As technology continues to transform the way healthcare is delivered, the industry is burdened by the growing cybersecurity risks inherent in the expansion of connected devices. Understanding that each connected device opens another pathway for threat actors, it’s incumbent upon device manufacturers to keep security foremost throughout the development life cycle.
The question is, how can manufacturers ensure the security of the devices they create? Furthermore, what can healthcare companies do to mitigate the risks inherent in the future of healthcare cybersecurity?
Taking the Pulse of Health Care Cybersecurity Today
Because they are so often the target of cyberattacks, healthcare organizations took a beating once again in 2018. We saw some significant data breaches last year, such as the attack on Med Associates where more than 270,000 patient records were breached.
New research from Clearwater found that the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage and excessive user permissions — which, combined, account for nearly 37 percent of all critical risk scenarios. Credential misuse continues to threaten enterprise security across all sectors, including healthcare.
“When malicious actors gain access to accounts — whether by weak passwords or phishing attacks — they are given the literal keys to the kingdom,” said Justin Jett, director of audit and compliance for Plixer.
When it comes to medical devices, however, cybersecurity is making progress. According to Leon Lerman, CEO of Cynerio, “We are currently in the increased awareness state where healthcare providers, the Food and Drug Administration (FDA), the Department of Health and Human Services (HHS) and device manufacturers are starting to be more active in the space.”
Moving Toward a More Secure Future
The good news is that healthcare providers at hospitals are starting to include cybersecurity requirements in their procurement process. In fact, some are no longer depending on the medical device manufacturers and instead actively looking for dedicated device security solutions.
According to Lerman, the FDA and Department of Homeland Security (DHS) recently launched a joint initiative to “increase coordination in dealing with threats related to medical devices.” In addition, HHS released cybersecurity best practices to help healthcare organizations manage threats and protect patients from internet of things (IoT)-based attacks and other threats.
Manufacturers have not progressed alongside hospitals, though there are more conversations about strengthening the security of their devices, taking part in cybersecurity testing and streamlining the patching process. In reality, though, it’s only been within the last decade that these conversations have been taking place, and according to Anura Fernando, chief innovation architect at UL, medical devices can take at least that long to develop and get into the market.
“If you couple that with the fact that many devices are used by hospitals for 20–25 years, you can see that there is a major legacy systems issue, with many devices lacking security controls at the device level. Based on that timing offset, it could easily be five to 10 years before we see the complete turnover of equipment in use by hospitals that didn’t even have cybersecurity considered during design,” Fernando explained.
The Challenges of Securing Connected Devices
Legacy systems present myriad cybersecurity challenges, but there are other obstacles to securing medical devices. One that is closely related to legacy equipment is that of component obsolescence.
“When you consider the lengthy development timelines associated with most devices, it can easily be the case that security-related components such as operating systems and microcontrollers cease to be supported by the component vendor soon after a medical device reaches the market,” Fernando said.
As a result, maintenance activities such as security patches are no longer feasible for hospitals. Even when vendors do release security patches, the time and cost it takes to validate these updates on devices is onerous.
“Even once this validation process is complete, it can be a daunting task to manage the deployment of a patch into the highly dynamic operational life cycle phase of a device, which may be in process of performing critical functions like life support,” said Fernando.
How Health Care Organizations Can Mitigate Security Risks
You can’t protect what you can’t see, so proper visibility into connected devices and their ecosystem is critical. Once you have visibility, understand the risk that each of these devices poses and take necessary proactive measures to minimize this risk, such as network segmentation, patching and removing devices from networks.
By monitoring device behavior and understanding what devices do in the context of medical workflows, you can detect anomalies when devices behave suspiciously. And, of course, early detection enables quicker response.
Strengthening password requirements can help you reduce risk, but when malicious actors gain a foothold, organizations need network traffic analytics to understand where the attack started and determine whether it has spread.
“By looking at how credentials are used throughout the network and creating a baseline of normal usage, network and security teams can be alerted to anomalous credential use and stop attacks as they happen,” Jett said.
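The baselining approach described above can be sketched as follows. This is an added example, not code from Plixer or any product named in the article; the account names, host names, event tuple layout and the two-hour tolerance are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed authentication events: (account, source host, destination host, hour of day).
BASELINE_EVENTS = [
    ("nurse_a", "ws-ward3", "ehr-app", 8),
    ("nurse_a", "ws-ward3", "ehr-app", 14),
    ("nurse_a", "ws-ward3", "pump-gw", 9),
    ("svc_pacs", "pacs-srv", "img-store", 2),
    ("svc_pacs", "pacs-srv", "img-store", 13),
    ("biomed_b", "ws-biomed", "pump-gw", 10),
]
NEW_EVENTS = [
    ("nurse_a", "ws-ward3", "ehr-app", 9),      # matches the baseline
    ("nurse_a", "ws-ward3", "ehr-app", 3),      # known path, unusual hour
    ("svc_pacs", "ws-ward3", "img-store", 13),  # service account used from a workstation
    ("biomed_b", "ws-biomed", "ehr-app", 11),   # destination never used by this account
    ("temp_c", "ws-lobby", "ehr-app", 10),      # account with no history at all
]

def build_baseline(events, hour_slack=2):
    """Record, per account, the source/destination pairs and hours seen as normal."""
    paths = defaultdict(set)
    hours = defaultdict(set)
    for account, src, dst, hour in events:
        paths[account].add((src, dst))
        # Tolerate small shifts around observed hours (hour_slack is an assumption).
        for h in range(hour - hour_slack, hour + hour_slack + 1):
            hours[account].add(h % 24)
    return paths, hours

def find_anomalies(baseline, events):
    """Return (event, reasons) for every event that deviates from the baseline."""
    paths, hours = baseline
    alerts = []
    for event in events:
        account, src, dst, hour = event
        if account not in paths:
            alerts.append((event, ["no baseline for account"]))
            continue
        reasons = []
        if (src, dst) not in paths[account]:
            reasons.append("new source/destination pair")
        if hour not in hours[account]:
            reasons.append("unusual hour")
        if reasons:
            alerts.append((event, reasons))
    return alerts

if __name__ == "__main__":
    for event, reasons in find_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(event, "->", ", ".join(reasons))
```

In practice the baseline window has to be long enough to cover shift rotations and scheduled service jobs, otherwise routine activity shows up as alerts.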
Furthermore, all of the different stakeholders in the healthcare value chain need to be invested in securing the future of connected healthcare. Since this is a widespread effort across the healthcare environment, industry leaders should develop guidelines and standards to evaluate whether products and devices meet cybersecurity standards.