From insulin pumps that treat diabetics to implanted stimulators that regulate the human heartbeat, connected medical devices are increasingly vulnerable to hackers. Moreover, when hackers are able to compromise a device, they can lock down a hospital’s or other medical facility’s data and “hold” it for ransom – or, even worse, threaten physical harm to the patient wearing the device.
How serious is the problem? According to a survey conducted by KPMG, 81% of health care organizations had their data compromised over a two-year period, and nearly one-third of industry executives rank medical device threats as a top information security issue. Furthermore, over one-third of organizations that operate or otherwise use IoT-connected medical devices experienced a cyber security incident within the past 12 months, according to survey research from Deloitte. Add to this that the healthcare industry accounts for 88% of all ransomware attacks, according to research from NTT Security, and you have a recipe for continued cyber disaster.
According to the Deloitte survey, the challenges health care industry executives face in protecting medical devices include:
- Identification and mitigation of the risks of fielded and legacy-connected devices
- The need to embed vulnerability management into the design phase of the devices
- Incident monitoring and response
- Lack of collaboration about threat management throughout the connected medical device supply chain
Moreover, even in the face of so many cyber incidents, the majority of healthcare providers still spend on average less than 6% of their IT budget on security, less than half of the 12–15% that the finance/banking sector and the federal government spend, according to research from Healthcare Information and Management Systems Society (HIMSS) Analytics and Symantec.
Mitigating cyber risk
In an effort to help the health care industry mitigate cyber risks, the FDA recently issued cyber security guidance for medical devices, including the following:
- Limit access to devices through the authentication of users
- Use automatic timed methods to terminate sessions where appropriate
- Where appropriate, differentiate privileges based on the user role
- Strengthen password protection by avoiding hardcoded passwords
- Where appropriate, provide physical locks on devices
- Require user authentication before permitting software or firmware updates
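The following is an added example, not code from the article or from the FDA guidance it summarizes. It shows how several of the controls listed above fit together in a hypothetical connected device's access-control layer: credentials are checked against per-user salted hashes rather than a hardcoded password, privileges are differentiated by role, idle sessions are terminated automatically, and a firmware update is accepted only from an authenticated session holding the right role. The class name DeviceAccessControl, the roles, the privilege names and the idle timeout value are all assumptions made for illustration.

```python
"""Added example (not from the article or the FDA guidance): a minimal
access-control layer for a hypothetical connected medical device.
Names, roles and the timeout value are assumptions for illustration."""
import hashlib
import hmac
import os
import time

IDLE_TIMEOUT_SECONDS = 300  # assumed: sessions end automatically after 5 idle minutes

# Privileges granted per role. Least privilege: a clinician can dose but not
# reflash the device; a biomedical technician can update firmware but not dose.
ROLE_PRIVILEGES = {
    "clinician": {"read_telemetry", "adjust_dose"},
    "biomed_tech": {"read_telemetry", "update_firmware"},
}


def hash_password(password, salt=None):
    """Derive a salted PBKDF2-SHA256 hash. Only the salt and digest are stored,
    never the plaintext, so there is no password baked into the firmware."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class DeviceAccessControl:
    def __init__(self, clock=time.monotonic):
        self._clock = clock        # injectable so the timeout can be tested
        self._users = {}           # username -> (salt, digest, role)
        self._sessions = {}        # token -> {"user", "role", "last_seen"}

    def provision_user(self, username, password, role):
        """Provision a named account; there is no default or shared account."""
        if role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def login(self, username, password):
        """Return a session token on success, None otherwise."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored, role = record
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(stored, candidate):   # constant-time compare
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = {"user": username, "role": role,
                                 "last_seen": self._clock()}
        return token

    def _session(self, token):
        """Return the live session, terminating it if the idle timeout elapsed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]  # automatic timed session termination
            return None
        session["last_seen"] = now
        return session

    def authorize(self, token, privilege):
        """True only for a live session whose role carries the privilege."""
        session = self._session(token)
        return session is not None and privilege in ROLE_PRIVILEGES[session["role"]]

    def update_firmware(self, token, image):
        """Accept a firmware image only from an authenticated, authorized session."""
        if not self.authorize(token, "update_firmware"):
            return False
        self.pending_image = image   # staged for installation by the device
        return True
```

The clock is injected so the idle timeout can be exercised deterministically; in a real device it would be the monotonic system clock. Note that the firmware gate here covers only who may submit an image, which is the control the guidance names; integrity checking of the image itself is a separate control.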
Also, for network-connected devices, consider implementing a comprehensive network segmentation architecture dedicated solely to medical devices, so that the device segment has no connection to non-device data. If attackers compromise a device, there is only so much harm they can do, because the device is “walled off” from everything else within the enterprise. Likewise, implement a separate segmented network for wireless devices, which operates like the segmented network for non-wireless devices. Such a segmented environment must incorporate the highest level of encryption.