack’s impact on medical treatments or diagnosis can be fully understood. Only with the clinical context can all of the risks be assessed and prioritized, and the appropriate remediation steps taken.
Immediate actions to secure vulnerable medical devices can include ensuring that the latest software updates, including security patches, are installed. Medical devices that are highly vulnerable, like devices running an older operating system that is no longer supported, such as Windows XP, should be segmented off the main network to limit the potential damage from data theft and the risk to patient safety in the event the equipment is compromised.
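The steps above can be illustrated with an added example (not code from this article or from any product): it compares two inventory scans to find added, offline and moved devices, then ranks the current devices using clinical context. The field names, the scoring weights and the sample scans are assumptions constructed for illustration; only Windows XP as an unsupported operating system comes from the text.

```python
from dataclasses import dataclass

# Assumption: the set of end-of-support OS names; the article names only Windows XP.
UNSUPPORTED_OS = {"Windows XP"}

@dataclass(frozen=True)
class Device:
    mac: str             # stable key used to match a device across scans
    kind: str
    os: str
    location: str        # ward or network segment where the device was seen
    critical_care: bool  # readings are needed for treatment or surgery
    stores_phi: bool     # patient data is stored on the device
    vendor_link: bool    # data is shared with the vendor for maintenance

def diff_inventory(previous, current):
    """Return the deltas between two scans: added, offline and moved devices."""
    prev = {d.mac: d for d in previous}
    curr = {d.mac: d for d in current}
    moved = [m for m in curr.keys() & prev.keys()
             if curr[m].location != prev[m].location]
    return {"added": sorted(curr.keys() - prev.keys()),
            "offline": sorted(prev.keys() - curr.keys()),
            "moved": sorted(moved)}

def risk_score(d):
    """Illustrative weights (an assumption, not a published scoring scheme)."""
    return (4 * (d.os in UNSUPPORTED_OS) + 3 * d.critical_care
            + 2 * d.stores_phi + 1 * d.vendor_link)

def prioritize(devices):
    """Highest risk first; the last field flags the device for segmentation."""
    ranked = sorted(devices, key=lambda d: (-risk_score(d), d.mac))
    return [(d.mac, risk_score(d), d.os in UNSUPPORTED_OS) for d in ranked]

# Constructed sample scans; MAC addresses are from the documentation range.
SCAN_MON = [
    Device("00:00:5e:00:53:01", "MRI", "Windows XP", "radiology", True, True, True),
    Device("00:00:5e:00:53:02", "IV pump", "vendor RTOS", "ward-3", True, False, False),
    Device("00:00:5e:00:53:03", "patient monitor", "Linux", "icu", True, True, False),
]
SCAN_TUE = [
    SCAN_MON[0],
    Device("00:00:5e:00:53:02", "IV pump", "vendor RTOS", "ward-5", True, False, False),
    Device("00:00:5e:00:53:04", "nurse station PC", "Windows 10", "ward-3", False, True, False),
]

if __name__ == "__main__":
    print(diff_inventory(SCAN_MON, SCAN_TUE), prioritize(SCAN_TUE), sep="\n")
```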
Cybersecurity issues can directly impact patient safety and, in severe cases, even have life-threatening repercussions. Having visibility into all the connected medical equipment in healthcare facilities is an essential first step. You can’t secure what you can’t see, and automating discovery of medical devices with the appropriate clinical context provides the full picture needed to protect patient safety and data.