A U.S. government official is sounding the alarm about a threat that’s invading hospitals and endangering patients’ lives—and it’s not COVID-19.
The threat, he told a recent healthcare conference, comes from cyberattacks on hospital IT systems via ransomware and, increasingly, connected medical devices.
“We have been so afraid to admit that cyberattacks and IT failures can impact patient care and patient safety that if we continue in denial mode, we will go back to business as usual,” warned Joshua Corman, chief strategist of the COVID-19 task force at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Corman is making a brutal point that healthcare cyber breaches don’t just put patients’ privacy and data at risk—they put people’s lives at risk. Two tragic incidents have vaulted the issue into the headlines:
- Parents of a newborn who died in 2019 are now suing an Alabama hospital; they allege their baby died because a ransomware attack at the hospital impaired the connected system that remotely monitored the fetal heartbeat before and during childbirth.
- A 78-year-old woman in Germany died from an aortic aneurysm in 2020 when a ransomware attack at the nearest hospital forced her ambulance to go to another hospital an hour away; police conducted a homicide investigation but did not lay charges.
Figures from the Cynerio report on hospital IoT security (discussed below) show how widespread the exposure is:
- 53% of IoMT and IoT devices in hospitals contain at least one known “critical” cyber vulnerability
- 73% of IV pumps (which make up 38% of the total IoT footprint in hospitals) “have a vulnerability that would jeopardize safety, data confidentiality or service availability” if exploited by hackers
- one-third of bedside healthcare IoT devices in hospitals contain an identified critical cyber risk
- ransomware attacks cost hospitals around the world a combined US$21 billion last year
Medtech’s unique risks
Addressing cyber risk in connected medical devices isn’t as simple as running security software throughout each hospital. As the Cynerio report explains, IoMT devices at hospitals are almost constantly in use, leaving little downtime to patch or update them. Unlike smartphones and other mobile devices, IoMT devices span dozens of operating systems and hundreds of different vendors, making it hard to deploy a single cybersecurity solution across a fleet. Many IoMT devices run versions of Windows so outdated that they are no longer supported and receive no security updates. (According to Cynerio data, that includes 53 per cent of devices used in oncology departments and 25 per cent of devices used in surgical units.)
What can be done
Cynerio researchers offer hospitals some strategies (other than the traditional patch-and-update model) to combat cyber threats to connected devices:
- Make it a priority to identify and address the risks of vastly outdated Windows deployments
- Use network segmentation (Cynerio estimates splitting hospital networks into operational “slivers” would address more than 90% of critical IoMT risks)
- Deploy security at the device level versus the OS level
- Implement an IT quarantine system to contain damage during cyber incidents
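As an added example (not from the Cynerio report or this article), the segmentation and quarantine strategies above can be expressed as one nftables policy on the hospital’s core firewall. Everything about the topology is assumed for illustration: IoMT devices sit on a dedicated VLAN (`vlan20`), clinical workstations on another (`vlan30`), the only destinations a device may reach are the vendor’s telemetry gateway and a DNS/NTP pair, and a `quarantine` set lets an operator cut off a compromised device during an incident without re-cabling anything.

```nftables
#!/usr/sbin/nft -f
# Added example: IoMT network "slivers" plus an incident quarantine set.
# Interface names, addresses and ports are assumed, not taken from any real site.
flush ruleset

define IOMT_IF     = "vlan20"                     # infusion pumps, monitors, etc.
define CLINICAL_IF = "vlan30"                     # workstations, EHR clients
define DEVICE_SRV  = 10.30.0.10                   # vendor gateway collecting device telemetry
define INFRA_SRV   = { 10.30.0.53, 10.30.0.123 }  # DNS and NTP

table inet iomt_segmentation {
    # Addresses placed in this set lose all connectivity, including flows
    # that were already established. Entries expire after 24h unless the
    # incident team renews them, so a forgotten quarantine does not persist.
    set quarantine {
        type ipv4_addr
        flags timeout
        timeout 24h
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Quarantine is checked before the established-flow shortcut so it
        # overrides every allow rule below, in both directions.
        ip saddr @quarantine log prefix "IOMT-QUARANTINE " drop
        ip daddr @quarantine log prefix "IOMT-QUARANTINE " drop

        ct state established,related accept
        ct state invalid drop

        # Sliver: a device may initiate traffic only to its gateway and core infra.
        iifname $IOMT_IF ip daddr $DEVICE_SRV tcp dport { 443, 8443 } accept
        iifname $IOMT_IF ip daddr $INFRA_SRV  udp dport { 53, 123 }   accept

        # Only the gateway may open connections *into* the device VLAN
        # (e.g. for vendor-pushed firmware updates).
        oifname $IOMT_IF ip saddr $DEVICE_SRV tcp dport 443 accept

        # Devices and clinical workstations never talk to each other directly;
        # log the attempt (it is a useful lateral-movement indicator), then drop.
        iifname $IOMT_IF     oifname $CLINICAL_IF log prefix "IOMT-LATERAL " drop
        iifname $CLINICAL_IF oifname $IOMT_IF     log prefix "IOMT-LATERAL " drop
    }
}
```

Because the chain policy is `drop`, any device not matched by an explicit allow rule is isolated by default; that is the “sliver” model, where each device class gets only the flows its clinical function needs. During an incident an operator isolates a device with `nft add element inet iomt_segmentation quarantine { 10.20.0.45 }` (address assumed) and releases it with the matching `nft delete element` command, which is the quarantine step from the list above without touching the allow rules.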
Baking it in
In April 2020, Dan Bardenstein joined the U.S. government’s Defense Digital Service (DDS), an elite cyber squad that proudly calls itself the Pentagon’s SWAT team of nerds. One of DDS’s biggest missions to date is safeguarding Operation Warp Speed, America’s COVID-19 vaccine program. “We worked closely with a lot of other cybersecurity agencies around the government to protect the entire end-to-end process of the vaccine, from the research and development (to) the clinical trials, the distribution and manufacturing,” Bardenstein told the Federal News Network. Operation Warp Speed opened Bardenstein’s eyes to the enormous challenges of protecting biotech and medtech from hackers.
Now Bardenstein has a new job (working alongside Corman) as technology and cyber strategy lead at CISA. And he’s calling for new rules to protect medical devices at the source: the manufacturing level. “The FDA should establish a clear list of minimum cyber protections that medical devices must possess in order to receive FDA approval,” Bardenstein argued in a position paper released earlier this month. “The FDA’s current approach to cybersecurity standards is to provide ‘non-binding recommendations’ to device manufacturers,” he continued. “As a result, many device manufacturers still do not implement basic protections sufficiently, if at all, nor comply with FDA recommendations.” Under Bardenstein’s proposal, manufacturers of connected medical devices would have to meet standards for:
- password requirements
- data encryption
- patching-and-updating procedures
- user guidance on securing and configuring devices
- timely disclosure of security vulnerabilities
- embedding automatic checks for software and security updates into device systems
The post Protecting Connected Medical Devices from cyberattacks appeared first on expertIP.