As medical devices and processes become more technologically sophisticated, so do the schemes of bad actors trying to steal private patient information and hold health care practices hostage. Potential cybersecurity threats should be addressed early and often, because data breaches can occur at any point in the medical environment.
In particular, medical practices and medical device Original Equipment Manufacturers (OEMs) must safeguard their Internet of Things (IoT) connected devices, which, according to Deloitte, remain a prime target of cybercriminals. Today, medical organizations must implement best practices and security services to minimize points of vulnerability in their connected devices and in the complete set of subsystems around them. Doing so protects sensitive patient information, supports the highest quality of care and staves off media and reputation disasters.
The Rise of IoT Devices and the Evolving Threat Landscape
While medical IoT devices bring various benefits to patient care, such as remote capabilities and improved accessibility, the number of vulnerabilities affecting such devices has risen 59% since 2022, while the number of vulnerabilities overall grew by a mere 0.4%. Unfortunately, bad actors have been relentless: the health care industry paid almost $20.8 billion for downtime in 2020 and $2.1 million in ransom for patient data. Moreover, health care organizations averaged 1,463 cyberattacks per week in 2022, a 74% increase from 2021.
Some estimates posit that there are 20 to 30 billion IoT-connected medical devices in the US, including infusion pumps, insulin pumps, pacemakers, medical wearables, ventilators, guided imagery, monitoring sensors, etc. Because these devices connect to the Internet, each one is exposed to hacking, malware and ransomware attacks. Likewise, diagnostic medical devices like Magnetic Resonance Imaging (MRI) machines, Computed Tomography (CT) scanners and X-ray machines increasingly connect to networks, making them susceptible to the same threats.
By infiltrating medical IoT devices, which transfer and utilize patients’ personal information, bad actors could access this sensitive data and use it for nefarious purposes. Cybercriminals can also exploit medical IoT devices to penetrate a health care practice’s infrastructure, allowing them to disrupt critical, life-saving procedures and systems. Recently, in an Alabama hospital, ransomware attacks led to preventable patient deaths, as staff were unable to use fetal heartbeat monitors.
Best Practices for Securing Medical Devices
To combat these escalating security threats, it is paramount that medical organizations follow best practices to maintain the benefits of IoT technology without compromising patient safety or data integrity. Firstly, health care organizations must identify potential threats and vulnerabilities to their connected medical devices and related IT subsystems through a risk assessment and craft a corresponding risk management plan that addresses these issues. Next, medical practices can deploy security solutions that enable real-time tracking, monitoring and detection, including analytics platforms with notification and alert features.
Establishing robust authentication mechanisms that limit access to key functions and sensitive data is also crucial, as is maintaining an inventory of all IoT devices and related assets. Likewise, medical practices must implement strong, up-to-date data encryption algorithms and protection techniques for data storage and transmission, such as encrypting data sets according to their criticality level. Furthermore, many medical practices will benefit from learning the security ramifications of cloud services, especially as more health care organizations transition their IT infrastructures to the cloud.
Ensuring the security of medical IoT devices and connected hardware is a two-way street: health care organizations and medical device OEMs play equally important roles. In particular, OEMs must build the capacity to remotely monitor devices and securely deploy firmware security updates and patches as new threats surface over the device’s lifecycle. Security is likewise a shared responsibility between patients, providers, and medical device/system manufacturers; therefore, medical practices should provide patients with appropriate guidance and support to promote security across every aspect of the health care landscape.
Notable Technology in IoT Medical Device Security
Medical organizations should be aware of new threats as well as emerging technologies, such as Artificial Intelligence (AI), blockchain and microsegmentation, that can help them repel bad actors. For instance, AI and Machine Learning (ML) technologies enable health care IT teams to classify data into buckets and select data security strategies cost-effectively. Blockchain technology is excellent for concealing sensitive patient data, as it stores this information in a manner that makes it unintelligible and impossible to edit. Plus, blockchain technology is decentralized, allowing health care providers to share information with patients quickly and securely.
Another relevant technology is Zero Trust architecture, which follows a “never trust, always verify” principle. By treating every connection on the network as a possible threat, Zero Trust architecture grants access only on a need-to-know basis, significantly decreasing the risk of security breaches and their devastating consequences. Additionally, medical practices should consider leveraging microsegmentation, that is, dividing a network into smaller segments or zones. Microsegmentation helps network administrators reduce unauthorized access and limit an attacker’s movement if they manage to get inside.
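As an added illustration of the device inventory mentioned under best practices and of the need-to-know, default-deny access model behind Zero Trust and microsegmentation, the following example (not from the article or from Digi International) evaluates connection attempts between constructed hospital network zones. Device names, zones and services are hypothetical; anything not on the explicit allow-list is denied, and the blast-radius helper shows which zones a compromised device could still reach.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    zone: str  # microsegment the device is placed in


# Constructed device inventory (illustrative names, not from the article).
# A device that is not inventoried is never trusted.
INVENTORY = {
    "infusion-pump-01": Device("infusion-pump-01", "bedside"),
    "mri-01": Device("mri-01", "imaging"),
    "pacs-server": Device("pacs-server", "imaging"),
    "nurse-ws-07": Device("nurse-ws-07", "clinical-it"),
    "telemetry-gw": Device("telemetry-gw", "datacenter"),
}

# Allow-list of (source zone, destination zone, service). Anything not
# listed, including traffic within the same zone, is denied by default.
ALLOWED_FLOWS = {
    ("bedside", "datacenter", "telemetry"),
    ("imaging", "datacenter", "dicom-archive"),
    ("clinical-it", "imaging", "dicom-view"),
    ("clinical-it", "datacenter", "ehr"),
}


def flow_decision(src: str, dst: str, service: str) -> tuple:
    """Decide one connection attempt. Returns (allowed, reason)."""
    s, d = INVENTORY.get(src), INVENTORY.get(dst)
    if s is None or d is None:
        return False, "unknown device: not in inventory"
    if (s.zone, d.zone, service) in ALLOWED_FLOWS:
        return True, f"{s.zone}->{d.zone}/{service} is on the allow-list"
    return False, f"no rule for {s.zone}->{d.zone}/{service}"


def blast_radius(name: str) -> set:
    """Zones reachable from a device's segment if that device were
    compromised: every destination zone with an allowed flow from it."""
    dev = INVENTORY.get(name)
    if dev is None:
        return set()
    return {dz for sz, dz, _ in ALLOWED_FLOWS if sz == dev.zone}


if __name__ == "__main__":
    for attempt in [("infusion-pump-01", "telemetry-gw", "telemetry"),
                    ("infusion-pump-01", "mri-01", "dicom-view"),
                    ("rogue-laptop", "telemetry-gw", "telemetry")]:
        print(attempt, flow_decision(*attempt))
    print("pump blast radius:", blast_radius("infusion-pump-01"))
```

Running the block shows the infusion pump reaching only its telemetry gateway, while an attempt from the pump toward the MRI, or from an uninventoried laptop, is refused.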
Taking Responsibility for Device Security
Although the Food and Drug Administration (FDA) began requiring that connected medical devices meet cybersecurity guidelines in 2023, medical device manufacturers and health care organizations are equally responsible for preventing cyberattacks on devices. The security onus does not rest solely on the connected device manufacturer. Accordingly, medical practices, on top of doing their own due diligence to address threats, should exercise scrutiny when selecting device makers.
Be sure to ask specific security-related questions. Does the medical device manufacturer build security into the very heart of its devices rather than tacking it on as an afterthought? Does it integrate the functionality to proactively and securely manage the security of those devices after they are shipped and deployed, keeping them secure throughout their entire lifecycle until they are obsolete? Likewise, health care organizations should investigate and utilize knowledgeable wireless and wired communication partners with experience supporting IoT medical devices end-to-end, bearing in mind hardware, software, tools, and cloud and security services.
Miguel Perez is the OEM Product Manager for Digi International.