How to Increase Your Medical Devices Cyber Security
With the modern IoT, medical devices play a prominent role in healthcare delivery. They improve the overall operations of medical practices and clinical decision-making. By collecting data and allowing for remote patient monitoring, they feed practitioners with real-life, up-to-date information necessary to deliver the highest quality of care. However, their interconnectedness makes them a perfect target for medjacking: hackers attack these devices to obtain protected health information. That is why medical device cyber security should be the industry’s focus as we rely more on these devices and utilize them to a greater extent.
What Is a Medical Device?
According to the U.S. Food & Drug Administration, we classify a device as “medical” if it fits the following definition:
From there, we can further introduce the classification of these devices based on patient security risks and secure medical devices appropriately:
- Class I devices are low-risk such as bandages and handheld surgical instruments.
- Class II are intermediate-risk devices. They include X-rays or CT scanners.
- Class III are high-risk devices such as pacemakers.
With the rapid development of technology and the growing number of medical features devices can hold, we can also include health wearables in the mix: devices that patients wear to gather clinical data and improve their health. They became a new access point for hackers, making the security of medical devices a priority. Take the Apple Watch, which had to receive FDA clearance due to its electrocardiogram. With such a feature, it fits the definition of “intended use” according to the FDA and can be used to diagnose and treat patients based on the gathered data. In other words, we have reached a time when our aesthetic accessories have a higher purpose, and we are no longer sporting watches merely to check the time.
Can Medical Devices Be Hacked?
In a single word: yes. Medical device security has only recently become a hot topic, yet attackers have been targeting these devices for years. Insulin pumps and implantable cardioverter defibrillators (ICDs) are some of the more commonly attacked devices. Even the former U.S. Vice President, Dick Cheney, feared a hacking attack, prompting alterations to his heart implant in 2013. A question that naturally arises is why these devices are such an attractive target.
The FDA didn’t introduce medical device security standards on a whim. They came as the result of frightening statistics related to healthcare cyber security. For example, the healthcare industry has been the most attractive target for hackers for twelve consecutive years. Furthermore, cyber attacks on healthcare are rising due to high costs related to data breaches in the industry: the price of a single stolen patient record can go as high as $429.
Cybersecurity for medical devices is thus an issue related to patient privacy. Protected health information is a lucrative target for attackers who practice ransomware: stealing the information with the threat of releasing it or locking the devices until the criminals’ demands are met.
The Role of Medical Device Manufacturers
There are not many industries in which the security of devices is as important as in healthcare. We have already touched on the dangers of failing to comply with medical device security standards. Several standards apply to medical device manufacturing, according to NQA. The one we are mainly concerned with right now is ISO 27001. It provides a set of platform-independent best practices for developing and implementing software, based on the cybersecurity risks in your organization. From there, it is essential to note that the FDA has already assembled a list of requirements manufacturers must fulfill to secure medical devices. Those are:
- Establishment registration
- Medical Device Listing
- Premarket Notification 510(k), unless exempt, or Premarket Approval (PMA)
- Investigational Device Exemption (IDE) for clinical studies
- Quality System (QS) regulation
- Labeling requirements
- Medical Device Reporting (MDR)
The above highlights how manufacturers must develop, design, label, package, and otherwise integrate a device into the healthcare system. The FDA emphasizes that it is the responsibility of manufacturers to ensure medical device cyber security. The question that arises is how these devices are targeted.
Medical Device Hacking
If an individual has a pacemaker or a heart monitor, a hacker could try and affect the device, potentially even stopping the device and killing the target. Understanding this danger means taking the necessary precautions to prevent it from happening. Here are some of the reasons why a hacker might attack a medical device:
- To steal data for ransomware, should medical device cyber security fail
- To treat a disease that the device was not intended for
- To bypass pay-per-use features
- To damage it or the patient
Little good can come from hacking a device in the health industry. Malicious attempts aside, attackers need to find a way to attack it. They can do so in the following ways:
- Physically, by removing a panel
- Gaining access to the network the device is attached to
- Overloading the machine (exceeding its designed parameters of operation)
- By gaining access to non-encrypted data
Even though the manufacturer must secure the device they produce, there are also steps you can take to protect your medical organization and patients from IoT threats.
Keep Your System Updated
Regular patches and software updates are necessary, given the constantly changing landscape of cyber threats. You should also monitor your network and be aware of devices connected to it.
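One way to act on both points above, checking patch levels and knowing what is connected to your network, is to compare a scan export against your approved device inventory. The Python below is an added example, not part of the original article; the inventory, MAC and IP addresses and firmware versions are constructed sample data, and the scan format (one "IP MAC" pair per line) is an assumption.

```python
import re

# Constructed approved inventory:
# MAC -> (device name, installed firmware, minimum patched firmware)
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("infusion-pump-ward3", "2.4.1", "2.4.0"),
    "00:1a:2b:3c:4d:02": ("ct-scanner-radiology", "5.0.9", "5.1.2"),
    "00:1a:2b:3c:4d:03": ("patient-monitor-icu7", "1.10.0", "1.9.3"),
    "00:1a:2b:3c:4d:04": ("telemetry-gateway-east", "3.2.0", "3.2.0"),
}

# Constructed sample of a network scan or DHCP lease export (assumed format).
OBSERVED = """\
10.20.0.11 00:1A:2B:3C:4D:01
10.20.0.12 00:1a:2b:3c:4d:02
10.20.0.57 de:ad:be:ef:00:99
10.20.0.13 00-1A-2B-3C-4D-03
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b", re.I)

def version_tuple(v):
    """Turn '1.10.0' into (1, 10, 0) so 1.10.0 compares above 1.9.3."""
    return tuple(int(p) for p in v.split("."))

def normalize_mac(mac):
    """Lower-case and use ':' so differently formatted MACs compare equal."""
    return mac.lower().replace("-", ":")

def audit(observed_text, inventory):
    """Return (unknown devices, devices needing a patch, inventoried but unseen)."""
    seen = {}
    for line in observed_text.splitlines():
        m = MAC_RE.search(line)
        if m:
            seen[normalize_mac(m.group(1))] = line.split()[0]
    unknown = sorted((ip, mac) for mac, ip in seen.items() if mac not in inventory)
    outdated = sorted(
        name for name, installed, minimum in inventory.values()
        if version_tuple(installed) < version_tuple(minimum))
    missing = sorted(
        name for mac, (name, _, _) in inventory.items() if mac not in seen)
    return unknown, outdated, missing

if __name__ == "__main__":
    unknown, outdated, missing = audit(OBSERVED, INVENTORY)
    print("Unknown devices on network:", unknown)
    print("Devices below minimum firmware:", outdated)
    print("Inventoried devices not seen:", missing)
```

Firmware versions are compared numerically per component, because a plain string comparison would rank 1.10.0 below 1.9.3 and raise a false patch alert.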
Encrypt Your Data
Cybersecurity for medical devices can fail. If an attacker does get access to your data, having it encrypted would thwart their plans, whether they intend to harm the device itself, harm the patient, or deploy ransomware.
Implement Multi-Factor Authentication
Limiting access to health devices can go a long way toward their protection. Requiring authentication at every step can be exhausting for patients and medical providers because of constant password entry. However, doing so drastically improves medical device cyber security and could potentially protect your institution from physical threats. With biometrics, among other technologies, it will be possible to automate the entire authentication process without today’s arduous steps.
Knowledge is power, or so they say. But understanding the potential internet threats means understanding the necessary preparations. Educate yourself and your employees on possible access points, what technologies hackers can exploit, and how. With that, and all the steps mentioned above, you will drastically improve the security of your organization and your medical device cyber security.