Our healthcare delivery system is continuing to automate. This digitisation will see tens of thousands more medical devices, both new and dormant, connected to IT networks in the next couple of years, potentially exposing our healthcare systems to thousands of vulnerabilities.
These devices include an array of typically large diagnosis machines, such as CT, X-Ray, PET, MRI, ultrasound, and also treatment systems such as ventilators, infusion pumps, defibrillators, radiotherapy, and chemotherapy devices, and a multitude of systems for patient monitoring and management.
There’s also the large number of laboratories, CCTV, elevators, door locks, and other connected building systems critical to hospital workflow and safety that need to be considered. The opportunity for cyber criminals to penetrate the network is endless, and as we continue to add more and more devices, the threat surface will increase.
Most medical devices are employed in hospitals and clinics, but an increasing number of traditional and wearable devices are sent home with patients, allowing care teams to monitor patients remotely from their homes. The number of remotely monitored patients has risen sharply since Covid-19 with these systems communicating back to hospitals across the Internet.
It is these ‘connected devices’ or HIoT (Healthcare IoT) that healthcare leaders, heads of hospital IT and even patients are worried about being vulnerable to a cyber-attack, especially in times of growing online threats, rising geopolitical tensions and state-sponsored cybercrime and cyberespionage.
The challenge is that most of the thousands of connected medical devices have been offline for years and have never been patched or aren’t likely to be patched. Unfortunately, neither patching nor security fixes are something built into most manufacturers’ business models. Therefore, these devices often come onto the network containing significant security vulnerabilities, leaving a door wide open for cyber criminals to gain access to the network and put patient safety at risk.
Instead of being managed by IT and security teams, medical devices are typically managed by clinical engineering or biomed technicians who know little about cybersecurity and IT, and report outside of the IT department in health systems. This adds to risk and patient safety concerns.
How to reduce cyber risk in HIoT
The biggest issue is that traditional network vulnerability scanning will crash, break, or permanently damage fragile medical devices. Secondly, hospitals generally have a very poor inventory of what devices they own, where they are located, and what firmware and software levels each may be running. And thirdly, patching devices is difficult even when patches are made available by manufacturers, as these devices often run 24 by 7.
Hospitals need tools that use advanced technologies like artificial intelligence to identify and profile inventory, and risk assess medical devices passively so as not to harm fragile systems yet still meet industry governance compliance standards. From that profile we can easily establish a baseline of ‘normal’ network activity for each device and quickly alert when anomalous traffic is attempted – which can be a sign that a device is being compromised.
We can also apply compensating security controls to highly vulnerable devices that cannot be patched using existing technologies already owned by Trusts and that are built into their networks. Network Access Control can ‘enclave’ or ‘micro-segment’ all at-risk devices and therefore provide an additional layer of protection. With the right tools this can be done easily with a simple click of a button. Providers can safely continue to use unpatched devices and remain compliant while operating at an acceptable level of risk against cyberattack.
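The passive baselining and micro-segmentation described in the two paragraphs above can be sketched as follows. This is an added example, not Cylera's code or any vendor's method; the device names, addresses and flow records are constructed, and it assumes flows are collected passively (for instance from a mirror port) rather than by scanning the devices.

```python
from collections import defaultdict

# Constructed flow records as a passive collector might export them:
# (device, destination IP, destination port, protocol). All values are made up.
LEARNING_FLOWS = [
    ("infusion-pump-07", "10.20.0.5", 443, "tcp"),   # hypothetical pump server
    ("infusion-pump-07", "10.20.0.5", 443, "tcp"),
    ("infusion-pump-07", "10.20.0.9", 123, "udp"),   # time sync
    ("ct-scanner-02", "10.20.1.15", 104, "tcp"),     # DICOM to imaging archive
    ("ct-scanner-02", "10.20.1.15", 104, "tcp"),
    ("ct-scanner-02", "10.20.0.9", 123, "udp"),
]
OBSERVED_FLOWS = [
    ("infusion-pump-07", "10.20.0.5", 443, "tcp"),    # matches baseline
    ("ct-scanner-02", "203.0.113.50", 445, "tcp"),    # new external peer
    ("infusion-pump-07", "10.20.1.15", 104, "tcp"),   # pump using a scanner's path
    ("patient-monitor-11", "10.20.0.5", 443, "tcp"),  # device not in inventory
]

def build_baseline(flows, min_sightings=1):
    """Learn each device's 'normal' peers from traffic seen during a learning window."""
    counts = defaultdict(lambda: defaultdict(int))
    for device, dst, port, proto in flows:
        counts[device][(dst, port, proto)] += 1
    # Keep only peers seen often enough to be treated as routine.
    return {dev: {peer for peer, n in peers.items() if n >= min_sightings}
            for dev, peers in counts.items()}

def find_anomalies(baseline, flows):
    """Return flows from uninventoried devices or to peers outside the baseline."""
    alerts = []
    for device, dst, port, proto in flows:
        if device not in baseline:
            alerts.append((device, dst, port, proto, "unknown device"))
        elif (dst, port, proto) not in baseline[device]:
            alerts.append((device, dst, port, proto, "flow outside baseline"))
    return alerts

def segmentation_allowlist(baseline, device):
    """The learned peers double as the allow-list for that device's enclave."""
    return sorted(baseline.get(device, set()))

if __name__ == "__main__":
    learned = build_baseline(LEARNING_FLOWS)
    for alert in find_anomalies(learned, OBSERVED_FLOWS):
        print("ALERT", alert)
    print("ct-scanner-02 allow-list:", segmentation_allowlist(learned, "ct-scanner-02"))
```

Raising `min_sightings` trades a longer learning window for fewer one-off flows being treated as normal.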
Patients are safe, the integrity of the healthcare network is safe, and hospitals don’t need to find millions of pounds to replace perfectly working devices that manufacturers are not providing patches for.
Luckily next generation AI-based tools, like Cylera MedCommand, automate this entire process, through a progression of asset identification, risk analysis, profiling and improved medical device management. This allows a multitude of existing security and network security systems to work together seamlessly through the automation and orchestration of the Cylera platform - helping to protect patient safety and care.
To find out more about Cylera and Cylera MedCommand, visit us at stand 45 at HETT North on 2nd March 2023.
About the Author
Richard Staynings, an internationally renowned expert in the field of healthcare cybersecurity, serves as Chief Security Strategist for Cylera, a pioneer in the space of medical device security, and is an Adjunct Professor of cybersecurity and health informatics at the University of Denver. Richard has served on various government committees of inquiry into some of the largest healthcare breaches and is a regular presenter at healthcare and security conferences across the world.