Medjacking – An Epidemic in Healthcare
By: Manish Rai, Great Bay Software VP of Marketing
Here’s another term for your Cybersecurity lexicon: Medjacking – the hijacking of biomedical devices to create backdoors in hospital networks. This is yet another huge challenge for IT, because in most cases they have no say in the deployment of these devices and, as a result, no visibility or control. It’s not unusual for a hospital to have 10-15 networked devices per bed, but no effective biomedical device security. Hackers know this. When the network backdoor is wide open, the potential for unrestricted access to valuable patient data is practically unlimited.
Medjacking has even infiltrated the popular psyche. To highlight this, Popular Science cited an episode of the TV series Homeland, where hackers kill the vice president by disabling his pacemaker. And, though the FDA has known about the issue for some time and issued guidelines to manufacturers to make biomedical devices more secure, some claim that they aren’t strict enough.
Network breaches are without question costly to healthcare organizations. Under the regulations imposed by HIPAA and HITECH, penalties and fines are levied for breaches that involve the disclosure of protected health information.
So why are healthcare organizations not investing more in securing their networks? The answer is twofold. First, even with the FDA having oversight of hospitals’ networked biomedical devices, its requirements are concerned only with patient safety.
While the FDA has issued warnings and guidance about cybersecurity, the agency does not require either device manufacturers or healthcare providers to ensure only “trusted” users can access devices. Excluded from this guidance are biomedical device data systems, image storage and communication devices.
Second, hospital IT organizations are simply unable to secure their biomedical devices with their current NAC, firewall, IDS/IPS systems and other solutions. This lack of awareness and control of network-connected medical devices is the root cause of vulnerability. In an article entitled “It’s Insanely Easy to Hack Hospital Equipment,” Scott Erven from Essentia Health noted: “There are very few [devices] that are truly fire-walled off from the rest of the organization. Once you get a foothold into the network, you can scan and find almost all of these devices, and it’s fairly easy to get on these networks.” An additional layer of purpose-built security is needed to secure vulnerable endpoints.[2]
However, it is possible to mitigate these threats and effectively secure medical devices. Our customers use the Beacon Suite to do just that. For example, the Ann & Robert H. Lurie Children’s Hospital in Chicago is a pediatric teaching hospital. With 14 clinics and 8,000 employees, the IT department wanted a way to authenticate and ensure their biomedical devices. Great Bay’s Beacon Suite is the hospital’s primary tool for profiling and onboarding 100 percent of their biomedical devices.
So, now that we have the definition under our belts, what is the Rx to help mitigate this threat?
The Rx for Mitigating Medjacking
A proven countermeasure against the medjacking of IoMT and other network-connected devices is to deploy a purpose-built security layer in order to:
1. Identify every single device on the network and assign it an identity profile. This creates an up-to-date and comprehensive database or inventory of 100 percent of your biomedical devices and equipment.
2. Onboard every medical device securely using critical factors in its profile. This delivers a much more granular and secure method for MAC authentication to establish and enforce access privileges and/or restrictions.
3. Monitor the network to detect any device exhibiting uncharacteristic behavior. Endpoint profiling provides continuous monitoring, which is essential to detect and thwart an attack in progress.
4. Enforce access restrictions as needed to thwart an attempted breach. Endpoint and IoMT connection security systems provide a choice of manual and automatic enforcement options to maximize medical device security.
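The four steps above, applied to a constructed inventory. This is an added example, not Great Bay's code or part of the original article; it assumes a device profile consists of a DHCP option-55 fingerprint and a set of expected peers, and every name, MAC and address in it is made up for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    device_type: str
    dhcp_fingerprint: str      # assumed profile attribute: DHCP option-55 request list
    allowed_peers: frozenset   # assumed profile attribute: expected (ip, port) peers

# Step 1: identity inventory, keyed by MAC (constructed sample data).
INVENTORY = {
    "00:1a:2b:00:00:01": Profile("infusion-pump", "1,3,6,15",
                                 frozenset({("10.0.5.10", 443)})),
    "00:1a:2b:00:00:02": Profile("patient-monitor", "1,3,6,42",
                                 frozenset({("10.0.5.20", 2575)})),
}

def admit(mac, dhcp_fingerprint):
    """Step 2: onboard only if the MAC is known AND its profile matches."""
    profile = INVENTORY.get(mac.lower())
    if profile is None:
        return "quarantine: unknown device"
    if dhcp_fingerprint != profile.dhcp_fingerprint:
        # A copied MAC alone does not pass: the rest of the profile must agree.
        return "quarantine: profile mismatch"
    return "allow"

def unexpected_flows(mac, flows):
    """Step 3: flows to peers the profile does not list."""
    profile = INVENTORY[mac.lower()]
    return [f for f in flows if f not in profile.allowed_peers]

def enforce(mac, dhcp_fingerprint, flows):
    """Step 4: turn the admission and monitoring results into one decision."""
    decision = admit(mac, dhcp_fingerprint)
    if decision != "allow":
        return decision
    odd = unexpected_flows(mac, flows)
    if odd:
        return f"restrict: {len(odd)} unexpected flow(s)"
    return "allow"

if __name__ == "__main__":
    pump = "00:1A:2B:00:00:01"
    # Constructed observations: normal traffic, then the same MAC contacting other hosts.
    print(enforce(pump, "1,3,6,15", [("10.0.5.10", 443)]))
    print(enforce(pump, "1,3,6,15", [("10.0.5.10", 443), ("10.0.9.20", 445)]))
    print(enforce(pump, "1,15,3,6,44,46", []))      # known MAC, wrong fingerprint
    print(enforce("de:ad:be:ef:00:01", "1,3,6,15", []))
```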
Clearly, biomedical devices have a profoundly beneficial impact on the quality of healthcare. But medjacking is a pervasive and serious threat, and traditional security solutions, while necessary, do not offer truly effective IoMT security. Purpose-built endpoint security systems work in tandem with existing infrastructure to thwart breaches – without breaking the bank.
1. http://www.popsci.com/fda-issues-warning-cyber-security-risks-medical-devices
2. https://www.wired.com/2014/04/hospital-equipment-vulnerable