When we think of cyber threats in Health IT security, we generally think of hackers going after computers and mobile devices to steal personal and financial information. But hackers have a new, even more potentially frightening target: medical equipment.
According to one survey, nearly 8 percent of patients had at least one implantable medical device for the control of a chronic condition, and every provider surveyed used the network-connected medical equipment. While these devices cannot necessarily be connected to the Internet themselves, they operate on networks where other devices can be – and usually are. An employee checking email, for example, could introduce malware to the network that then proceeds to attack medical equipment. The result could be catastrophic, ranging from stolen personal health information to patient deaths from malfunctioning devices.
This issue is considered important to the digital health industry since medical equipment connected to hospital networks and/or the Internet is a prime target for hackers (the security is often lax on these machines due to FDA guidelines and user practices). The potential for data breaches as well as tampering with implantable devices is great, and the results could be devastating if the security on these machines is not improved.
Where the Holes Are
A number of researchers, including a team from the Department of Homeland Security, have looked into the issue of unsecured medical equipment to identify potential security vulnerabilities. Their findings are broad in scope – and frightening.
The many potential security problems with medical equipment – which extend across vendors – include:
- Devices being shipped to providers with default usernames and passwords that cannot be changed
- Devices running without security patches
- Unencrypted communication among devices on the same network
Experts say that the lack of security in medical equipment stems in large part from the FDA, whose rules only allow for a very specific set of circumstances in which software upgrades – including security – patches can be issued. However, the guidance from the FDA on the issue of security often creates confusion as to whether the security patch needs to be approved or not.
Currently, FDA guidelines state that only those changes that modify the indications for use of the device and/or significantly alter its safety or effectiveness need approval. The FDA notes that most security patches do not need to be reported, since the security patch is designed to improve the security of the device and has no effect on its function or the health of the user.
On the surface, that appears to clear the way for manufacturers to develop and issue security updates, but the truth is that most do need to seek approval. In 2012, a report from researchers at the University of Michigan revealed that at one Boston hospital alone, nearly 700 different medical devices were running without the most up-to-date security measures. Not only could the hospital not update them, but the manufacturers weren’t issuing updates due to FDA regulations.
Reducing the Risk
Identifying the risk to medical equipment is only half the battle. While experts note that the danger of hackers going after medical equipment is comparatively low, and most of the identified risks have been discovered via tests and proof-of-concept exploits in controlled environments, there still have been cases in which medical equipment has been breached. For example, hackers invaded a hospital PACS system and began sending images and information to China. In another case, hackers installed malware on X-ray equipment that they then used to move throughout the hospital network.
In fact, while the risk to patients using implanted devices is real, most agree that the main danger now is the potential for hackers to use medical equipment as a means of entry to hospital networks. For that reason, until the FDA allows for more flexibility in mitigating security risks, it’s up to providers to find ways to secure their networks more effectively. More specifically, hospitals need to invest more in protection, including layered security featuring Azure Security, firewalls, encryption, more advanced threat and intrusion detection and prevention, and sandboxing of potentially malicious applications.
Better network policies and education are also an important part of improving security. Employees are still regarded as the top risk to enterprise security – the average hospital receives thousands of potentially harmful emails every week. So educating employees about the risks; implementing strict acceptable use, password, and reporting protocols; and limiting administrator privileges are all vital to securing the network.
Because hospital equipment is presenting such a significant risk to patient privacy, device manufacturers also need to work more closely with security vendors to develop stronger coding protocols and gain access to the most up-to-date security information. By doing so, the FDA can potentially ease some of the restrictions related to the security of equipment and allow for safer, more secure medical devices and a reduced risk of stolen information – or worse.
In order to avoid the issues mentioned in this article, these actions would be recommended:
- The FDA needs to change policies to allow for easier security updates to medical equipment.
- Hospital networks needs to be more secure.
- More training in security protocols needs to be provided.
In order to start implementing the recommendations above, an organization can start by doing the following:
- Implementing better acceptable-use protocols and stricter password policies.
- Providing more training on identifying phishing scams.
- Limiting administrator privileges on networks.
- Encrypting data.
- Implementing layered security solutions that include firewalls, intrusion prevention, and sandboxing to prevent harmful malware from accessing data.
Patrick Hubbard, Head Geek and technical product director in SolarWinds, mentions that due to increasing and developing threats to the enterprise, privacy remains a key concern for 2016. Expect that we are likely to see continued advanced persistent threats and even more targeted attacks—whether politically or criminally motivated. With significant efforts toward digitization of healthcare in 2015 and the growth of IoT in the public sector, hospitals are becoming increasingly connected, and therefore, increasingly at risk. There have already been high-profile hacks of US hospitals including UCLA, and reports that drug pumps used in the UK can be hacked and controlled. Hospital networks are increasingly relied upon to manage X-rays, Bluetooth-enabled defibrillators, and temperature settings on blood and drug storage units; therefore, opening themselves up for breaches with potentially severe consequences not found in other industries.
Healthcare records alone are a potential goldmine of data highly valuable to an attacker. Medical records and patient data are some of the worst protected personal information on file anywhere. As healthcare systems become digitized, they become the most vulnerable they have ever been. Worse, with actual theft from identity breaches in 2015 topping $100M, criminals have demonstrated the value of targeted attacks. Therefore, in 2016 it is extremely important that multi-discipline security and encryption remain a top priority for healthcare executives.