Medical Device Cybersecurity

The cyber-attack on Target in 2014 highlighted weaknesses in network cybersecurity. The hackers compromised an HVAC system and used it to enter the company’s network to gather credit card information. Retailers, as well as private and government institutions, are all at risk. Once the hackers break in, they have access to the personal information of clients and employees, intellectual property, the institution’s protocols, and the company’s financial information.

What are the hackers after?

A cyber-attack on a retailer gives access to credit card numbers that eventually expire, change, or can be cancelled by the consumers. A breach of a hospital network, however, yields enough information (Social Security numbers, birthdays, and places of residence) to establish false accounts. Furthermore, the illegally gained personal information can be used for blackmail or ransom. On the black market, medical profiles have a higher sale value than credit card numbers.

Networked Medical Devices

Today’s medical devices are integrated into the institution’s network; many run on standard operating systems and transmit data over the Internet. These devices can communicate with servers directly or through remote access. Health Care Facilities and Providers must be aware of the cyber dangers and vulnerabilities that connected medical equipment, such as infusion pumps (IV), EKG machines, patient monitors, MRI machines and more, brings to their network. Many of these medical devices are defenseless against new and emerging cyber threats due to outdated operating systems, generic preset passwords, open or vulnerable network connectivity, and software that is updated rarely or not at all.

Medjacking – Medical Device Cybersecurity

The implementation of networked medical devices in patient care has many positives; however, it has also created greater risk to medical networks. Hackers can now break into a vulnerable medical device and, through it, enter the network, gaining access to Protected Health Information (PHI) and other valuable data. By using external medical devices as a backdoor, the thieves can manipulate or shut down the device or, worse, jeopardize patient safety. Although hospital computers use anti-virus and other network security software and protocols to protect against intrusion, many external medical devices run old, unsupported operating systems such as Windows XP and are vulnerable to viruses, malware and hacking.

FDA 2014

In 2014, the FDA released guidance documentation on how medical device manufacturers can improve cybersecurity. Manufacturers have to understand the threats and vulnerabilities to their devices; they must assess how a possible intrusion can affect the safety of their devices and implement strategies to identify and protect against these threats.

Protecting Patient Safety

Raised awareness of cybersecurity must lead to the development and implementation of tighter security measures to protect medical network integrity. Facilities should consider replacing aged and vulnerable medical devices and demand that manufacturers upgrade the security features of their devices. Manufacturers should include these security features in the initial device development plan, not as add-on features or an afterthought.

It’s not just the medical equipment manufacturer that is responsible for medical device cybersecurity. Health Care Facilities and Providers must constantly evaluate their network security, restrict unauthorized access to their networks, ensure that anti-virus and firewall protection are enabled and up to date, and, when purchasing new devices, purchase only devices and equipment that have integrated cybersecurity features.

Facilities should implement a Medical Equipment Cybersecurity Plan for all networked medical devices. The plan should include permissions limiting access to trusted users, a determination of trusted content, recovery features, and network surveillance. Institutions should include Medical Device Cybersecurity as part of their routine medical equipment inspections, involving independent IT, cybersecurity staff, clinical engineering, and BioMed Service staff.

Contact us today at 718-414-5555 or visit us online at www.healtheng.com to learn more about Medical Device Cybersecurity and how Health Eng can assist in helping you and your facility promote patient safety through Biomedical Engineering Patient Safety and Preventive Maintenance Inspection Service of your medical equipment and devices.