When medical devices became connected, the industry took on a new set of risks. Innovation in this era of connected devices has delivered many benefits to patients and providers. Unfortunately, it’s not all good news: cybersecurity threats to medical devices keep growing, and stakeholders are rightly concerned.
There are both emerging and known threats. As a result, medical device cybersecurity must be flexible, adaptable, and proactive. To do this, you need to know what you’re up against, how to defend against attacks, and how to address the vulnerabilities you already have.
Let’s review the history of cyber threats for medical devices and the new challenges on the horizon.
The History of Connected Medical Devices
Medical devices have been part of the healthcare technology realm for decades. Initially, the software or firmware lived entirely on the device itself. As software evolved, device functions moved into applications installed on a separate computer plugged into the device.
Everything changed with the internet, which made it practical to connect these devices to health system networks. The subsequent iterations brought cloud computing, AI, and the Internet of Things (IoT).
These connected devices help patients with many health issues, from pacemakers to drug infusion devices to blood glucose monitoring devices. With these advancements, patients can better manage chronic diseases, and clinicians have more tools available. Both consumers and their physicians realize the value of connected medical devices. They also recognize the risk because, in today’s world, you don’t need to be a cybersecurity professional to know that hacks and breaches happen all the time.
So, what are the biggest threats to the security of medical devices? Many of them are the same threats that affect other IoT and mobile devices.
Medical Device Cybersecurity Threats: What We Know
In looking at the threat landscape for anything, there are things we know and things that are coming into the picture. We’ll start with the risks and vulnerabilities that are already a priority.
Health IoT Devices: Upgrades, Legacy Systems, and More Strain on IT
Many health IoT devices were designed to tight hardware constraints. As a result, they often cannot run newer operating systems, and they may lack the storage to hold a patched application once an upgrade increases the application’s footprint.
It continues to be an issue because manufacturers aren’t willing to invest in developing and testing patches or security fixes. These long-term costs were absent from their initial business models. Instead, they’d rather users purchase a new device with better security. The current device works fine for the patient but is inherently less secure.
That means hospital cybersecurity teams have to consider sunsetting devices early, which could cost millions of dollars. The alternatives are to patch the devices themselves, which is rarely feasible, or to put compensating security controls around them. Either way, it’s another “legacy” system they must take ownership of, on top of the many others within their health system. It adds strain to teams that have historically been understaffed and overwhelmed.
Lack of Standardization
Even though the FDA (Food and Drug Administration) oversees medical device approval, there is no standardization of specifications or security across devices. Hospital IT professionals deal with devices of widely varying designs, which makes them hard to manage, patch, update, analyze, and secure. In addition, every device is another entry point to protect, and they have become a favorite way for attackers to gain a foothold on a network.
Connected Medical Devices Offer Cybercriminals a New Way In
Health systems and hospitals have always been lucrative targets for attackers. According to one study, attacks on the industry doubled from 2016 to 2021, and 44.4% of those incidents disrupted the delivery of care. Medical devices feed directly into these numbers, because they offer cybercriminals another avenue into a network.
Large organizations can have tens of thousands of these devices on their networks. In fact, a single hospital room can contain as many as 20 per patient. That number will only grow, and so will the risk. As noted above, many of these devices never receive patches or fixes for known vulnerabilities. They can be a much easier way to infiltrate a network and access PHI (protected health information) or launch a ransomware attack. They are often the weakest link in an already hard-to-navigate cyber ecosystem.
However, manufacturers must now meet new requirements for devices submitted to the FDA from 2023 onward. New products must be built to higher security standards and protect patient data, under provisions first proposed in the 2022 PATCH Act and enacted as part of the Consolidated Appropriations Act, 2023. Manufacturers are also responsible for continuously monitoring and assessing their systems for vulnerabilities, releasing patches when they discover them, and providing a Software Bill of Materials (SBOM) to providers.
Secure by design will become the norm, but legacy systems will still have the same issues. The legislation improves future devices, although the window between identifying a vulnerability and deploying its patch remains exploitable. A patch must be tested before rollout to confirm it works and does not break the device, and that can take a lot of time. Another patching concern is that most devices run 24/7, and applying a patch often means taking the device offline.
So the onus falls back on the healthcare organization, which needs security strategies beyond what the manufacturer provides. That may mean segmenting at-risk devices, which in turn requires a complete inventory of how each device connects, which protocols it uses, and which systems it legitimately needs to talk to.
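The inventory and segmentation steps described above can be made concrete. The following is an added example, not code from the original article: it triages a constructed device inventory into legacy, stale, and current groups, then derives a default-deny allowlist for each device that permits only the clinical protocol it needs to its one known peer. The device records, IP addresses, zone layout, and rule text format are constructed assumptions; the port numbers are the standard ones for DICOM (TCP 104) and HL7 over MLLP (TCP 2575).

```python
"""Triage a connected-device inventory and derive per-device network allowlists.

Added example for illustration, not the article's or any vendor's code.
The devices, addresses, and rule format below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Standard ports for the clinical protocols used in the sample inventory.
PROTOCOL_PORTS = {
    "DICOM": ("tcp", 104),
    "HL7-MLLP": ("tcp", 2575),
    "HTTPS": ("tcp", 443),
}


@dataclass
class Device:
    name: str
    ip: str
    os: str
    vendor_supported: bool        # vendor still ships security patches
    last_patch: Optional[date]    # None = never patched
    protocols: List[str]          # clinical protocols the device must speak
    peers: Dict[str, str]         # protocol -> IP of the only legitimate peer


def risk_level(dev: Device, today: date, stale_days: int = 365) -> str:
    """'legacy' if no vendor support, 'stale' if patches lag, else 'current'."""
    if not dev.vendor_supported:
        return "legacy"
    if dev.last_patch is None or (today - dev.last_patch).days > stale_days:
        return "stale"
    return "current"


def allowlist_rules(dev: Device) -> List[str]:
    """Default-deny: allow each required protocol to its known peer, then drop the rest."""
    rules = []
    for proto in dev.protocols:
        if proto not in PROTOCOL_PORTS:
            # An unmapped protocol means the inventory is incomplete; refuse to guess.
            raise ValueError(f"{dev.name}: unknown protocol {proto}; map it before segmenting")
        peer = dev.peers.get(proto)
        if peer is None:
            raise ValueError(f"{dev.name}: no peer recorded for {proto}")
        transport, port = PROTOCOL_PORTS[proto]
        rules.append(f"allow {transport} {dev.ip} -> {peer}:{port}  # {proto}")
    rules.append(f"deny any {dev.ip} -> any")
    return rules


def triage(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Group device names by risk level so legacy and stale devices are isolated first."""
    groups: Dict[str, List[str]] = {"legacy": [], "stale": [], "current": []}
    for d in devices:
        groups[risk_level(d, today)].append(d.name)
    return groups


# Constructed sample inventory (not real devices or addresses).
INVENTORY = [
    Device("infusion-pump-07", "10.20.1.17", "Windows Embedded 7", False, date(2019, 5, 2),
           ["HL7-MLLP"], {"HL7-MLLP": "10.20.0.5"}),
    Device("ct-scanner-02", "10.20.2.30", "Windows 10 LTSC", True, date(2022, 11, 14),
           ["DICOM", "HTTPS"], {"DICOM": "10.20.0.9", "HTTPS": "10.20.0.12"}),
    Device("glucose-gateway-01", "10.20.3.8", "Linux", True, date(2024, 3, 1),
           ["HTTPS"], {"HTTPS": "10.20.0.12"}),
]

if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(triage(INVENTORY, today))
    for d in INVENTORY:
        print("\n".join(allowlist_rules(d)))
```

The point of the default-deny rule at the end of each list is that an unpatchable device stays reachable only by the one system it must talk to, so a compromised pump cannot be used to reach file servers or the EHR. Raising an error on an unmapped protocol is deliberate: segmenting a device whose traffic you do not understand is how you break clinical workflows.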
Identity and Access Management Needs to Be More Rigorous
The FBI, in its 2022 notification on medical device cybersecurity, called out identity and access management (IAM) as a risk. At a minimum, you should always change default passwords, enforce a password policy, and limit the number of failed login attempts per user. Those controls are essential, but healthcare has unique IAM considerations.
The perimeter of a hospital network is now very blurred, with more connected devices implanted into patients. There’s more to security than just the four walls of the facilities. Access to these devices happens within the hospital and outside and by different users—doctors, patients, IT, etc. As a result, there are a lot of considerations for cybersecurity leaders and how they leverage IAM. It can be a vital part of protection against unauthorized access if you can scale, monitor, and continuously improve it.
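The three baseline controls named above (no default passwords, a password policy, a cap on failed logins) are simple to state but easy to get subtly wrong. The following is an added example, not code from the original article: a small login gate for a device management interface that refuses factory-default credentials, hashes stored passwords, and locks an account after a burst of failures within a sliding window, while letting old failures age out so a legitimate clinician who mistyped twice last week is not punished today. The thresholds, the default-credential list, and the in-memory credential store are constructed assumptions.

```python
"""Per-account login throttling and default-credential rejection.

Added example for illustration, not the article's or any vendor's code.
Thresholds, the default-credential list, and the credential store are assumptions.
"""
import hashlib
import hmac
import os
import time
from collections import deque

MAX_ATTEMPTS = 5        # failed attempts allowed per account ...
WINDOW_SECONDS = 300    # ... within this sliding window
LOCKOUT_SECONDS = 900   # lockout duration once the limit is hit

# Constructed examples of factory-default credentials that must never be accepted.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("service", "1234"), ("biomed", "biomed")}
_DUMMY_SALT = b"\x00" * 16


def is_default_credential(username: str, password: str) -> bool:
    return (username, password) in DEFAULT_CREDENTIALS


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class FakeClock:
    """Controllable clock so the window and lockout logic can be exercised offline."""
    def __init__(self, start: float):
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginGate:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}         # username -> (salt, pbkdf2 hash)
        self.failures = {}      # username -> deque of failure timestamps
        self.locked_until = {}  # username -> monotonic time the lockout ends

    def set_password(self, username: str, password: str) -> None:
        if is_default_credential(username, password):
            raise ValueError("factory default credentials are not permitted")
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def _recent_failures(self, username: str, now: float) -> deque:
        """Drop failures older than the window so the count reflects recent activity only."""
        q = self.failures.setdefault(username, deque())
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'locked'. Unknown users look exactly like wrong passwords."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        q = self._recent_failures(username, now)
        record = self.users.get(username)
        if record is None:
            hash_password(password, _DUMMY_SALT)   # same work as a real check, no timing hint
        else:
            salt, stored = record
            if hmac.compare_digest(hash_password(password, salt), stored):
                q.clear()
                return "ok"
        q.append(now)
        if len(q) >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            q.clear()
            return "locked"
        return "denied"


if __name__ == "__main__":
    gate = LoginGate(FakeClock(1000.0))
    gate.set_password("biomed", "correct horse battery staple")
    print([gate.login("biomed", "wrong") for _ in range(5)])   # four 'denied', then 'locked'
```

Two details matter in practice: the failure counter is keyed by account, not by source IP, because access to these devices comes from many places (the ward, remote support, the patient’s home), so an attacker rotating addresses still hits the cap; and a successful login clears the counter only for that account, so one careful user cannot reset another’s lockout.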
That’s a review of what we know and what’s a current priority. So, what’s on the horizon?
Medical Device Cybersecurity Threats: What’s Coming
In looking at the next generation of medical devices, we know they’ll be more secure by design. That doesn’t fix everything. The emerging threats build on the current landscape and on more advanced technology.
Connected Medical Devices and AI
Adding AI as part of medical devices has its benefits. When devices are “smarter” and able to learn from models, they can be a proactive tool for care delivery. AI in this realm of healthcare is advancing just as much as it is elsewhere. The FDA authorized 91 AI-enabled devices in 2022.
With opportunity, however, there is also risk. Adding AI to the mix increases the cybersecurity risk. How do you secure these devices, and what are the complications? The technology itself is the complication: the same class of AI techniques that improves a device’s performance can also be turned against it. A study demonstrated this real possibility, showing how an attacker could use AI to manipulate CT and MRI images.
A cybercriminal doesn’t need much to do this, just an emulator and some code. Combating these attempts requires additional access control layers, anomaly detection tools, and other security practices.
Supply Chain Security Concerns
Supply chain security is another emerging threat. Many data breaches are the result of a compromised third-party vendor, and that threat has direct implications for medical devices. We already know that bugs and vulnerabilities are a big issue for the software provided by manufacturers. Devices also ship with third-party components and companion software, which widens the attack surface. Healthcare IT teams have to add this to their long list of threats to monitor, knowing that the software is only as secure as the updates and patches delivered for it.
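The SBOM that manufacturers must now provide (see the FDA requirements above) is the tool a provider uses to act on this supply chain risk. The following is an added example, not code from the original article, and it serves both the SBOM passage above and this one: it parses a minimal CycloneDX-style SBOM, checks each component’s version against an advisory feed using version ranges, and separately flags components whose version is missing, since an unversioned entry cannot be assessed at all. The SBOM contents, component names, and advisory identifiers are constructed placeholders, not real products or real CVEs; a real check would read the vendor’s CycloneDX or SPDX file and a feed such as the NVD.

```python
"""Check a device's SBOM against a vulnerability feed.

Added example for illustration, not the article's or any vendor's code.
The SBOM, component names, and advisory ids are constructed placeholders.
"""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM (minimal subset of the real format).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-infusion-controller", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "example-rtos", "version": "2.1.4"},
    {"type": "library", "name": "example-tls", "version": "1.0.9"},
    {"type": "library", "name": "example-hl7-parser", "version": "0.8.2"},
    {"type": "library", "name": "example-logger"}
  ]
}
"""

# Constructed advisory feed: component -> [(first_vulnerable, first_fixed, advisory id)].
# The ids are placeholders, not real CVE numbers.
ADVISORIES: Dict[str, List[Tuple[str, str, str]]] = {
    "example-tls":        [("1.0.0", "1.1.0", "EXAMPLE-ADV-001")],
    "example-hl7-parser": [("0.0.0", "0.9.0", "EXAMPLE-ADV-002")],
    "example-rtos":       [("2.2.0", "2.2.3", "EXAMPLE-ADV-003")],  # 2.1.4 is outside this range
}


def parse_version(v: str) -> tuple:
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version: str, first_vulnerable: str, first_fixed: str) -> bool:
    """True when first_vulnerable <= version < first_fixed."""
    v = parse_version(version)
    return parse_version(first_vulnerable) <= v < parse_version(first_fixed)


def check_sbom(sbom_json: str, advisories: Dict[str, List[Tuple[str, str, str]]]) -> dict:
    """Return affected components (with the fixing version) and components that cannot be assessed."""
    sbom = json.loads(sbom_json)
    affected, unversioned = [], []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not version:
            unversioned.append(name)   # ask the vendor for a complete SBOM
            continue
        for first_vuln, first_fixed, adv in advisories.get(name, []):
            if is_affected(version, first_vuln, first_fixed):
                affected.append({"component": name, "version": version,
                                 "advisory": adv, "fixed_in": first_fixed})
    return {"affected": affected, "unversioned": unversioned}


if __name__ == "__main__":
    print(json.dumps(check_sbom(SBOM_JSON, ADVISORIES), indent=2))
```

The "fixed_in" field is what you take back to the manufacturer: it turns "is this device vulnerable?" into "when will the device ship with example-tls 1.1.0 or later?", which is the conversation the new patching obligations are meant to enable. Unversioned components are reported separately rather than ignored, because an SBOM that omits versions gives you no assurance at all.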
With existing and emerging threats, you’ll need a robust plan for medical device cybersecurity.
Making a Plan for Medical Device Cybersecurity
Your organization can’t control medical device manufacturers, but you’ll get some relief with the new rules. There’s still a lot to mitigate. To do this, you’ll need a plan that includes:
- Performing risk assessments for all connected devices
- Creating a system for patching and updating
- Monitoring endpoints
- Engaging hospital staff and patients with security education to prevent human error
- Developing contingency plans if an attack occurs that compromises the devices
- Conducting penetration tests with ethical hackers
- Implementing mitigation strategies for findings from assessments and pen tests
Medical device cybersecurity threats are a unique element of healthcare. Having a separate policy and strategy for this is necessary, but you can engage experts to help. We offer medical device penetration tests and assessments to ease the burden. Get in touch with our team today to schedule a discovery session.