Medical devices offer new risks for network access
Hospitals typically have hundreds of medical devices; many may be quite old and unsecure, and IT departments may not remember that they still are computers linked to the corporate network, just like any other computer.
They also represent an easy gateway for hackers.
Newer medical devices may be more robust in the types and amounts of data they collect, and they may connect not only to the core network but also through Wi-Fi networks.
David Mertz, a director at the consulting firm Security Risk Advisors, advocates that facilities use “network segmentation,” so that devices work on a separate network and are not accessible otherwise.
He acknowledges segmentation is expensive to implement, difficult to maintain and requires multiple firewall rules, but in the cyber risk environment that currently exists, organizations will increasingly recognize the need.
More attention also needs to be paid to new medical devices, Mertz contends. Newer devices offer better data protection, as they generally have embedded encryption, says Mertz. There’s just one big problem: “Turning encryption on requires awareness and a little bit of effort.”
Physicians routinely balk at the use of encryption within electronic health records systems because they don’t want to jump through a couple more hoops to get to the data they want every time they access the EHR, and they often have the clout to not use encryption. That leaves EHRs vulnerable to attack.
But medical devices with password protection could make a hospital vulnerable to hacking, Mertz notes. Devices often are configured with default passwords that can easily be discovered by a hacker.
Further, medical devices often are installed in hospitals without the IT department being notified, so even when IT is tasked with protecting devices, they may not know that new ones have come in. Mertz advises creation of an device acquisition process so that new devices have to first go through IT’s risk assessment security checks.