Medical Device Security: The Continued Concern

By Susan Biddle | September 19, 2016

During the 1990s, investment in medical device research and development more than doubled. Fast-forward to today, and the United States reportedly boasts the largest medical device market in the world (valued at around $148 billion). This charge into the future is showing no signs of slowing down, as its value is expected to rise to $155 billion by 2017, fueled by the industry’s desire to find better solutions for diagnosing, treating, or managing medical issues.

As the healthcare industry moves forward, its professionals must remember that medical device security is critical - not only affecting an organization's safety, but also potentially a patient’s health. Let’s take a look at the continued security concerns that exist around medical devices and what manufacturers and healthcare institutions can do to prevent harmful attacks.

The Battle Between Innovation and Security

The tension between innovation and security is a dilemma that today’s healthcare industry faces continually. As new medical device ideas and innovations come to fruition, manufacturers and IT professionals are being tasked with weighing the risks vs. the rewards.

For example, wirelessly connecting a pacemaker to a hospital’s network might provide a clear view into the performance of the device, but it could also open the door for potentially life-threatening hacks. The FDA is tasking manufacturers and hospitals alike to address this balance and ensure the rewards outweigh the risks prior to bringing IP-enabled devices to the market.

The Potential Impacts of an Attack

After medical devices are released onto the market, there’s a chance they could be hacked if proper security measures haven’t been put in place by the manufacturers or the hospitals that are using them. The wide range of endpoints, whether heart monitors or insulin pumps, transfers data directly to the networks and systems that cybercriminals frequently target. Cybercriminals can use these entry points to steal sensitive patient data (like social security numbers) and even take control of the devices themselves, which poses an extreme hazard to patient safety.

For example, the University of Southern Alabama put medical device security vulnerabilities on full display a year ago, when researchers successfully hacked a wireless patient simulator’s pacemaker and then killed the simulator. The research project was an eye-opening revelation of just how dangerous it can be to have medical devices connected to unsecured networks.

Manufacturers’ Roles in Medical Device Security

According to the FDA, medical device manufacturers are accountable for understanding the risks and hazards that could potentially be exposed in worst-case scenarios. These risks are now, more than ever, being tied to cybersecurity. Manufacturers need to have mitigations in place to protect against patient security breaches and ensure the devices will work as intended, even under extreme circumstances.

The FDA also suggests that manufacturers look into utilizing cybersecurity tools to rate their devices’ vulnerabilities based on severity. Some things manufacturers should keep in mind when running tests include the complexity of the attack, the scope of the vulnerability, and its impact on integrity. The main point for manufacturers to understand, and put to work, is that simply creating devices around convenience and moving the healthcare industry further into the technological future is not enough. Medical devices also need to be designed with security as a top-of-mind concern.

Healthcare Providers’ Roles in Medical Device Security

Healthcare institutions that have older medical devices, or have implemented new connected medical devices, need to be just as vigilant as the manufacturers themselves when it comes to security - and HIPAA will hold them accountable. Despite the growth in the number of connected medical devices, research shows that the vast majority of healthcare security professionals have not properly prepared their networked environments for the risks these devices pose. The reality is that an abysmal 9.6% of respondents from a recent IDC Health Insights survey said they have integrated medical devices into their security strategy.

At the most basic level, healthcare providers need to educate themselves and others within the organization about the evolution of threats, and acknowledge that traditional security measures are no longer enough. New techniques and advanced security solutions need to be considered in the effort to slow down cyber-attacks.

"We try to preach that a lot. Be aware of your surroundings. Understand what you are doing and who you are seeing in front of you, in your email, and when you're online. Security is everybody's responsibility," emphasizes a security engineering manager interviewed for the IDC Health Insights cyberthreats report.

What Healthcare Institutions Can Do: Outside-In and Inside-Out Protection

At a more advanced level, healthcare institutions should consider investing in both outside-in and inside-out protection technologies to establish an integrated approach.

Conventional firewalls alone simply don’t get today’s job done when it comes to protecting from the outside in. To fight today’s sophisticated threats, healthcare organizations must adopt an integrated security strategy that uses multiple technologies and threat intelligence applied across the attack cycle and throughout the healthcare system. An advanced threat protection (ATP) framework can help prevent threats based on known threats, detect unknown threats, and put a halt to damage by responding in a timely manner to potentially harmful incidents. This approach combats threats from the network’s core to the endpoint user device, and even into the cloud, protecting valuable health data and intellectual property.

When looking for inside-out protection, especially for medical devices, healthcare institutions should consider investing in internal segmentation firewalls, or ISFWs. This new class of firewalls intelligently segments internal networks, making it more difficult for cybercriminals to access valuable health IT assets. While edge security might keep the outer layer secure, ISFWs keep the individual assets inside the network more secure. In addition, ISFWs ensure continuous operations, limit the risk of publicly accessible networks (very important in today’s healthcare industry), provide an additional layer of security, restrict the east-to-west movement of an attack should it get through the perimeter defenses, and can quickly isolate infected devices or network segments.

Read this white paper for more information about outside-in and inside-out protection strategies for healthcare. 

Let’s get a conversation going on Twitter! Do you think today’s hospitals and healthcare institutions are successfully defending against attacks on medical devices?