With the Cybersecurity world focused on Phishing, attacks to Critical Infrastructure, and Ransomware, there is one area that is just as vulnerable, perhaps more: the medical devices implanted in, or connected to, patients. This area of Cybersecurity risk is just now starting to receive serious attention.
Why are medical devices so vulnerable?
It is fair to say that many Americans have experienced a serious medical setback or diagnosis which has required hospitalization. This, of course, has been greatly exacerbated by the COVID-19 pandemic. Many patients, while in the hospital and after they are discharged, are hooked up to some sort of machine or have a medical device implanted in them. Typical examples of this include insulin pumps, kidney dialysis machines, and cardiac pacemakers.
It is not the devices themselves that are unsafe. Rather, given the recent advancements in medical technology, it is the connections from these devices to an external environment that creates risk. This has been fueled primarily by the boom of the Internet of Things (IoT), where the objects that we interact with daily, both in the physical and virtual worlds, are interconnected.
It is these myriad interconnections which pose a Cybersecurity risk. When everything is interconnected in this way, the attack surface available to the Cyberattacker is greatly expanded: many more entry points become open for Cyberattackers to penetrate and then move laterally in a covert fashion. Worse yet, many of the interconnections just described are not secured, and are not even encrypted.
All information and data that is transmitted from a patient to his or her healthcare provider (and vice versa) is sent in what is known as “cleartext” format. This means that if this sensitive data is intercepted, it can very easily be read by the Cyberattacker, especially when it comes to the username/password combination and any form of verification-based credentials.
A recent survey conducted by Fierce Healthcare has further substantiated this risk. This is what their research found:
- 80% of all healthcare organizations have experienced some sort of IoT-related Cyberattack.
- 30% of these attacks involved medical devices.
- There are an astonishing 10-15 million medical devices in the United States alone.
- There is an average of 10-15 medical devices connected to each hospital bed (thus making them an extremely easy Cyber-based target).
- 42% of respondents blame the IoT for the Cyberattacks on medical devices.
- 50% of respondents blamed the unpatched and outdated Network Infrastructure of their respective healthcare organization for the Cyberattacks on the medical devices.
- A shocking 82% of IoT vendors have strong concerns about the level of security that is deployed into their medical devices.
- An overwhelming 70% of healthcare organizations are using an unsupported version of the Windows OS, such as Windows 7, Windows 2008 and Windows Mobile.
The Solution: the Health IT Joint Security Plan Framework
In the world of Cybersecurity, many frameworks have been established to provide entities with guidance regarding the implementation of controls. The healthcare industry is no exception; it is guided by the Health Insurance Portability and Accountability Act (HIPAA).
But as it relates to medical devices, one devoted framework was recently created: the Health IT Joint Security Plan, or the “JSP” for short. It was formulated by the Healthcare Industry Cybersecurity Task Force, which has its roots in the Department of Health and Human Services. The theoretical constructs of the JSP framework lie in the Cybersecurity Information Sharing Act of 2015.
The JSP encompasses:
- The Cybersecurity responsibilities of the vendors that create and manufacture medical devices.
- The establishment of specific Risk Assessment Methodologies.
- How vulnerabilities are to be reported to regulatory agencies.
- How the lines of communications from the medical device manufacturers to the healthcare providers (and vice versa) can be further improved.
The entire development and usage lifecycle of medical devices is also covered, including the following:
- The incorporation of best practices and standards in the inception of newer and upgraded medical devices.
- The implementation of controls after the device has been produced.
- The handling of any consumer complaints or concerns.
- Risk and vulnerability management of the medical devices after they have been deployed to the healthcare provider.
- How the medical device should be properly decommissioned after it has reached its so-called “End of Life”.
For more detailed information about the JSP framework see this infographic.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.