Articles focused on cybersecurity threats facing the connected medical device market often cite a well-worn statistic: the average hospital bed in the United States has 10 to 15 internet-enabled devices that collect and transmit data.
While this number is important, it only tells part of the larger story.
For example, the data those devices collect continues to grow in importance and sensitivity. Yes, tools capture heart rate and blood pressure readings, but connected medical devices today also capture a patient’s personally identifiable information.
According to the 2022 State of Healthcare IoT Device Security Report (PDF) from Cynerio, over half of the internet-connected medical devices analyzed were found to have a known vulnerability. If these medical devices were to be compromised by hackers, it would significantly impact service availability, patient confidentiality, and even patient safety.
As IoT adoption increases within the healthcare industry, healthcare organizations and device manufacturers will need to prioritize the security of connected medical devices to keep patients’ data private and ensure patient safety.
An Increased Attack Surface
Each of these devices provides a potential entry point for hackers to jeopardize patient safety or compromise a healthcare organization’s back-end networks. Hackers can use these network connections to gain unauthorized access to the devices themselves, device monitoring systems and patient data. Other types of attacks include:
• Denial-of-service attacks
• Malware that infects, reprograms, or alters the settings of the individual device
• Electromagnetic interference
• The loss or even theft of portable or external networked medical devices
In some ransomware cases concerning a connected medical device, the personal privacy of patients may be compromised. For example, in 2017 the U.S. Food and Drug Administration (FDA) announced that more than 465,000 implantable pacemaker devices made by St. Jude Medical were vulnerable to hacking. While there were no known hacks, an attacker could have gained access to these devices to carry out potentially harmful attacks on patients or could have stolen personal information.
Some hackers can use a device’s connections not only to prevent the device from operating properly, but also as an entry point to infiltrate a hospital’s wider technology system. By compromising a single device, hackers can then move laterally through the network: escalating privileges, gaining access to closely guarded systems and information, and even holding the network for ransom. In the US, healthcare providers have seen a continued increase in ransomware cases each year, with 82 reported in 2021 by the HC3 security program from the US Department of Health and Human Services. The consequences of ransomware attacks in healthcare can range from inaccessible data, reverting to paper records, shutting down services, and diverting patients to other facilities, to, in a worst-case scenario, failure to provide services leading to poor patient outcomes.
Improving Device Security Requires All Stakeholders
The scale and scope of connected medical devices make them difficult to defend. Creating better overall cybersecurity around these devices requires buy-in from medical device manufacturers, regulators, and healthcare facilities themselves. While there is no silver bullet solution, these three groups working in harmony can improve the overall security.
Regulators: Policymakers have started to take an active role in the process by establishing regulations to guide manufacturers. In the US, the FDA has made an effort to provide guidance to stakeholders regarding the security of medical devices. For example, the FDA recommends that specific device design, labeling and documentation be included in premarket submissions for devices with potential cybersecurity risks. The FDA continues to refine its guidelines and best practices to help medical device manufacturers and the healthcare community navigate cybersecurity and safety issues.
Device Manufacturers: Manufacturers can limit risk through enhanced controls and effective cybersecurity testing of the device and its components. Overall, though, the devices themselves need a more robust cyber infrastructure that extends across the product’s life cycle. Medical device security should be baked into the device’s design at the subcomponent level. For example, Bluetooth system-on-a-chip parts can ship from third parties with vulnerabilities already baked in. These are difficult to detect and leave devices exposed. That’s why device manufacturers need to enhance their protocol fuzzing capabilities as part of their standard quality control processes and increase collaboration with suppliers to ensure potential issues are swiftly identified and mitigated. In addition, they need to provide security for the lifetime of the device through an effective process for patching vulnerabilities via firmware updates.
Medical Providers: As part of their cyber hygiene, healthcare organizations have to stay current with the cybersecurity of all connected devices, hardware, software and networks. With the growth of connected devices, they need to keep an up-to-date inventory of these devices so that they can monitor for vulnerabilities and mitigate with firmware or software upgrades from the manufacturer or password changes. They must develop best practices for selecting medical devices that include cybersecurity as a criterion. Healthcare organizations also need to invest in proactive cybersecurity testing such as vulnerability detection and response, while training staff in best practices for cyber hygiene. Finally, the healthcare organization must have resilience measures in place in case of a cyberattack.
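The inventory-driven monitoring described above can be made concrete with a small reconciliation script. The following is an added example written for this article, not code from any manufacturer, regulator or the author; the device models, firmware versions and advisory entries are constructed for illustration and do not refer to real products. It compares each inventoried device’s firmware against a list of advisories (each giving the first fixed version) and flags devices still running factory default credentials, producing the two mitigation actions the passage names: a manufacturer firmware update or a password change.

```python
"""Reconcile a connected-device inventory against advisory data.

Added example for the article above; all models, versions and advisories
are constructed placeholders, not real devices or real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str                 # asset tag used by the hospital
    model: str                     # manufacturer model string reported by the device
    firmware: str                  # dotted version string, e.g. "3.0.7"
    default_credentials: bool = False  # True if factory credentials are still in use


@dataclass(frozen=True)
class Advisory:
    model: str
    fixed_in: str                  # first firmware version that contains the fix
    summary: str


# Constructed sample advisories (hypothetical models; not real products).
ADVISORIES = [
    Advisory("INFUSE-200", "3.1.0", "unauthenticated configuration change over the network"),
    Advisory("MONITOR-X", "1.4.2", "outdated Bluetooth stack"),
]

# Constructed sample inventory as an asset-management export might provide it.
INVENTORY = [
    Device("bed-12-pump", "INFUSE-200", "3.0.7"),
    Device("bed-12-monitor", "MONITOR-X", "1.4.2", default_credentials=True),
    Device("icu-3-pump", "INFUSE-200", "3.1.0"),
    Device("ward-b-vent", "VENT-7", "5.2"),
]


def parse_version(version: str) -> tuple:
    """'3.1.0' -> (3, 1, 0). Non-numeric parts raise so bad data is noticed, not ignored."""
    return tuple(int(part) for part in version.strip().split("."))


def version_below(installed: str, fixed_in: str) -> bool:
    """True if `installed` is older than `fixed_in`; '5.2' and '5.2.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def assess(devices, advisories) -> dict:
    """Return {device_id: [action, ...]}; devices with nothing to do map to an empty list."""
    by_model = {}
    for adv in advisories:
        by_model.setdefault(adv.model, []).append(adv)

    report = {}
    for dev in devices:
        actions = []
        for adv in by_model.get(dev.model, []):
            if version_below(dev.firmware, adv.fixed_in):
                actions.append(f"update firmware to {adv.fixed_in} ({adv.summary})")
        if dev.default_credentials:
            actions.append("replace factory default credentials")
        report[dev.device_id] = actions
    return report


def devices_needing_action(report: dict) -> list:
    """Sorted asset tags that have at least one open action, for a work queue."""
    return sorted(dev_id for dev_id, actions in report.items() if actions)


if __name__ == "__main__":
    findings = assess(INVENTORY, ADVISORIES)
    for dev_id in devices_needing_action(findings):
        for action in findings[dev_id]:
            print(f"{dev_id}: {action}")
```

In practice the inventory and advisory lists would come from the asset-management system and the manufacturer’s published advisories rather than constants; the version comparison deliberately pads short version strings so that a device reporting “5.2” is not wrongly flagged against a fix labelled “5.2.0”.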
The Path Forward
According to a Mordor Intelligence study, the medical device market is expected to grow more than 19 percent each year for the next five years. As the number of connected medical devices grows, healthcare organizations and device manufacturers must work together to ensure the safety of patients and of the overall healthcare landscape. Connected medical devices have great potential to provide patients with tremendous benefits, but only if they are secure.