Medical Device Security: Securing IT and OT Healthcare

“First, do no harm.” IT and OT medical device security is a vital preemptive necessity, and it has never been more important than right now.

Modern healthcare leans heavily on Information Technology (IT) and Operational Technology (OT) medical devices. Regrettably, these devices are facing a veritable tsunami of cyber threats that can jeopardize patient safety, privacy, compliance with industry data standards, reputation, and the continuity of healthcare services. There has never been a more urgent need for robust medical device security than right now to protect these vital assets.

Cyber Attacks on Healthcare and Medical Device Security

Cyberattacks on healthcare have risen significantly, driven by the exponential increase in connected medical devices and the rich data they generate. In 2020 alone, the FBI reported a 400% increase in cybersecurity complaints, many targeting healthcare organizations. The Ponemon Institute further highlighted that healthcare breaches cost a minimum of 429 USD per record – the highest among all sectors.

Cybercriminals are increasingly targeting medical devices, which are often the weakest link in the cybersecurity chain due to their inherent vulnerabilities. These devices, whether an insulin pump or a sophisticated MRI scanner, offer lucrative targets due to their critical role in patient care and the sensitive data they handle.

Medical Device Security Responsibility

While IT primarily concentrates on data security, the teams responsible for OT devices prioritize medical device safety, dependability, and accessibility.

Operational Technology (OT) medical devices fall under the strict regulatory purview of the U.S. Food and Drug Administration (FDA) and comparable regulatory bodies worldwide, like the European Medicines Agency (EMA). Consequently, these OT devices’ maintenance activities are typically reserved exclusively for certified clinical engineering staff – who often don’t have insight into the wider connectivity and security of the overall healthcare organization.

Ramifications and Cost of Medical Device Security Failure

The impact of a cybersecurity incident in healthcare goes far beyond financial costs. Cyberattacks can disrupt medical services, delay patient care, and even directly compromise patient safety. For example, the WannaCry ransomware attack of 2017 caused significant disruptions across the UK’s National Health Service, leading to thousands of appointment and operation cancellations.

While it may appear a worst-case scenario, patient harm is a very real possibility. For example, any disruption or modification to the function or alerts of an infusion pump due to a security incident could potentially lead to severe injury or even patient fatality.

Medical device security breaches can also damage trust between patients and healthcare providers. The 2015 breach at the health insurer Anthem (formerly WellPoint) exposed the medical data of nearly 78.8 million people, leading to a $115 million fine. As recently as March 2023, Shields Health Care Group, a Massachusetts-based medical imaging service provider, reported that a cybercriminal had gained unauthorized access to some of its IT systems, affecting over 2 million patients.

Key Regulations and Compliance for Medical Device Security

Given the serious implications, several industry cybersecurity standards aim to ensure the safety and effectiveness of medical devices. The FDA’s “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance document emphasizes a risk-based approach to device design and development.

Similarly, the Health Insurance Portability and Accountability Act (HIPAA) sets out rules for protecting patient data held by medical devices, including access control (such as microsegmentation, minimizing the risk of unauthorized access), audit controls (requiring detailed activity logs and real-time monitoring), integrity (such as file integrity monitoring), and transmission security (further making use of zero trust adoption and secure access to maintain secure transmission protocols).

The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers a set of best practices to manage cybersecurity risks, including those associated with medical device security. Also, ISO/IEC 80001-1:2010 provides guidance on the risk management of IT networks incorporating healthcare devices.

Ensuring the Cybersecurity of Medical Devices

To safeguard medical devices, healthcare organizations should first gain visibility into the devices connected to their network. A comprehensive inventory, complete with each device’s functionalities and its data handling, forms the foundation of an effective cybersecurity strategy. We work with the leading asset visibility and security company, Armis, to provide device visibility and cybersecurity for healthcare organizations around the globe.

Medical device security should be considered from the outset, incorporating security principles in the design phase. This approach includes conducting threat modeling and risk assessments to proactively identify potential vulnerabilities and mitigate them.

Implementing a zero-trust security model, which assumes any device could potentially be compromised, can significantly enhance the security posture. It involves strictly controlling access based on least privilege principles, routinely verifying identities, and segmenting networks to contain breaches. Routine security assessments and vulnerability scanning of medical devices, alongside timely patch management, can help identify and fix vulnerabilities before they are exploited. Moreover, educating staff about cybersecurity best practices and social engineering tactics can prevent incidents due to human error.
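The inventory-first visibility described above and the zero-trust, least-privilege segmentation described here can be tied together in a single check. The following is an added example written for this page; it is not TrueFort's or Armis's code. It assumes a constructed device inventory keyed by IP address, a per-device-class allow-list of (destination class, port) pairs as the segmentation policy, and a constructed list of observed network flows. Any flow that is not explicitly permitted is reported as a policy violation (deny by default), and any flow involving an address absent from the inventory is reported separately as a visibility gap, since a device that is not inventoried cannot be placed in a segment at all.

```python
"""Inventory-driven microsegmentation audit (added example, not TrueFort's or Armis's code).

All device names, addresses, classes, ports and flows below are constructed for
illustration. The policy is deny-by-default: a flow is allowed only if the source
device's class explicitly permits the destination class and port.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    ip: str
    name: str
    device_class: str   # e.g. "infusion_pump", "pump_server", "ehr", "workstation"
    owner: str          # "OT" (clinical engineering) or "IT"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Constructed inventory: the "comprehensive inventory" the article treats as the foundation.
INVENTORY: Dict[str, Device] = {d.ip: d for d in [
    Device("10.20.1.11", "pump-icu-01", "infusion_pump", "OT"),
    Device("10.20.1.12", "pump-icu-02", "infusion_pump", "OT"),
    Device("10.20.5.10", "pump-mgmt-01", "pump_server", "OT"),
    Device("10.30.2.20", "ehr-app-01", "ehr", "IT"),
    Device("10.40.7.33", "nurse-ws-07", "workstation", "IT"),
]}

# Least-privilege segmentation policy (constructed): source class -> allowed (destination class, port).
# Anything not listed is denied.
POLICY: Dict[str, Set[Tuple[str, int]]] = {
    "infusion_pump": {("pump_server", 443)},
    "pump_server":   {("infusion_pump", 443), ("ehr", 443)},
    "workstation":   {("ehr", 443)},
    "ehr":           set(),   # the EHR initiates nothing toward clinical devices
}


def evaluate_flow(flow: Flow, inventory=INVENTORY, policy=POLICY) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'unknown_device'."""
    src = inventory.get(flow.src_ip)
    dst = inventory.get(flow.dst_ip)
    if src is None or dst is None:
        missing = flow.src_ip if src is None else flow.dst_ip
        return "unknown_device", f"{missing} is not in the inventory"
    allowed = policy.get(src.device_class, set())
    if (dst.device_class, flow.dst_port) in allowed:
        return "allow", f"{src.device_class} -> {dst.device_class}:{flow.dst_port} permitted"
    return "deny", f"{src.device_class} -> {dst.device_class}:{flow.dst_port} not in policy"


def audit_flows(flows: List[Flow], inventory=INVENTORY, policy=POLICY) -> Dict[str, List[str]]:
    """Group flow descriptions by verdict; the 'deny' and 'unknown_device' buckets go to the SOC."""
    report: Dict[str, List[str]] = {"allow": [], "deny": [], "unknown_device": []}
    for f in flows:
        verdict, reason = evaluate_flow(f, inventory, policy)
        report[verdict].append(f"{f.src_ip}->{f.dst_ip}:{f.dst_port}/{f.proto} {reason}")
    return report


# Constructed flow sample, as a flow collector or firewall log might yield it.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.20.5.10", 443),   # pump to its own management server: expected
    Flow("10.40.7.33", "10.30.2.20", 443),   # nurse workstation to EHR: expected
    Flow("10.40.7.33", "10.20.1.11", 443),   # workstation reaching a pump directly: denied
    Flow("10.20.1.12", "10.30.2.20", 443),   # pump talking to the EHR directly: denied
    Flow("10.99.0.5",  "10.20.5.10", 443),   # source not in inventory: visibility gap
]

if __name__ == "__main__":
    for verdict, lines in audit_flows(SAMPLE_FLOWS).items():
        for line in lines:
            print(f"[{verdict}] {line}")
```

Running the block prints two allowed flows, two denied flows and one unknown-device finding. In practice the inventory would be populated from an asset discovery source and the flows from a collector, but the deny-by-default evaluation and the separate "not inventoried" bucket are the parts that carry the zero-trust and visibility points made in the text.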

The Future of Medical Device Security

The Hippocratic Oath, notably the principle of “First, do no harm,” holds significant relevance in the realm of medical device cybersecurity. Much like how a medical practitioner strives to avoid causing harm to a patient, in the future, cybersecurity efforts must prioritize the safety and well-being of patients above all else. Any compromise in the security of a medical device could potentially lead to malfunctions, incorrect readings, or unauthorized access to sensitive patient data, which in turn could result in physical harm to a patient or compromise their privacy.

Securing IT and OT medical devices is not optional, but a critical necessity. Cybersecurity measures must keep pace as healthcare delivery becomes increasingly digitized and networked.

By embracing robust security standards, best practices, and a proactive, risk-based approach to cybersecurity, it’s hoped that healthcare organizations can secure their medical devices and protect the trust and well-being of the patients they serve.
