While healthcare providers have been implementing technical, administrative and physical safeguards related to patient information, they have not been as diligent in securing their medical devices. These devices are critical to patient care and can leave hospitals at risk for cyberattacks, causing major disruptions to patient care.
In fact, 88 million individuals were affected by large breaches, compromising vast amounts of electronic protected health information (ePHI) last year according to the U.S. Department of Health & Human Services. This year, several large healthcare providers have again been impacted by cyberattacks, including Change Healthcare, Kaiser Permanente and Ascension. “Synnovis, a key provider of laboratory and diagnostic services in London, fell victim to a ransomware attack causing widespread disruptions,” reported Halcyon. The attack affected several hospitals including Guy’s, St Thomas’ and King’s College, Evelina Children’s Hospital, Royal Brompton, the Harefield specialist heart and lung hospitals and the Princess Royal Hospital in Orpington, reported The Guardian.
The total number of worldwide hospitals is expected to reach 166,548 by 2029, according to a report by Statista. The average number of connected medical devices per hospital bed is approximately 10 to 15, according to the HIPAA Journal. This data suggests that there will be 1.67 million connected medical devices worldwide by 2029, with many devices manufactured without a secure-by-design approach. According to a survey by the Ponemon Institute and Proofpoint, 89% of healthcare organizations have experienced close to one attack per week. The risk is compounded because 53% of healthcare organizations said they lack the in-house expertise to address cybersecurity issues. These numbers are alarming, given the vast amount of interconnected medical devices in hospitals.
Why are medical devices vulnerable to attack?
Although medical devices are designed to monitor a patient’s health, they can also be a major point of entry for hackers into a hospital’s network. While healthcare providers have improved the security of electronic health records (EHRs), hackers are now targeting medical devices. This has put the security of medical devices into a “code blue” situation. Some examples include:
Legacy devices: Many older medical devices still in use were not designed with cybersecurity in mind. They often run outdated software, which introduces vulnerable points of entry.
Regulation gaps: Although the Food and Drug Administration (FDA) has taken significant steps to enforce medical device regulations in recent years, there is still inconsistent compliance by medical device manufacturers and healthcare providers.
Lack of security protocols: Many medical devices are designed without robust protocols, making them easy targets for attackers.
Complexity: Medical devices are complex systems that can be difficult to secure because of their multiple components, interfaces and connectivity options.
Interoperability requirements: Medical devices need to communicate with other systems, devices and networks, creating security risks.
Lack of resources: Some medical device manufacturers do not have cyber expertise to implement proper security controls.
Supply chain risks: Healthcare providers often have limited end-to-end visibility across their medical device network and supply chain, which limits proper detection and response.
Addressing these vulnerabilities in medical devices will help significantly enhance the resilience of healthcare providers’ networks and mitigate the risk of cyberattacks.
What are vulnerable points of attack?
Examples of medical devices that are favorite targets of hackers include:
- Insulin pumps deliver insulin to diabetic patients in controlled doses, which can be hacked to alter insulin dosing
- MRI images can be altered through malware and system breaches
- Infusion pumps, which are used to deliver medications, can be hacked to alter the dose or duration of treatment
- Pacemakers can be hacked to alter the device’s settings, such as changing heart rhythms or stopping it altogether
- Medical devices that are at the highest cyber risk are nurse call systems since many have unpatched vulnerabilities
It is critical that healthcare providers ensure that interconnected medical devices on their hospital’s infrastructure are secure to mitigate risk and ensure patient safety.
Enhancing healthcare cybersecurity with gen AI
Healthcare providers can enhance medical device security, strengthen their cybersecurity posture and improve the quality of patient care by leveraging generative artificial intelligence (gen AI). Some key strategies include:
Compliance monitoring: Use gen AI to ensure adherence to HIPAA (Health Insurance Portability and Accountability Act) and other regulatory standards.
Threat intelligence: Employ gen AI to analyze large amounts of data, detect and respond to potential threats to medical devices and deliver alerts to healthcare providers.
Data privacy: Ensure HIPAA compliance by anonymizing ePHI before processing with gen AI and incorporating tokenization to avoid external dissemination of patient information.
Training: Create AI-driven cybersecurity training for healthcare providers to improve awareness, minimize security risks and meet compliance requirements.
Vulnerability management: Conduct AI-assisted vulnerability assessments to mitigate security risks.
Patch management: Implement an efficient, AI-driven patch management system to ensure that the most critical vulnerabilities are patched first and medical devices receive timely software updates.
Incident response: Use AI to analyze data to identify patterns in potential attacks to provide insights to analysts for improved decision-making and reduce the time spent analyzing alerts.
Moving forward, secure by design principles will be critical
In closing, the healthcare industry relies on the digital connectivity of medical devices. Medical device manufacturers have traditionally not followed secure-by-design approaches, introducing risks into hospital network infrastructure. Attackers are taking advantage of this and successfully executing ransomware attacks, shutting down hospitals’ operations, as well as and other types of cyberattacks. Healthcare providers can significantly improve medical device security by implementing cybersecurity best practices and leveraging the power of gen AI to improve the quality of patient care and, ultimately, the safety of patients’ lives.
The post Cybersecurity risks in healthcare are an ongoing crisis appeared first on Security Intelligence.