As the number of medical devices surges, so does the number of vulnerabilities
Over the past few weeks, there have been multiple stories related to cybersecurity vulnerabilities found in connected medical devices. Although until now there have been no reports of attacks, privacy breaches or cases of patient harm associated with these specific vulnerabilities, these examples provide a taste of the Internet of Medical Things (IoMT) cybersecurity challenges that the healthcare industry and its vendors are facing when it comes to securing end-point devices.
Earlier this month, Medtronic issued a set of patches for vulnerabilities found in its CareLink programmers and certain implanted devices. The vulnerabilities were disclosed as early as 2018, with alerts coming from the DHS and the FDA as thousands of the vendor’s cardio defibrillators were found to have critical vulnerabilities that could allow hackers to remotely control the implanted devices.
The DHS and the FDA also recently notified healthcare providers about patches that GE Healthcare would be issuing for critical vulnerabilities which could allow attackers to remotely take control of some of their clinical information central stations and telemetry servers. According to the DHS, "successful exploitation of these vulnerabilities could occur when an attacker gains access to the mission critical and/or information exchange networks due to improper configuration or physical access to devices."
As for healthcare providers, they are eagerly leaping on the IoMT bandwagon. Stanford Hospital just declared that they are 'an Internet of things hospital of the first order'; a few examples include biomedical devices with sensors connected to a real-time location system, nurses getting phone notifications instead of alarms going off in patients' rooms, and robotic machines selecting and preparing medications.
While these developments provide great benefits to patients, caregivers and care providers alike, the question of how to secure all these IoMT devices across their entire life cycle tends to be overlooked. This issue may never be mentioned in celebratory articles, but it is definitely one that is starting to keep hospital security teams awake at night.
Being the most targeted market for cybersecurity attacks comes at a steep price
Attacks on healthcare providers can be initiated through any connected medical device, whether stationary, ambient, wearable or implanted, using multiple attack vectors. As a result, they do not just compromise highly sensitive customer data, they also pose risks with increasing severity, from stolen IP and credentials, to financial and reputational damage, and all the way to physical safety due to operational downtime and, at worst, patient health. Taken together, all these come at a high price for medical organizations.
Here are some more stats for you to think about:
- Healthcare providers are the most targeted organizations for industry cybersecurity breaches with nearly 4 out of 5 breaches.
- 82% of healthcare organizations have experienced IoT-focused cyberattacks with 30% of these attacks compromising end-user safety.
- More than 50% of healthcare leaders say they were most concerned about IoT issues compared to other emerging threat areas.
- Healthcare data breaches cost $6.45 million on average which is the highest cost across multiple industries, more than 60% higher than the cross-industry average.
- 82% of medical device manufacturers are concerned that IoMT devices are not adequately secured from a cyberattack.
Considering these alarming statistics and the rapid growth in the number of connected medical devices, it is no surprise that ensuring the security of medical devices is quickly becoming a critical issue for both IoMT device manufacturers and healthcare providers. They key problem here is that medical devices are generally not designed with security in mind, despite the direct impact that attacks and exploits can have on patients’ lives. So why aren’t healthcare leaders insisting that security features be integrated into medical devices across their entire lifecycle?
Waiting is no longer an option for medical device manufacturers, vendors or users
While network security has been a top priority for healthcare organizations for quite some time, it is no longer enough. The time has arrived for device-level security to move into the spotlight if the healthcare market wants to preemptively prevent the significant damage that IoT-focused attacks can (and will) create.
To solve this urgent problem, both medical device manufacturers and healthcare organizations need to implement robust end-to-end cybersecurity strategies - improve awareness of security issues, understand their implications and figure out how to fix them. Then they must work together to make sure all security gaps are bridged in order to mitigate the ever-growing cybersecurity risks looming ahead of them.
Manufacturers must make cybersecurity part of the core infrastructure of each and every connected medical device starting with the design stage using the Security by Design methodology, while healthcare organizations must make sure that security best practices were properly implemented by the vendors before they start using (and handing out) the devices. Whether attacks are based on default credentials, exploit unsecured APIs, leverage faulty communication protocols, overwrite firmware, or employ brute-force methods - all can be significantly weakened by implementing the appropriate security measures from design to deployment.
Make sure that security is addressed early and often across the device lifecycle
Adding security to a connected medical device retrospectively is challenging and often done in response to a specific threat. It is far better to do it proactively using the Security by Design methodology which ensures that devices are built with optimized security based on secure defaults, coding best practices, authentication protections and continuous testing. Embedding the right security building blocks from the start, dramatically decreases their attack surface, covering most IoT threats and making it very hard to exploit cybersecurity vulnerabilities even if they exist.
Because of the many variables involved in IoT cybersecurity, connected medical device manufacturers need to start integrating Security by Design early in their development process. They have to focus on automating the risk analysis, recommendation and mitigation processes to make sure that these can be scaled rapidly across all the devices and updates they are developing.
At the same time, healthcare organizations also bear the responsibility of making sure that security was implemented across all the IoMT devices they are using. They must do this in order to minimize the safety and monetary risks that can – and do - result from poor implementations that do not provide comprehensive security measures.
To back this up, here’s what the director of the office of strategic partnerships and technology innovation at the FDA has to say about this issue: "The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks. For example, medical device manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their medical devices, (while) health care delivery organizations should evaluate their network security and protect their hospital systems. Both are responsible for putting appropriate mitigations in place to address patient safety risks and ensure proper device performance.”