Medjacking: the latest vulnerability
When it comes to IT security, the healthcare industry has an unfortunate track record. Healthcare is more than 200 percent more likely to encounter data theft and sees 340 percent more security incidents and attacks than other industries. And, unfortunately, threats are increasingly targeted and sophisticated. While hospitals are trying to manage run-of-the-mill attacks on their networks, a new problem with more sinister overtones is now percolating--security vulnerabilities of network-connected medical devices.
If the prospect of hackers homing in on medical devices makes you uneasy, it should. White-hat security professionals have already proven that pacemakers and insulin pumps, as well as surgical and anesthesia devices, ventilators, infusion pumps, defibrillators, patient monitors, and laboratory equipment are all vulnerable to incursion. In fact, security researchers Scott Erven and Mark Collao recently found that a "very large," unnamed US healthcare organization with some 12,000 staff and 3,000 physicians exposed more than 68,000 medical systems. Affected systems included 21 anesthesia, 488 cardiology, 67 nuclear medical, 133 infusion systems, 31 pacemaker systems, 97 MRI scanners, and 323 picture archiving and communications gear--and that organization was merely one of "thousands" with discoverable equipment.
While the possibility exists to do real harm to actual patients, there is no known case of such an incident occurring--yet. However, it's been demonstrated that medical devices are already being exploited as entry or staging points for deeper attacks on systems within a healthcare organization, in what has been dubbed medjacking. Therapy and diagnostic devices connected to hospital networks are especially vulnerable because they rely on standard network connectivity that exposes them to the same threats as any IT system in the hospital, yet typically they are poorly protected. This puts medical devices at risk and makes them an easy target and entry point for sophisticated attacks or malware. In some cases, hospitals have had to shut down clinical services and reroute patients when medical devices became infected--not necessarily because they were targeted, but because malware simply leveraged the weak spot found in a medical device.
Security researchers, government regulators, and healthcare providers are alarmed. The US Department of Homeland Security, the FBI, and the FDA, as well as international regulators, have all issued recent warnings and expressed concerns about the need to improve the cyber security of the medical device ecosystem. With more devices connecting to the burgeoning Internet of Things (IoT) all the time, the problem is poised to get worse before it gets better.
The scale of the problem
It's a complex problem with no easy solution. Whereas traditional workstations, servers, and mobile devices generally have a layered security solution built in, medical devices tend to lack this technology. As a result, not only are they helpless to defend themselves, but they also can't detect or report when they've been compromised. This means not only that we can't easily detect an ongoing attack, but also that we don't actually know the extent of the problem.
In addition, highly motivated attackers are increasingly sophisticated. A thriving underground economy for data and services means anyone who wishes can now buy toolkits or hackers-for-hire to execute an attack. As a result, we're now seeing up to one to two million pieces of new malware per day. Medical devices designed ten years ago simply can't withstand this volume or these types of threats.
Organizational and technical challenges abound
A multitude of stakeholders--from healthcare providers and device manufacturers to government agencies and regulators--have started to address the problem, but progress seems grindingly slow. Hospitals own thousands of pieces of equipment from dozens, if not hundreds, of different manufacturers with different operating systems and varying levels of security. Too often, no single group within a hospital is assigned responsibility for medical devices. Rather, they're managed independently within a department--sometimes with little or no IT or security oversight at all.
Protective strategies
Solving the problem will require all stakeholders to find a meaningful path forward together. Manufacturers need to begin designing security into their devices at all levels. Hospitals must do a better job of understanding risks and taking a risk management-based approach to mitigating device vulnerabilities. That includes understanding their device inventory--where devices reside, who owns them, and how they're configured--and then systematically alleviating the greatest risks. Regulators need to provide meaningful guidance to help the industry every step of the way.
A number of best practices are emerging. The Nashville-based Center for Medical Interoperability (CMI), funded by a number of hospitals across the country (including HCA and Scripps), is currently building a medical device integration showcase that addresses the security aspects of device integration in addition to the clinical aspects (such as ensuring that data flows correctly across devices for efficiency and clinical benefit).
The good news is hospitals and manufacturers are waking up to the challenge. They realize they are in the crosshairs of cyber criminals and that their traditional approach to security is insufficient. They also understand that the average trained biomedical engineer or even hospital security professional is just not up to the challenge--the bad guys have gotten too good. With so many medical devices spread across complex organizational and IT landscapes, choosing the right processes and tools is essential to success. Only a comprehensive risk management and mitigation approach can secure today's complex medical device infrastructure and protect the data it contains and the patients it serves.
Symantec is taking a leading role in developing medical device protection strategies. To learn more about how Symantec can help identify, manage, and mitigate your risks, watch our latest webcast, Medical Device Cybersafety – A pragmatic approach to addressing a complex problem.