When it comes to medical devices deployed in clinical environments, diversity is a key factor. A typical hospital normally houses thousands of different medical devices manufactured by dozens of different companies.
This creates a significant challenge for IT and security personnel because these medical devices are increasingly connected to hospital networks as part of an ongoing global IoT trend with the objective of improving patient care and efficiency. The reality is that not only are the medical devices manufactured by many different companies, but the underlying operating systems and software applications running on these devices are also incredibly diverse.
To make things even more challenging, the medical devices themselves are embedded devices running firmware, which is not easily patched. Unlike on a normal PC, the patching process is anything but seamless. The process requires quality assurance and software validation testing to be done by the device manufacturers, followed by deployment of the patch on-premises by Health Delivery Organization (HDO) staff. Sometimes even field engineers sent by the manufacturers must step in. One can only imagine that in a mission-critical environment such as a healthcare system, unplugging a device for software patching is not a simple task. Ultimately, the result is that medical devices are not patched frequently, rendering them vulnerable to cyberattacks.
The magnitude of the described challenge is amplified even more by the diversity of manufacturers. This is because HDO IT and security personnel are now required to manage the patching process by communicating with dozens of these manufacturers, who need to patch multiple operating systems and hundreds of device-specific applications. There just aren’t enough hours in the day to accomplish this successfully. In recent years, cyberattacks have become increasingly sophisticated, with breaches costing the U.S. healthcare system $6 billion worth of damage in 2015, according to Bloomberg.
Today, these cyberattacks continue to rise, targeting the healthcare sector even more due to vulnerabilities within medical device networks. This creates a critical exposure within the patient-provider information flow and can even affect the quality of patient care, and ultimately, their safety. Medigate has built a security platform to tightly protect this patient-provider data so that both parties can rely on the accuracy of critical treatment plans and confidentiality of their personal and private information.
Cybercriminals use backdoors and botnets to exploit devices and enter networks. For example, MEDJACK, first discovered in 2015, is an advanced zero-day attack that hackers used to specifically target the healthcare industry and steal valuable patient data. MEDJACK showed just how vulnerable medical devices, like X-ray machines and MRI scanners, are to attacks. Using malware to exploit older versions of Windows, hackers went undetected by endpoint security software. While MEDJACK specifically targeted healthcare, medical devices regularly use COTS (commercial off-the-shelf) operating systems, which are rarely patched, and so can also be hit by random cross-sector cyberattacks that aren’t just targeting healthcare.
Not surprisingly, the increasing frequency and sophistication of cyberattacks have led to a greater demand for effective network security among providers. In fact, a 2017 HIMSS cybersecurity survey reported that CIOs named network security as the leading IT priority for improvement, ranking ahead of other IT issues like patient safety and improved work processes.
In addition to triggering a host of network disturbances, data breaches pose a serious risk to patient safety, as attacks can lead to clinical errors, such as incorrect dosing and misdiagnoses of diseases. Medigate’s security platform prevents intrusions such as MEDJACK and instills confidence in the privacy and safety of medical relationships.
In today’s complex network environment, we are witnessing a different defense paradigm than the one we are accustomed to in normal IT networks. First, a risk profile for the connected medical devices must be dynamically generated by coupling technical attributes of the medical devices together with the pertinent threat landscape and compensating security controls in place. Identification of the high-risk medical devices is crucial as it enables the security team to focus all their effort and attention on specific devices rather than wasting valuable time and funds conducting mitigation activities that are not a top priority. This is anything but a simple task because, in many cases, HDOs won’t necessarily be aware of the technical attributes of their connected medical devices. These attributes are often obfuscated as part of the “security by obscurity” philosophy some manufacturers still embrace.
Second, dedicated security controls need to be inserted into the clinical environment in order to compensate for the lack of adequate endpoint security on the devices themselves, stemming from the cumbersome patching process. The clinical environment is so unique from a communications perspective that inserting generic IT security solutions into this environment just won’t get the job done adequately and will enable a common attacker to circumvent them effortlessly.
Finally, this process has to be automated (at least partially); otherwise, the workload on HDO IT and security teams will be far too great to handle. This calls for new dedicated medical cybersecurity solutions to automate these rather complex processes and form a new standard for clinical networking security.
About Jonathan Langer
After 14 exhilarating years of military service in Israeli Defense Intelligence (IDI), Langer made a life-changing decision to seek new adventures in the civilian world. His next adventure was founding a cybersecurity startup. After surveying different civilian sectors in search of a burning cybersecurity problem that he could solve, extensive research, and the massive WannaCry attack wake-up call to the security industry, Medigate was born. Backed by YL Ventures and Blumberg Capital, Medigate provides the industry’s first and leading dedicated medical device security platform, enabling providers to deliver secure, connected care.