By: Chris Clements, VP of Solutions Architecture at Cerberus Sentinel
We’re All Connected (By Attack Surfaces)
In the years following the widespread disruptions caused by the global COVID-19 pandemic, malware attacks and data breaches have grown across industries, with over an 80% increase in cyber threats. A survey of more than 1,200 security leaders found that 49% of organizations report experiencing a data breach, up more than 25% since 2020.
As industries expand through innovative technological solutions, a corresponding effort must be made to safeguard the technology environments that support these industries. One such sector is the healthcare industry, especially as it continues to grow at an extraordinary pace. In 2020, US national healthcare expenditure reached $4.1 trillion, or $12,530 per person, and this figure is estimated to reach $6.2 trillion by 2028.
The expansion of the healthcare industry represents an increase in endpoints and attack surfaces for cybercriminals, as malicious actors are capable of exploiting both people and medical devices. From 2021 to 2022 the number of ransomware attacks on healthcare organizations increased a staggering 94%, and more than two-thirds of healthcare organizations in the U.S. reported experiencing a ransomware attack in 2021, up from 34% in 2020.
The Risks of Connected Medical Technology
In 2022, the average cost of a data breach in the healthcare sector was over $10 million, almost double the cost of a breach in the financial sector.
Even though hospitals are frequent targets of ransomware attacks, a reported 75% of clinics and hospitals are unprepared to respond to cyberattacks, as connected devices are increasingly used as a means of compromising security certificates, protected health information (PHI), personally identifiable information (PII), and intellectual property.
Understanding and identifying vulnerabilities in connected medical devices and technology represents a necessary first step toward improving Cybersecurity Culture throughout the healthcare industry, whether dealing with patients, devices, or sensitive data.
What are Connected Medical Devices?
Connected medical devices can transmit and/or receive data either to or from another device or the internet. This transmission happens via Wi-Fi®, Bluetooth®, or radio transmission on devices such as imaging machines (e.g., MRIs), clinician-monitored wearable fitness trackers, or even automated drug delivery devices (ADDS), such as a Data-Centered Insulin Pen. Wirelessly connected electronic devices are not only beneficial in care facilities but also allow for patient-administered therapy. The enhanced capabilities of this technology, however, are not without risk.
The global connected medical devices market size is expected to reach a market value of $181.9 billion by 2030. The vast number of connected medical devices of varying specifications and from different manufacturers makes security upkeep especially challenging for healthcare technology professionals. The FBI’s recent warning to the healthcare community indicates that not only are more than half of internet-connected medical devices at hospitals prone to cyberattacks, but there has also been an increase in cybercriminals targeting healthcare payment processors in an attempt to hijack payments.
The Cybersecurity and Infrastructure Security Agency (CISA) recently reported that Philips Healthcare e-Alert magnetic resonance imaging (MRI) monitoring software contained a vulnerability that could allow an unauthorized user to remotely access and shut down the system. If exploited, unauthorized users could issue an unauthenticated remote shutdown command, resulting in a denial-of-service (DoS) condition on the e-Alert hardware solution.
While Philips recommended that “only authorized personnel” be granted access to the network and the connected devices, this example illustrates the growing need for increased testing, auditing, and transparency regarding cybersecurity issues in medical technology. Philips supports coordinated vulnerability disclosure and encourages vulnerability testing by cyber researchers and by customers, with responsible reporting to Philips. It seems, though, that a more robust penetration testing effort is needed to better understand cyber threats and close the security gap before they can cause social and financial disruptions.
The Internet of Medical Things Has Changed Healthcare
The Internet of Medical Things (IoMT) represents the connected infrastructure of medical devices, software applications, and healthcare technology systems and services. The IoMT encompasses the operational functions of these devices and also represents a vast pool of patient, clinician, and caregiver data.
Wireless technologies can be compromised anywhere their signals are within reach. Furthermore, compromised internally connected medical devices could bypass a firewall’s logging and intrusion detection system and enable backdoor access to a hospital’s network infrastructure. Common types of attack vectors include:
- Weak or Compromised Credentials
- Malicious Insiders
- Lack of Encryption
- Security Misconfigurations
- Trust Relationships
Compliance in Healthcare Data
The Health Insurance Portability and Accountability Act (HIPAA) defines the industry standard for sensitive patient data protection and organizations across the healthcare industry must ensure HIPAA Compliance when dealing with Protected Health Information (PHI). The HIPAA Privacy and HIPAA Security Rules set forth by the U.S. Department of Health and Human Services (HHS) establish the national standards for the protection and privacy of certain health information. Additionally, the Security Rule is the national set of standards for protecting specific health information that is stored or transferred in electronic form.
What Safeguards are Needed for HIPAA Compliance?
When networked medical devices and technology are in use, the following safeguards are required to remain compliant:
- Physical Safeguards: limited facility access and control, including the proper handling, transferring, removal, disposal, and reuse of electronic media and electronic protected health information (ePHI);
- Technical Safeguards: restricted authorized access to ePHI, requiring user IDs, emergency access procedures, automatic log off, encryption and decryption, as well as documented audits, reporting, and tracking;
- Technical Policies: integrity controls or measures and disaster recovery and data redundancies to ensure electronic media failure can be remedied and PHI is secure; and
- Network Security: protecting ePHI against unauthorized public access across all methods of data transmission, including email, the Internet, or private cloud.
Mitigating Cybersecurity Risks in Healthcare
It is incumbent on Medical Device Manufacturers (MDMs) and Healthcare Delivery Organizations (HDOs) to ensure appropriate safeguards to reduce risk, including remaining vigilant about the vulnerabilities and hazards associated with medical devices and, for HDOs, routinely auditing and evaluating their hospital systems.
The Internet of Medical Things has transformed patient care, yet the need to protect the integrity of these systems and devices from cyber threats and malicious actors is as important as the development of the systems themselves. A holistic approach to cybersecurity coupled with routine vulnerability scans and penetration tests will improve the security posture across the healthcare industry.
Reach out to Cerberus Sentinel for all your cybersecurity needs and services to ensure cyber resiliency and learn how best to create a culture of cybersecurity.