[BreachExchange] Protecting Medical Device Security in the Age of Ransomware

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 26 19:06:08 EDT 2018


https://hitconsultant.net/2018/06/25/medical-device-ransomeware/

From medication pumps to pacemakers, people depend on lifesaving devices to
live their healthiest possible lives and manage chronic ailments. Many of
those patients likely hear about cybercriminals orchestrating massive data
breaches, and might get concerned about one of those incidents compromising
their information.

However, they probably haven’t considered that hackers might target the
devices in their bodies or the ones they otherwise use for better
well-being.

Hospitals Must Pay Attention to Device Monitoring and Security Strategies

Today’s healthcare facilities are becoming increasingly connected.
Statistics indicate that for every bed in a United States-based hospital,
there is an average of 10 to 15 connected devices. Although those aren’t
usually inside patients’ bodies, they continually collect sensitive
information and transmit it to staff members.

It’s critical for hospital management teams to weigh the clinical benefits
against the possible risks of using those devices. Then, they must devise
and implement methods to monitor those devices and keep them secured.

Device Testing Is Essential

A 2017 study by the Ponemon Institute found most health organizations and
device manufacturers polled believed a device they used or manufactured
would be attacked within the next year. However, 53 percent of healthcare
facilities and 43 percent of manufacturers do not carry out any tests on
these devices.

Regular and methodical testing of medical devices helps people spot issues
before they become significant problems. Having a proactive attitude about
tests could help prevent product recalls or patient complications.

Experts in the field of healthcare device security found most hospitals
could not tell when simulated attacks occurred on medical pumps.

Health facilities must not merely trust that the devices they use for
patients are safe and uncompromised. Ongoing testing gives them the
evidence needed to feel confident for a good reason, instead of making
assumptions based on implicit trust.

Hospitals Could Show Preference to Cybersecurity-Minded Manufacturers

The Food and Drug Administration issued content calling upon
manufacturers to consider cybersecurity threats when designing medical
devices. That’s a step in the right direction, but it’s important to
realize the FDA material consists only of guidelines.

That means manufacturers have no legal obligation to implement them. Some
analysts say the guidelines may at least give device makers a framework.
However, only 51 percent of device makers abide by the FDA guidelines.

When choosing which manufacturers to work with when taking care of supply
needs or experimenting with new devices, hospital administrators can show
an intention to purchase medical devices responsibly by explicitly asking
manufacturing representatives whether they are committed to cybersecurity.
People at a healthcare organization responsible for medical device
purchases show preferences in other ways, such as by insisting on
electroplated or gold-plated items that offer advantages such as corrosion
resistance and electrical conductivity.

If they also begin making it clear they only want to enter into supply
contracts with manufacturers that prioritize cybersecurity, that decision
could have a ripple effect that sets a good example.

Critical Thinking and Updated Knowledge Are Critical Cybersecurity Aspects

The likelihood of medical devices being affected by ransomware or other
attacks doesn’t seem to be on the radar of many healthcare professionals.
However, researchers who conducted extensive research in the United States
and India about what could happen if medical devices get compromised
reached sobering conclusions.

For example, they say a hacker could infiltrate a medical device that
dispenses medication inside a patient and make it give a fatal dosage. In
other cases, a hacked device could provide physicians with the wrong
information, such as by directing them to use an AED on a patient with a
normal heart rhythm.

Forward-thinking health practitioners who work with medical devices should
take it upon themselves to think outside the box when pondering potential
cybersecurity risks with the equipment. It’s also useful for them to
consciously look for current news about cybersecurity threats in the health
sector and remain aware of them.

Traditional Cybersecurity Approaches Are Not Sufficient

Internet-connected devices at hospitals around the world require a
dedicated and unique approach to cybersecurity. In other words, the IT
professionals working at those facilities cannot necessarily use the same
general strategies for securing those devices as they do when locking down
their networks.

Unfortunately, though, many are doing just that. Statistics published in a
2017 survey by ZingBox revealed more than 70 percent of IT decision-makers
in healthcare who responded believed they could use traditional security
strategies to secure connected medical devices.

Granted, there are substantial challenges to keeping some medical devices
locked down, but they are not impossible to tackle. Taking medical device
security seriously means understanding what’s required to achieve that
goal. One obstacle to overcome is the fact that the area of medical device
security is still emerging, and there is not always a consensus for how to
address it.

Machine learning platforms that use automation to spot security issues are
available, but they haven’t become widespread in the health field yet.

Better Security for Medical Devices Is a Collective Effort

Besides remaining aware of these tips, healthcare professionals must
realize improving security of medical devices is everyone’s responsibility
— not something hospitals or manufacturers must deal with alone.