Here's how to protect connected medical devices in the age of healthcare IoT.
- The healthcare industry is very vulnerable to cyberattack.
- The most common types of threats are ransomware, malware, data breaches, DDoS and cryptojacking.
- Patient care and safety, data loss, and damage to a healthcare provider's reputation are among the consequences of networks being attacked.
- To stop cyberattacks on medical devices, you need to monitor and segment devices, keep software updated, and implement a response plan to an attack.
The internet of things – the ever-growing network of connected devices used throughout the world today – is especially prominent in modern businesses. From manufacturers to retailers, companies everywhere are implementing connected devices to capture more data across more business processes.
In few industries is the growth of connected devices so rapid and widespread as it is in the healthcare industry. Today, the average hospital room contains 15 to 20 connected medical devices. In some hospitals, connected medical devices outnumber mobile devices, such as laptops and smartphones, 4 to 1. A large hospital could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device also opens the door to a malicious cyberattack.
"Lots of IoT devices, coupled with the free flow of patient data in the network, create massive internal blind spots about what's happening," said Chris Morales, head of security analytics at Vectra. "The biggest threat is in the network, where perimeter security is blind."
So, how can healthcare providers possibly leverage the benefits of connected devices while also protecting their networks – and the sensitive patient data stored on them – from would-be attackers?
Editor's note: Looking for an electronic medical records (EMR) system for your practice's data? Fill out the questionnaire below and our vendor partners will contact you about your needs.
Cybersecurity threats facing healthcare organizations
The healthcare industry is particularly vulnerable to cyberattacks. Hackers are well aware of the value of protected health information and are willing to deploy a variety of methods to compromise healthcare organizations' networks.
"From a threat perspective, healthcare is often seen as a large, soft target," said William Peteroy, security CTO at Gigamon. "There are increasing interdependencies between technology and providing quality care, which means that we're seeing more technology in healthcare than ever before, but we don't see a strong and consistent focus on information security to go along with that."
These are some of the most common attacks and threats facing healthcare organizations:
Ransomware attacks: One of the most common threats is ransomware. These threats compromise data and lock users out of their own system, demanding a ransom in return for restored access. If that ransom isn't paid in time, the data is typically deleted automatically. Ransomware represents a massive threat to healthcare organizations, which maintain a wide range of sensitive patient records and are subject to HIPAA compliance standards.
Malware: Malware is software designed to disrupt or damage a computer or device, as well as provide unauthorized access to the hackers who deployed it. Malware is another prevalent threat in the healthcare industry; in fact, 78% of healthcare providers reported being targeted by malware, ransomware or both in the past 12 months.
Data breaches: Data breaches occur anytime sensitive information is released to an unauthorized individual. In the case of healthcare organizations, data breaches often capture patient records that are subject to HIPAA regulations for protected health information.
DDoS attacks: A distributed denial-of-service attack occurs when a hacker leverages a large network of bots to flood an organization's servers with traffic, ultimately bringing down its system. In a hospital environment, a significant interruption of service from a DDoS attack could result in harm to patients or even loss of life.
- Cryptojacking: Cryptojacking is a new type of cybersecurity threat that leverages the processing power of a compromised device to mine cryptocurrency on behalf of the hacker. Cryptojacking can negatively impact the functionality of a compromised device and reduce its overall lifetime. In a healthcare environment, where many medical devices are used for patient care, cryptojacking could put patient safety at risk.
Defending against these threats and others requires a constantly evolving cybersecurity plan that includes visibility into all connected medical devices, proper network segmentation, and regular patches and updates to prevent vulnerabilities from being easily exploited. Otherwise, the consequences could be quite steep.
Consequences of cyberattacks
On average, cyberattacks against healthcare organizations cost $1.4 million in recovery alone, according to a report from Radware. Moreover, patient safety relies on the security of a hospital's network, making cybersecurity a larger consideration than just lost revenue and new expenses. Therefore, healthcare cybersecurity is especially critical.
