Here's how to protect against cyberattacks on medical devices in the age of healthcare IoT.
- The healthcare industry is vulnerable to cyberattacks, including ransomware, malware, data breaches, DDoS and cryptojacking.
- Patient care and safety, data loss, and damage to a healthcare provider's reputation are among the consequences of networks being breached.
- To stop cyberattacks on medical devices, you need to monitor and segment devices, keep software updated, and implement a response plan to an attack.
- This article is for medical practices, hospitals, and other healthcare organizations interested in better protecting patient data and their networks by securing connected medical devices.
The internet of things – the ever-growing network of connected devices used throughout the world today – is especially prominent in modern businesses. From manufacturers to retailers, companies everywhere are implementing connected devices to capture more data across more business processes, and medical practices are no different.
In few industries is the growth of connected devices so rapid and widespread as it is in the healthcare industry. Today, the average hospital room contains 15 to 20 connected medical devices. In some hospitals, connected medical devices outnumber mobile devices, such as laptops and smartphones, 4 to 1. A large hospital could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device can also open the door to a malicious cyberattack.
"Lots of IoT devices, coupled with the free flow of patient data in the network, create massive internal blind spots about what's happening," said Chris Morales, head of security analytics at Vectra. "The biggest threat is in the network, where perimeter security is blind."
5 reasons the healthcare industry is a target for cyberattacks in 2021
Healthcare organizations are a prominent target of hackers for several reasons. Here are the five biggest ones.
1. Patient data is valuable.
Healthcare organizations create, receive, maintain and transmit vast amounts of confidential patient data, making their networks and connected devices prime targets for cyberattacks. While the average cost of a data breach in 2020 was $3.86 million across all global industries, healthcare has the highest industry-average cost of $7.13 million, according to IBM Security's annual report.
Healthcare providers can greatly mitigate their risks of breaches, ransomware, and costly noncompliance fines from HIPAA and the European Union's General Data Protection Regulation by investing in security orchestration, automation, and response (SOAR) – a system designed to increase detection rates and reduce the response and containment time.
2. Medical devices are easy to hack.
The vast number of connected medical devices of varying specifications and from different manufacturers makes security upkeep especially challenging for healthcare IT professionals. While medical devices don't always store significant amounts of patient data, they can be vulnerable entry points for attackers to access data-rich servers. Keeping these entry points updated and secure must remain a priority for the healthcare industry to reduce the costs and damage of unauthorized access.
3. Healthcare staff are not adequately educated on data security risks.
Cyberattacks on medical devices can be dangerous, even life-threatening. A hospital in Germany suffered a ransomware attack in September 2020, stopping the intake of new patients and forcing reroutes for emergency patients. One patient died while the hospital struggled to restore services. With access to connected devices and networks storing sensitive patient data, everyone working in your healthcare organization is a member of your security team. That's why it's critical for you and your staff to embrace a zero-trust security model to prevent unauthorized access to confidential data.
4. Patient data is shared remotely with numerous healthcare providers.
The emergence of telemedicine and collaboration between medical providers greatly increases the patient's chance to receive the best care possible. Protecting patient data in a remote environment is increasingly challenging, however. Many organizations are implementing multifactor and risk-based authentication methods to identify and grant access to authorized individuals across devices and locations. IT administrators can establish increasing stringency on the authentication process based on unusual activity.
5. Smaller healthcare organizations are easier targets.
Large healthcare organizations store the most patient data, making them the most valuable targets for malicious threats. However, hackers know smaller businesses have fewer resources to dedicate to cybersecurity, making them much easier targets. If your practice is a small healthcare provider, with limited resources at your disposal, you should focus your cybersecurity efforts on governance, risk management and compliance programs. You can protect your patients' data in cloud environments, greatly minimizing the complexity of IT and security your busines is responsible for, as cloud software providers often handle the upgrades and security maintenance of the system. This includes endpoint management as well as identity and access management to monitor and protect medical devices and ensure secure remote access.
Healthcare organizations are especially valuable targets for hackers, who know that smaller practices tend to be the most vulnerable.
Editor's note: Looking for an electronic medical records (EMR) system for your practice's data? Fill out the questionnaire below and our vendor partners will contact you about your needs.
Cybersecurity threats facing healthcare organizations
As you can see, the healthcare industry is particularly vulnerable to cyberattacks. Hackers are well aware of the value of protected health information and willing to deploy various attack methods to compromise healthcare organizations' networks.
"From a threat perspective, healthcare is often seen as a large, soft target," said William Peteroy, security CTO at Gigamon. "There are increasing interdependencies between technology and providing quality care, which means that we're seeing more technology in healthcare than ever before, but we don't see a strong and consistent focus on information security to go along with that."
These are some of the most common attacks and threats facing healthcare organizations:
Ransomware attacks: One of the most common threats is ransomware. These threats compromise data and lock users out of their own system, demanding a ransom in return for restored access. If that ransom isn't paid in time, the data is typically deleted automatically. Ransomware is a massive threat to healthcare organizations, which maintain a wide range of sensitive patient records and are subject to HIPAA compliance standards.
Malware: Malware is software designed to disrupt or damage a computer or device, and provide unauthorized access to the hackers who deployed it. Malware is another prevalent threat in the healthcare industry; in a survey conducted by HIMSS Analytics, 78% of healthcare providers reported being targeted by malware, ransomware or both in the past 12 months.
