By Phil Englert

Healthcare technology is evolving at a furious pace and the benefits for clinical care are nothing short of amazing. From wearable glucose monitoring systems to water vapor cancer ablation and many other technologies, today’s patient care technologies are less invasive and provide better outcomes with lower risks.
Increasingly, medical devices are interfaced with the outside world to either take in treatment plans or report out physiological parameters such as blood glucose levels, heart rate, oxygen levels and others. Interoperability – the ability to interact with different devices, applications or products to exchange data and instructions in a coordinated way – is the great enabler of technology but is not without risks. Each communication boundary presents a risk for the data and the instructions that cross it. Cyber actors can cause medical device failures in several ways.
Cyber actors can exploit vulnerabilities in medical devices or the software and networks that support them. These vulnerabilities may allow cyber actors to gain unauthorized access, steal sensitive information or cause damage to the devices or systems. Stolen data is commonly ransomed and may invoke regulatory penalties. Threat actors can launch denial of service (DoS) attacks against medical devices or networks. These attacks overload the devices or networks with traffic, causing them to fail or become inaccessible. Patients and caregivers are more reliant than ever on health care systems to interact with each other. System outages are not only frustrating but may result in delayed treatment.
Cyber actors can distribute malware or viruses that infect medical devices and cause them to fail or become compromised. These attacks may result in the theft of sensitive data, the destruction of critical systems, or the disruption of business operations. Cyber actors may use social engineering techniques to trick users into revealing sensitive information or clicking on malicious links, which can result in medical device failures or compromise. Cyber actors may physically tamper with or damage medical devices to cause failures or compromise their security. Access to medical devices varies greatly within health care settings and should be considered during risk assessments and deployment. Devices may be found in access-controlled spaces and actively monitored or they may be found stored in hallways or other public spaces. Employees or other insiders with access to medical devices or systems may intentionally or unintentionally cause failures by misconfiguring devices or systems, stealing data or introducing malware.
Cyber actors have several methods and tools they use to gain access to medical devices. In the patient care environment, cyber activity can have disastrous outcomes. Cyber is another mode of failure which needs to be considered in maintenance operations planning. Healthcare technology management (HTM) staff are playing a growing role in the management of cyber threats in the patient care environment. They are uniquely qualified to understand the technology, the patient care environments and the clinical workflows. To prevent these types of attacks, it is important for biomedical technicians (HTM staff) to play a larger role in implementing strong security measures, such as regular software updates, network security controls, access controls and user education and training. Additionally, organizations should regularly monitor medical devices and networks for signs of suspicious activity and have incident response plans in place to quickly respond to and mitigate any attacks.
Cyber maintenance activities should be added to maintenance routines and performed regularly to ensure the security of medical devices. Keep medical devices up to date with the latest software releases, including firmware and security patches, to ensure they are protected against known vulnerabilities. Not all medical devices are supported the same way, so working with the manufacturer to learn release schedules and delivery methods is essential for HTM to manage these processes efficiently. Wherever possible, use strong and unique passwords for medical devices, and change them regularly. Avoid using default passwords, which are commonly known within the HTM service community. Work with your network architecture team to secure the network that the medical devices are connected to with firewalls, intrusion detection and prevention systems, and other security measures to prevent unauthorized access. Employ encryption techniques for data transmitted between medical devices and the cloud or other systems to prevent interception and theft.
When patient data is no longer needed on a medical device, move it off the device and into data centers where it can be better monitored and protected. Educate users on the need for and best practices for medical device security, such as not clicking on suspicious links and not using the public guest Wi-Fi network with medical devices. Implement strong authentication mechanisms to prevent unauthorized access to medical devices, such as two-factor authentication. Work with clinicians to find the best balance of security controls and workflows. Extend the HTM mantra of “trust but verify” for patient safety to medical device security. Regularly inspect the configuration settings of devices. Monitor medical device communications with passive monitoring tools. Test the more robust medical devices for vulnerabilities and weaknesses using tools like vulnerability scanners. Regularly back up important data and configurations to prevent data loss in case of an attack or system failure.
Cyber-attacks can impact medical devices in many ways. Cyber actors who only access and steal data may be very hard to detect. Cyber actors can also make the data unavailable through encryption, rendering the device inoperable and impacting patient care. In some cases, this delay may cause patients to lose trust in the health care system or the delay may prolong diagnosis and treatment. In the worst-case scenario, cyber actors may be able to alter the delivery of therapy causing direct physical harm. Cyber is a way for the medical device to not function as expected or even at all. Cyber is just another failure mode. HTM staff are responsible for keeping medical devices available and functioning correctly. By getting involved in the management and maintenance of cyber controls and regularly performing these maintenance activities, HTM staff can help their organization mitigate the risk of cyber-attacks on medical devices and ensure the security and reliability of healthcare technology systems.
Phil Englert is the director of medical device security for Health-ISAC.