"The healthcare industry houses some of the most personal and sensitive data one can imagine," said Stephen Cox, chief security architect at SecureAuth. "Having this data be stolen by attackers and leaked to the dark web can be an absolute catastrophe for phishing campaigns. Having a device taken offline due to an incident could delay a patient from receiving a vital treatment."
Without a sufficient cybersecurity plan and the software to back it up, healthcare organizations risk potentially irreparable consequences, including the following:
- Loss of patient data: In the healthcare industry, patient records are highly sensitive. When a hacker gains access to a healthcare provider's network, patient data is at risk. Loss of that data could have legal consequences, like penalties and lawsuits, and can result in the violation of patient privacy.
- Damage to organizational reputation: Cyberattacks, especially those against large companies, tend to be high-profile affairs. When a healthcare organization suffers a cyberattack, the brand reputation is at risk. Patients everywhere will doubt whether their data is secure or their care is in good hands if the healthcare organization can't even protect its own network. Damage to brand reputation could have untold indirect costs for a long time.
- Impact to patient care and safety: Many connected medical devices play an instrumental role in care. For example, modern infusion pumps are often connected to a network. Certain cyberattacks could alter the way those pumps function, jeopardizing a patient's life. Cyberattacks could actually prove fatal, making healthcare cybersecurity more than just a business consideration.
Healthcare cybersecurity best practices for connected medical devices
Despite the cybersecurity threats associated with connected medical devices, medical IoT is an essential part of modern healthcare. Deploying, monitoring and updating connected medical devices in accordance with a wider cybersecurity plan is key to ensuring you can reap the benefits of connected medical devices without opening yourself up to unnecessary risks.
1. Identify and monitor all connected medical devices.
Every single connected medical device should be monitored in real time, allowing security teams to constantly probe for vulnerabilities or anomalous behavior that could signal the device has been compromised. In an environment with hundreds or thousands of connected devices, employing some type of intelligent cybersecurity solution is the only way to effectively manage the network.
"Tracking devices for visibility manually is indeed difficult, especially with a small security team," Morales said. "When you factor in the time it takes a lean security team to discover a data breach that comprises unknown connected devices, it is apparent the security team needs some level of augmentation of capabilities through intelligent technology."
2. Segment connected medical devices.
Properly segmenting connected medical devices based on vulnerability and risk profile can reduce hackers' penetration into your network in the event a cyberattack does occur.
"Hospitals can mitigate risks by creating an isolated network for connected devices, which is simple and can be done with VLANs and firewall technology that's been around for decades," Peteroy said.
3. Ensure software is regularly updated.
Regular software updates are critical to warding off what would otherwise be easily thwarted cyberattacks. The high-profile WannaCry ransomware attack, which affected large companies all over the world, exploited a vulnerability that was patched in a Windows update released months prior. As a result, the only organizations that were affected by WannaCry were those that had failed to update their software. Every connected medical device should be subject to regular software patching and firmware updates, prioritized by individual risk profile. This makes the device less ripe for exploitation.
4. Establish a cybersecurity framework and incident response plan.
Finally, while software solutions and regular updates are a great way to reduce the chances of a cyberattack, a smart security team knows it is a matter of time before their defenses are probed by a malicious actor. It's crucial for a comprehensive cybersecurity plan to include an incident response procedure that can be deployed at a moment's notice and includes all the major stakeholders across all departments within the organization.
Hospitals are vulnerable targets because of the value of their information and the sheer scale of their networks. However, leveraging connected medical devices and the many benefits they offer doesn't mean hospitals must fall victim to hackers and their cyberattacks. By implementing an intelligent cybersecurity solution that can identify and monitor all connected devices in real time, properly segmenting those devices, running regular software updates, and preparing a comprehensive incident response plan, security teams can be as prepared as possible to face ever-evolving cybersecurity threats.