Data breaches: Data breaches occur anytime sensitive information is released to an unauthorized individual. In the case of healthcare organizations, data breaches often capture patient records that are subject to HIPAA regulations for protected health information.
DDoS attacks: A distributed denial-of-service attack is when a hacker leverages a large network of bots to flood an organization's servers with traffic, ultimately bringing down its system. In a hospital environment, a significant interruption of service from a DDoS attack could result in harm to patients or even loss of life.
- Cryptojacking: Cryptojacking is a new type of cybersecurity threat that leverages the processing power of a compromised device to mine cryptocurrency on the hacker's behalf. Cryptojacking can negatively impact the functionality of a compromised device and reduce its overall lifetime. In a healthcare environment, where many medical devices are used for patient care, cryptojacking could put patient safety at risk.
Defending against these threats and others requires a constantly evolving cybersecurity plan that includes visibility into all connected medical devices, proper network segmentation, and regular patches and updates to prevent exploitation of vulnerabilities. Otherwise, the consequences could be quite steep.
Hospitals and other medical practices must contend with various cyberthreats, such as data breaches, ransomware, malware and cryptojacking.
Consequences of cyberattacks
Cyberattacks can cost healthcare organizations more than $1 million in the recovery process, according to the IBM Security report. Moreover, patient safety relies on the security of a hospital's network, making cybersecurity a larger consideration than just lost revenue and new expenses for a medical practice.
"The healthcare industry houses some of the most personal and sensitive data one can imagine," said Stephen Cox, former vice president and chief security architect of SecureAuth. "Having this data be stolen by attackers and leaked to the dark web can be an absolute catastrophe for phishing campaigns. Having a device taken offline due to an incident could delay a patient from receiving a vital treatment."
Without a sufficient cybersecurity plan and the software to back it up, healthcare organizations risk potentially irreparable consequences, including the following:
Loss of patient data: Patients' health records are highly sensitive. When a hacker gains access to a healthcare provider's network, patient data is at risk. Loss of that data could have legal consequences, like penalties and lawsuits, and can result in the violation of patient privacy.
Damage to organizational reputation: Cyberattacks, especially those against large companies, tend to be high-profile affairs. When a healthcare organization suffers a cyberattack, its brand reputation is at risk. Patients everywhere will doubt whether their data is secure or their care is in good hands if a medical practice can't even protect its own network. Damage to your brand reputation could have untold indirect costs for a long time.
- Impact to patient care and safety: Many connected medical devices play an instrumental role in care. For example, modern infusion pumps are often connected to a network. Certain cyberattacks could alter the way those pumps function, jeopardizing a patient's life.
Cyberattacks are especially costly to healthcare organizations and, even more importantly, can put patients' health and safety at risk.
Healthcare cybersecurity best practices for connected medical devices
Despite the cybersecurity threats associated with connected medical devices, medical IoT is an essential part of modern healthcare. Deploying, monitoring, and updating your practice's connected medical devices in accordance with your wider cybersecurity plan is key to reap the benefits without opening up your practice to unnecessary risks.
1. Identify and monitor all connected medical devices.
Every single connected medical device your practice uses should be monitored in real time, allowing your security team to constantly probe for vulnerabilities or anomalous behavior that could signal the device has been compromised. In an environment with hundreds or thousands of connected devices, employing some type of intelligent cybersecurity solution is the only way to effectively manage the network.
"Tracking devices for visibility manually is indeed difficult, especially with a small security team," Morales said. "When you factor in the time it takes a lean security team to discover a data breach that comprises unknown connected devices, it is apparent the security team needs some level of augmentation of capabilities through intelligent technology."
2. Segment connected medical devices.
Properly segmenting connected medical devices based on their vulnerability and risk profile can reduce hackers' penetration of your network if a cyberattack does occur.
"Hospitals can mitigate risks by creating an isolated network for connected devices, which is simple and can be done with VLANs and firewall technology that's been around for decades," Peteroy said.
3. Ensure software is regularly updated.
Regular software updates are critical to ward off cyberattacks. The high-profile WannaCry ransomware attack, which affected large companies all over the world, exploited a vulnerability that was patched in a Windows update released months prior. As a result, the only organizations affected by WannaCry were those that had failed to update their software. Every connected medical device should be subject to regular software patching and firmware updates, prioritized by individual risk profile. This makes each device less ripe for exploitation.
4. Establish a cybersecurity framework and incident response plan.
While software solutions and regular updates are great ways to reduce the chances of a cyberattack, a smart security team knows it is a matter of time before their defenses are probed by a malicious actor. A comprehensive cybersecurity plan includes an incident response procedure that can be deployed at a moment's notice and involves the major stakeholders across all departments within the organization.
Hospitals and medical practices are vulnerable targets because of the value of their information and the sheer scale of their networks. However, leveraging connected medical devices and the many benefits they offer doesn't mean your practice must fall victim to hackers and cyberattacks. By implementing an intelligent cybersecurity solution that can identify and monitor all connected devices in real time, properly segmenting those devices' risk levels, regularly updating your software, and developing a comprehensive incident response plan, you and your security team will be as prepared as possible to face these ever-evolving cybersecurity threats.
You must secure, monitor, segment, and regularly update all your connected medical devices to prevent unauthorized access to your network and sensitive patient data.
Jeff Hale contributed to the writing and reporting in this article. Some source interviews were conducted for a previous version of this article.