Cybersecurity is now an omnipresent concern, with criminals finding ever-more-lucrative opportunities to breach organizations across a number of industries. Healthcare presents an especially pronounced risk-factor, and today, bad actors often target unsecured medical devices to gain access to an entire health system’s or hospital network’s data. Current FDA guidance places the onus on manufacturers to secure their devices; however, many of these devices are constructed on legacy operating systems, which no longer receive software patches. Absent regular security patches and with a diversity of users—from doctors to nurses to PAs—devices are uniquely at risk to be compromised by a bad actor.
Dangerous and worrisome for any business, hacking attempts targeting medical devices can have dire consequences. A successful breach can put lives at risk while imperiling a provider’s entire data infrastructure. Ransomware schemes are particularly successful in hospitals because medical facilities need to recapture control as quickly as possible to save the lives of their patients.
Small practice owners in particular often face pronounced risk because cyber criminals may see them as easier, more penetrable targets. Indeed, it’s a misnomer that smaller practices are somehow unknown to potential bad actors. We’ve found that bad actors are often size-agnostic, targeting whomever they can hack. With that in mind, healthcare devices are at-risk regardless of whether they’re in big hospitals or in small practices – and sometimes it’s the smaller providers that are most vulnerable.
With that in mind, there are three precautions healthcare providers must take to more effectively protect their medical devices from potential cyberattacks.
Taking Stock (…of your inventory)
Hospitals and healthcare providers utilize myriad devices to monitor, diagnose, and evaluate their patients. Devices are replaced when needed, upgraded when possible, and purchased when available. With such frequent changes, and due to the sheer number of devices providers utilize, they frequently lack a comprehensive register that includes all of them.
This is made more complicated by the fact that providers often maintain inventory in several physical locations, all of which utilize the same network.
If, because of these issues, a provider lacks a complete inventory, its devices are particularly vulnerable. In that case, a hacker need only access a single, unsecured device to gain control of the entire data infrastructure. And, without an inventory, a hospital may not even notice the breach.
It is therefore essential that hospitals take and maintain a complete and accurate inventory of all their devices. Doing so will help them better track and monitor their devices and thereby better secure them.
Healthcare providers, under the visage of efficiency, frequently aggregate their administrative and medical devices in one network. On the surface, doing so makes sense—both device archetypes require powerful networks, and using the same one for both is organizationally simpler. In smaller practices, it’s often more cost-efficient as well.
However, such a tactic may enable a simple phishing scam, targeted at a single employee working on the network, to bring the entire hospital to its knees.
For this reason, healthcare providers should utilize a hidden network exclusively for their medical devices. This accomplishes several goals. It:
• Makes the device network harder to find and access
• Insulates sensitive patient data
• Ensures that hacking efforts targeted at the administrative side do not interfere with device functionality
With a hidden network powering medical devices, and medical devices only, a network engineer can write specific rules to limit access to each of its composite segments, creating additional layers of security that protect the hospital and the patients it serves.
In the pre-ransomware era, hospitals were content with periodic cybersecurity audits during which they’d review their cyber risk, checking the all-important cybersecurity box. However, that orientation can no longer protect them from the lurking dangers.
Hospitals can now be hacked through devices as small as an insulin pump. As their risk profile dramatically increases, they require constant, vigilant system monitoring, during which a provider surveys their systems, patches their vulnerabilities, and secures their data.
With effective monitoring and regular threat-profile updates, hospitals can preempt a looming cyberattack instead of suffering at the hands of one.
Healthcare providers are, increasingly, cyber targets. The spate of recent ransomware demonstrates that they are facing heightened risk from hackers who grow more confident and powerful, and who see their disorganized and unprotected networks as an opportunity to score a significant payout.
Though it’s impossible to entirely eliminate cybersecurity risk, accurate inventory, hidden device networks, and regular monitoring are ways in which hospitals can meaningfully improve their protection, shield their devices, and, most importantly, secure their patients.
Ray Hillen is Managing Director of Cybersecurity at Agio, a hybrid managed IT and cybersecurity services provider.