By Oliver Noble
Despite the complexity of health care, there are many measures to mitigate the risks of cyberattacks on medical equipment.
A hospital bed, on average, has up to 20 medical devices connected to it. Each of those devices has a digital component that transmits patient data to a hospital’s computer network. This means there’s always a risk of a compromised system, as all it takes is one vulnerable endpoint.
Like other industries, health care is undergoing digital transformation. Medical technology is evolving, so more and more computerized devices get installed and connected to a health care facility’s network. The downside of this improvement is that it might become easier for hackers to intercept the system because unprotected devices accelerate vulnerabilities.
A health care organization’s network is a very complex environment to control as it consists of a massive variety of equipment, databases and systems that often include connections to external sources and third-party providers. On top of that, there are personal devices, like smartphones and laptops, brought in and used by the staff and patients.
Health care providers have a large attack surface, and the complexity of the industry makes it extremely difficult for them to come up with effective defensive mechanisms, cybersecurity policies and procedures.
Outdated systems and practices are one part of the problem. Underinvestment in cybersecurity, which leads to the inability of health care practitioners to identify and deal with persistent cyber threats, is another big issue.
Add a vast array of substantial medical records a hospital stores, and we have a ticking bomb. Deliberately tampering with stolen patient data could facilitate identity theft, extortion or even put human lives in danger.
Even though vendors providing hospitals with medical equipment and services have to comply with various standards and regulations, the staff can also contribute to making sure the technologies are used securely. Everything starts from breaking cybersecurity down into smaller parts and taking it one step at a time.
Potential measures to mitigate the risks of cyberattacks on medical devices include:
- Training employees on what information is collected on what devices and how it’s stored, and what the risks and threats are.
- Enabling encryption between picture archiving and communications system (PACS) and the hosts in the hospital’s radiology network.
- Installing digital signatures to sign every critical action with a secure mark of authenticity.
- Putting the right protection around each device individually, as different devices have different configurations.
- Creating a centralized view of all devices connected to a network to monitor their expected behavior and look for red flags if any of the activities deviate from the norm.
- Using a custodial provider to protect medical records. This means that an agency safeguards the data and third parties, like clinics, need to request temporary access.
- Storing data backups in an encrypted cloud in case ransomware hits. This ensures the data doesn’t get leaked and access to it isn’t lost.
- Controlling access to information. Employees should be able to access only the information necessary to do their jobs. Limiting personal devices connected to the network should be considered too.
- Investing in multi-layer detection and recovery systems. Installing such a system helps to identify and prevent malware installation.
- Halting the use of File Transfer Protocol (FTP) servers operating in anonymous mode. Malicious actors can use the anonymous flaw in such servers to steal sensitive information or launch a targeted cyberattack.
- Adding security requirements to purchase agreements with vendors. The latter should make sure the firmware is up to date and keep hospitals notified of the ways their equipment could be exploited.
- Adding strong firewalls and using a virtual private network (VPN). This can offset some of the risks that come with additional connected devices.
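
For the anonymous FTP item in the list above, an added example (not part of the original article): a Python audit that checks FTP servers in an organization's own inventory for anonymous login, using the standard-library `ftplib`. The inventory addresses, function names and status labels are assumptions made for illustration.

```python
import ftplib

# Constructed inventory of FTP endpoints the organization owns (assumption:
# replace with an export from your asset register). Addresses are TEST-NET-1.
INVENTORY = [("192.0.2.10", 21), ("192.0.2.11", 21)]


def check_anonymous(host, port=21, timeout=5.0):
    """Classify one endpoint by whether it accepts an anonymous login."""
    result = {"host": host, "port": port, "banner": "", "status": "unreachable"}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:
        return result  # nothing listening, filtered, or not speaking FTP
    result["banner"] = ftp.getwelcome()  # helps identify the device or vendor
    try:
        ftp.login()  # no arguments: user "anonymous", password "anonymous@"
        result["status"] = "anonymous-allowed"
    except ftplib.error_perm:
        result["status"] = "anonymous-denied"  # 5xx reply: login refused
    except ftplib.all_errors:
        result["status"] = "inconclusive"  # timeout, 4xx reply, dropped session
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    return result


def audit(inventory, timeout=5.0):
    """Check every endpoint and return only those needing remediation."""
    results = [check_anonymous(h, p, timeout) for h, p in inventory]
    return [r for r in results if r["status"] == "anonymous-allowed"]


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding['host']}:{finding['port']} allows anonymous FTP "
              f"({finding['banner']!r}); disable anonymous mode or retire it")
```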
There’s a great need for reform within the health care industry as it is still lacking the initiative to prioritize cybersecurity. However, a lot can be done, starting from within an organization. As a part of risk management, contingency plans for different scenarios should be set up in advance.
Oliver Noble is a cybersecurity expert at NordLocker, an encryption-powered data protection solution.