Secure Systems Start with Secure Medical Devices: Here’s Why

By Scott Bristol, an exhibitor at the HIMSS Interoperability Showcase™ at the 2018 HIMSS Global Conference & Exhibition; Information Security Manager, Dräger, Inc.

When you think about cybersecurity, what comes to mind? Perhaps things like anti-virus software or people-focused processes to minimize threats. You’re probably also thinking of IT systems, computers, laptops, tablets and smartphones, right? For healthcare, it requires more than that: It encompasses medical devices, too.

Medical device security is a global healthcare concern. Healthcare recently has experienced cyberattacks, including malware, ransomware, social engineering and direct attacks. High-profile cases, such as the “WannaCry” attacks that impacted U.K. and U.S. hospitals, have put the importance of security – especially medical device security – front and center.

Let’s look at the state of cybersecurity in healthcare today. To put it mildly, it isn’t good:

  • More than 50 percent of all organizations have a network security score of “C” or lower (SecurityScorecard)
  • In the last two years, 91 percent of healthcare organizations have had at least one data breach involving the loss/theft of patient data (Ponemon Institute)
  • 75 percent of healthcare organizations were infected with malware between August 2015 and August 2016 (SecurityScorecard)
  • In 2015, 268 breaches resulted in the loss of more than 113 million records (OCR)

Cyberattacks can shut things down in any industry. But with healthcare – which already lags behind when it comes to cybersecurity – a shutdown can be a matter of life or death.

Here’s how devices can be attacked:

  • Web servers can be compromised, putting data at risk; and once a device is infected, it can also impact the entire network of a healthcare organization
  • Database servers pose risks of reverse engineering (external manipulation to access personal information) or SQL injections that can destroy data
  • Application software that is not regularly updated can cause vulnerabilities, not to mention incompatibility with legacy systems
  • Direct access attacks are facilitated by weak or well-known passwords, lack of physical device security and unused USB ports

It goes without saying that access to internal networks can be devastating. Equipment malfunctions put patients at risk and theft of hospital and patient data could have repercussions for years.

Tips for Protecting Your Devices

Now let’s talk about solutions. To combat cyber dangers, there is one adage every healthcare organization should keep in mind: Secure systems start with secure devices.

Where to start? Here are some quick tips:

  • Close unused and insecure ports
  • Remove unneeded software
  • Apply and maintain all third-party updates (not doing this was the main reason for the recent WannaCry attacks)
  • Configure devices to meet industry best practices for security, such as Center for Internet Security (CIS) Benchmarks
  • Integrate security into the design and development of systems and processes using a secure development lifecycle approach
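
As an added illustration of the first tip (this is not part of the original article or any vendor's tooling), the sketch below compares a device's listening sockets with an approved port allowlist and reports anything unapproved, network-reachable listeners first. It assumes a Linux-based device whose `ss -tulnH` output can be collected; the sample output and the allowlist are constructed for the example.

```python
# Constructed sample of `ss -tulnH` output (Linux); collect it on a real device
# with subprocess.run(["ss", "-tulnH"], capture_output=True, text=True).stdout
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      511             [::]:80            [::]:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:2575       0.0.0.0:*
"""

# Hypothetical allowlist for one device class: (protocol, port) -> purpose.
ALLOWED = {("tcp", 22): "vendor maintenance (SSH)", ("tcp", 2575): "HL7 interface"}


def parse_listeners(ss_output):
    """Yield (proto, address, port) for each socket line of `ss -tulnH` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        proto, local = fields[0], fields[4]
        address, _, port = local.rpartition(":")  # keeps "[::]" intact
        if port.isdigit():
            yield proto, address.split("%")[0], int(port)  # drop "%iface" suffix


def is_loopback(address):
    return address.startswith("127.") or address == "[::1]"


def audit(ss_output, allowed):
    """Return unapproved listeners, network-reachable ones first, then by port."""
    findings = []
    for proto, address, port in parse_listeners(ss_output):
        if (proto, port) in allowed:
            continue
        exposure = "local-only" if is_loopback(address) else "network-reachable"
        findings.append((exposure, proto, port, address))
    return sorted(findings, key=lambda f: (f[0] != "network-reachable", f[2]))


if __name__ == "__main__":
    for exposure, proto, port, address in audit(SAMPLE_SS_OUTPUT, ALLOWED):
        print(f"UNAPPROVED {proto}/{port} on {address} ({exposure})")
```

Each unapproved entry is a candidate for closing the port or removing the service behind it; a listener bound only to loopback is lower priority than one reachable from the network.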

According to management consultant and author Peter Drucker, “The best way to predict the future is to create it.” Cyberthreats are not going away. Your organization needs to take steps now to protect your IT systems, your data, your medical devices – and above all, your patients.
