5 risks in protecting medical devices and how to meet them
Widespread use of connected devices expands the attack surface available to hackers, and security execs must up their game.
5 medical device security risks and how to beat them
The increasing use of connected medical devices that link up or integrate with other systems, devices, tools, networks or services offers much promise in improving care, but also represents significant risk to network security—and most healthcare organizations are poorly protected. According to new research from Booz Allen Hamilton and eHealth Initiative, these innovations pose security risks: hackers can attack connected medical devices, making it easier to disrupt their operations.
Risk 1: Physical proximity is not necessary for compromise
To an attacker, connected devices are just computers on the network, and they are vulnerable to the same types of cyberattacks that threaten every digital device. A July advisory from the Department of Homeland Security warned of a set of vulnerabilities called URGENT/11 that is present in 200 million devices worldwide. The vulnerabilities could enable anyone to remotely take control of a device and change its function or cause a denial of service, or cause leaks or logic flaws, which may prevent device function.
Risk 2: Devices extend the roles of some organizations
Healthcare organizations now are significantly involved in the process of developing these devices—in fact, they’re information technology partners with medical device manufacturers. These manufacturers continue to be involved over time, because they typically have a direct role in the post-market phase, after regulators have approved a device for use. This unstructured relationship boosts the security risks for healthcare delivery organizations, because they must learn to mitigate risks inherent in connected health devices that rely on third-party, off-premises technology to work properly.
Risk 3: Connected medical device vulnerabilities never expire
Sometimes, even “secure” systems have latent vulnerabilities, and these can go from “undisclosed” to “easily exploited” in a matter of days. Because hackers don’t have to be physically attached to the device, threat actors can get access easily by finding and working to exploit undisclosed vulnerabilities.
Risk 4: Not enough adoption of a threat-centric mindset
To secure the connected health ecosystem, those tasked with protecting it need a threat-centric mindset. Defining policies and assessing compliance are not sufficient to prevent compromise of devices, the network and healthcare information databases. Even the most compliant organizations fall victim to sophisticated threats, with 77 percent of successful attacks exploiting pre-existing vulnerabilities. Threats and exploits must be continually assessed throughout the lifecycle.
Risk 5: Connected devices face a variety of diverse risks
Patients and providers must be able to rely on the confidentiality, integrity and availability of connected devices and the data they create, and the devices must be always connected and available. But many risks have the potential to erode this trust, from supply chain issues to privacy concerns. No single security approach is sufficient; many complementary solutions are necessary.
What follows are suggestions from Booz Allen Hamilton and eHealth Initiative to address these challenges.
The status quo is not sufficient
Securing the connected health ecosystem is an ongoing and persistent challenge that has the potential to disrupt the entire industry if vulnerabilities are not identified, alerted and dealt with quickly.
Everyone plays a role
Potential solutions to emerging threats to connected medical devices require coordinated and diverse activities, working in concert to adequately address all threats and risks.
Important work already is underway
The health industry has already created significant resources, such as the Joint Security Plan, as a starting point. Much remains to be done, but many of the important issues are currently being discussed.
Keep an eye to the future
The solutions required to fix today’s vulnerable devices are not the same as those required to prevent future devices from being vulnerable. Protection from future vulnerabilities must be designed into emerging connected devices while still addressing today’s needs.
More engagement is needed
Attending events held by the Health Sector Coordinating Council (HSCC) and the Health Information Sharing and Analysis Center (H-ISAC) is a good way to engage stakeholders in productive dialogues that can benefit everyone.
Important resources for further study
Here are some important resources for further study.
The Medical Device and Health IT Joint Security Plan
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, from the Health Sector Coordinating Council
Department of Health and Human Services cyber security guidance materials
Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency