How to Protect Medical Devices from Ransomware
Cyberattacks on hospitals are rising, and patients are worried. Is my personal data at risk? Could ransomware or hackers effectively shut down the ER near me?
Consider these findings from a March 2021 report by cybersecurity provider Morphisec:
- About one in five Americans said their health care was affected by cyberattacks last year.
- Nearly two-thirds of consumers said they are more worried this year than last year about ransomware taking their health care provider offline and affecting their care.
- Nearly a third said if their health care provider were attacked and their health care record were breached, they would switch providers.
Cybersecurity technology can help protect against threats that target laptops, desktops and the like, but what’s protecting a hospital’s medical devices, which are increasingly connected to a health system’s network? Some medical devices are a gateway into patient data, while others have been shown, in chilling detail, to have vulnerabilities that, when exploited, put patient welfare at risk.
Cyberattack prevention must extend to a hospital’s clinical devices such as insulin pumps and MRI machines. A comprehensive approach includes detection and protection, but just as important is a team always on the lookout for the next threat.
Maintaining a Comprehensive Medical Device Inventory
The first step toward preventing ransomware attacks is to identify a device breach quickly. To do that, a hospital system or other health care delivery organization (HDO) must have a complete picture of just how many connected devices it has. Its clinical asset management solution plays a vital role.
“A foundational preparedness principle is knowing what systems are connected to the HDO’s network. By maintaining a centrally managed, baseline set of information about each medical device, an HDO will be better situated to account for and manage medical devices before, during, and after a cybersecurity incident,” the nonprofit research organization MITRE says in its medical device security playbook.
A comprehensive connected medical device inventory would include such physical attributes as make, model, equipment description, modality, serial number, department, room and scheduled maintenance cycles, information typically maintained by the clinical engineering department in its computerized maintenance management system (CMMS).
But the inventory now also must include the equipment’s digital persona, a model control profile and data security fields such as Bluetooth connectivity, USB interfaces and, in particular, electronic protected health information (ePHI) creation, storage and transmission.
Although instances of cybercriminals obtaining ePHI data are not grabbing headlines, the potential for them to do so exists. So, it is critical to know which devices transmit and store ePHI data.
The more prominent threat to medical devices is when cybercriminals literally take control of medical devices, either shutting them down or causing them to function at risk to life.
Flagging OEMs when a Medical Device Update is Needed
Unlike with a laptop, security patches do not automatically download and install on medical devices. What’s more, clinical engineering (CE) teams need to be actively monitoring for risks and for when patches are available from the original equipment manufacturers, a task too demanding for hospitals—with thousands of medical devices—without a robust clinical asset management solution.
A robust solution would include a comprehensive inventory, a team of professionals with expertise in medical device cybersecurity, continuous monitoring for threats and vulnerabilities and a relationship with OEMs to acquire software patches or effective workarounds. In fact, FDA-regulated devices demand manufacturer-validated security patches and remediation solutions to retain their FDA-approved status.
Other issues also might require manufacturer-led repairs to software or hardware issues. Although “right to repair” legislation has surfaced in some areas of the country that could change this dynamic, for the moment, patient welfare is best served when a CE team can quickly point out a needed repair to a manufacturer through an established working relationship.
Medical devices cannot be treated like other IT endpoints or internet of things (IoT) devices. All patches, updates and other endpoint security solutions need to have been validated by the OEM before they are installed.
Keeping Tabs on Access—both Physical and Remote
As the need for timely updates and patches shows, a vigilant cyberdefense hinges on the ability to continuously assess medical devices for potential vulnerabilities. This includes both physical and remote device access.
Access permissions and authorizations should be regularly reviewed and managed. Clinical assets should be formally managed through installation, maintenance, transfers and disposition, particularly to safeguard against leaks of ePHI data, which hackers could leverage for ransom.
Hackers are shrewd, ruthless and opportunistic. Cybersecurity provider Emisoft reported that 560 health care facilities were targeted in attacks last year. The need for medical equipment safeguards has never been stronger. Cybersecurity solutions can identify holes in medical device security and alert clinical engineering teams, flag available patches from OEMs and protect against unwanted physical and remote device access.
