by Travis Horstman – oneSOURCE’s Biomedical Account & Safety Manager
When you consider that connected* (wireless) medical devices are essentially small computers on a network, it’s not surprising that hackers and other malicious actors would try to compromise them for any number of reasons.
More and more medical devices are wirelessly connected to the Internet and also to healthcare facility networks and their respective sensitive devices. The proliferation of these devices is truly remarkable and a testament to the manufacturers of these pumps, monitor, diagnostic, imaging and other portable or nonportable devices and equipment. There is no doubt their healthcare technology breakthroughs significantly improve hospital efficiency and levels of care.
Connected medical device technology provides significant advantages. In the hospital, it allows for more patient mobility, improves information sharing and enables centralized station monitoring. Outside the hospital, wearable or implantable connected devices allow for proactive or reactive healthcare monitoring. This can minimize the need for office visits while technicians maintain a finger on the pulse of the health of their patients (nearly literally!) and the performance of life-sustaining devices. This kind of hardware, however, comes with the inevitable risk of security breaches.
That’s why during 2019, both the Department of Homeland Security (DHS) and the Food and Drug Administration (FDA) issued advisories and warnings about vulnerabilities in medical devices that make them susceptible to service disruption and cyberattacks.
Why would someone try to access connected medical devices and disrupt patient care or access hospital care systems? It almost seems silly to ask that question. Hackers do it for the same reasons they target corporations or troll every person who accesses the Internet through their personal devices – from computers to Siri to doorbells:
- to demand ransom
- to deny service
- to steal trade secrets
- to gain entry to a larger system
- to access confidential information
- to commit an act of terrorism
- just to see if they can
Attackers may attempt to take healthcare networks hostage, demanding large ransoms (paid in cryptocurrency) before they relinquish control. Other threat actors may simply be interested in copying outpatient information and selling it on the Dark Web. Such activities are commonplace in the corporate world, but the healthcare industry is even more critical – people rely on it for their very lives. Nation-state actors in the future may trick a pharmacy database into discretely changing a prescription dosage, prevent an alarm state on a patient’s vitals monitor or alter a medical diagnostics report.
Such attacks, as of this writing, are unheard of, but they’re not very far away. The healthcare industry is responding to these threats by creating new healthcare cybersecurity certifications for security professionals in the healthcare industry, implementing minimum technical safeguards for patient data and working with government experts to manage risk and report problems that do exist.
Wireless devices aren’t going away. Society and the FDA have made it clear that their benefits outweigh the risks, including healthcare cybersecurity risks. That means manufacturers and caregivers both have a role to play in reducing healthcare cybersecurity risks to protect patients and the IT systems in and outside of the healthcare facility. It’s great to see how both parties are clearly embracing that critical obligation.
More than ever, manufacturers are taking responsibility for their products throughout their lifecycle – not just in the development/design phase (where they integrate state-of-the-art cybersecurity features and minimize the use of off-the-shelf software), but also in post-market management of their devices as they deliver system patches and updates (for years and even decades) that anticipate or react to cybersecurity vulnerabilities. (The update process comes with its own set of risks, however, as this article points out.)
Similarly, healthcare facilities are increasingly vigilant to incorporate manufacturers’ upgrades and instructions, maintain high levels of network security, pay close attention to advisories from manufacturers and government regulators and maintain risk management plans.
Both do a remarkable job, and while it will never be possible to reduce the level of connected device cybersecurity risk to zero, everyone has a vested interest in staying one step ahead of the cybercriminals.
* “connected” refers to connection to a system through wireless technology. Physical proximity to the connected device is not needed in order to access (or tamper) with it.
Travis Horstman is oneSOURCE’s Biomedical Account & Safety Manager, providing operational support and specialized assistance to the Biomedical database team. Before joining oneSOURCE, Travis served as a biomedical equipment engineer in the U.S. Air Force. Travis is an Air Force reservist, serving as a Cyber Operations Specialist. In the past he maintained an AAMI CBET Certification and he currently holds a CompTIA + Security Certification. Travis would like to acknowledge the input to and review of this article by Gregory A. Rivas, a fellow cyber operations specialist.
