Connectivity has opened the door to cybersecurity attacks beyond the computer.
Security breaches can happen anywhere there is a connected electronic device. CAT scans, MRI machines, anything plugged in such as pacemakers and insulin pumps, create security vulnerabilities that can be overlooked in standard hospital cybersecurity procedures.
“In surgery room, everything is a computer,” said Fred Langston, executive vice president of Professional Services for CI Security. “We’ve opened the door, these are all networked together, sometimes communicating to the internet and cloud. It can literally make a connection to a patient device to the EMR on up to the cloud.”
The breaches can occur well away from the hospital.
“It’s not just the walls of hospitals,” Langston said. “It’s walking on the street.”
WHY IT MATTERS
Criminals infiltrating medical devices pose more than a threat to data security. Hackers accessing medical devices can threaten patient harm, whether that’s the intent or not.
“It’s not just, ‘Hey, we’ve lost a medical record,’ it’s patient safety,” Langston said. “When they make these attacks, it’s not because they’re taking over a medical device, it’s indiscriminate.”
As the government and hospitals push for interoperability, more coordinated care and patient-centric care, providers become more vulnerable to cyber attacks.
Most hospitals now have mobile access to electronic health records. It’s no coincidence that the uptick in cyber attacks began happening around the same time the government pushed for EHRs, according to Lisa Rivera, a healthcare security expert who is a former federal prosecutor handling civil and criminal investigations for the Department of Justice.
CI Security’s estimated 50 hospital clients have yet to experience a cyber attack through a medical device, but there are documented cases where this has happened.
THE LARGER TREND
One infamous case is that of the computer worm Stuxnet, which was first discovered in 2010. The U.S. government, in conjunction with Israel, targeted Iran’s production of uranium through the malicious computer worm, according to The Wall Street Journal. The worm caused substantial damage to Iran’s nuclear program.
The worm caused the centrifuges used to separate nuclear material to spin so fast that they blew up, according to Langston. In essence, the same concept can be applied to medical and other connected devices.
“This is the same type of attack,” Langston said. “Take the operational technology and do something you shouldn’t do.”
The 2017 ransomware attack Wannacry exposed weaknesses in cybersecurity response. The attack took down the national health system in Great Britain and put them back to paper and pencil.
In 2017, the U.S. Food and Drug Administration required nearly 500,000 patients with a radio frequency-enabled St. Jude Medical implantable pacemaker to install a software patch to protect themselves from cybersecurity vulnerabilities that had been discovered in the devices. The FDA issued an alert warning patients that the device’s vulnerabilities could allow unauthorized users to access the device. The FDA did not report any patient harm related to the cybersecurity vulnerability.
Since breaches can’t be totally stopped, the number one way for health systems to cut down on the damage and costs is to detect a breach quickly, said Drex DeFord, executive healthcare strategist with CI Security.
The average amount of time a hacker is in a system before detection is 197 days. If a medical facility is able to catch hackers in two hours or less, the impact is lowered significantly.
CI Security is in the business of monitoring alerts, including medical device vulnerabilities, and working with clients to take the right response.
The company has seen all sorts of malware and has picked up policy violations, such as healthcare data being transmitted unencrypted.
Hospitals have done a good job putting in preventative controls to manage firewalls and antivirus detection. But only the largest systems have the resources needed to work on the back end and respond quickly, DeFord said.
All of their clients have dealt with some sort of cybersecurity issue.
“Of the 50 hospitals we work with, everyone of them has gotten a handful of calls of a particular thing,” DeFord said. “Healthcare organizations need to monitor, detect breaches early and be able to respond in hours rather than 200 days.”
Email the writer: firstname.lastname@example.org