Securing Medical Devices: Why It's More Important Than Ever

April 28, 2022



Securing medical devices is more important now than ever before. Hackers are increasingly targeting medical devices, hospitals, and private practices due to the high volume of PHI and e-PHI stored there. Read on to see the dangers medical devices face in 2022 and what your organization can do to stop these threats. 

What medical devices are being targeted? 

Ventilators, insulin pumps, defibrillators, and cardiac pacemakers are just a few examples of life-saving medical devices being targeted. MRI and CT scanners, infusion pumps, clinic programmers, and other monitoring devices are connected to the wider hospital network in order to function and help save lives. Security cameras, RFID readers, and other devices in a hospital or healthcare facility must likewise be protected against cyberattacks and security breaches. 

Tom Rudolph at Iron Range Cyber comments that medical devices represent one of the primary vulnerabilities in today's healthcare IT environments. Drawing on his experience as a D.C.-based cybersecurity consultant, he advises healthcare companies to take this threat seriously. 

What is PHI and e-PHI?

According to the HIPAA Journal, protected health information (PHI) is "any health information that may be linked to an individual." This covers information used in the delivery of healthcare, payment for healthcare, and healthcare operations. PHI stored electronically, whether on a hard disk, server, thumb drive, or other device, is known as e-PHI.

Targeted medical devices fall into several broad categories:

Consumer health devices such as Fitbits, Apple Watches, other smartwatches, and similar connected consumer devices are at risk of breach. These devices hold a treasure trove of valuable information, including PHI such as weight, height, activity, heart rate, and more.

Then there are the devices patients depend on to live: portable insulin pumps, continuous glucose monitors, pacemakers, defibrillators, and similar devices. Diabetics and cardiac patients need these devices to function consistently or risk dangerous medical consequences. HIPAA regulatory exposure, the loss of sensitive PHI, the risk to patients' lives, and reputational damage to the healthcare institutions, organizations, and IoT ecosystem partners involved are just a few of the consequences of a medical device breach.

Hospital devices such as MRI machines and CT scanners must remain operational and connected to the hospital network. If these devices malfunction or are hacked, hospitals lose precious time treating patients and run the risk of a HIPAA violation. Much of this equipment has carried known vulnerabilities for years; recently, both attacks exploiting these flaws and awareness of them have increased. The US Food and Drug Administration (FDA), for example, recently publicized another medical device vulnerability, this time involving a widely used infusion pump.

WannaCry Ransomware Strikes

The first known ransomware attack on networked medical equipment occurred in May 2017, when the global WannaCry outbreak compromised radiology devices in several hospitals. In a separate incident, cancer patients receiving radiation therapy at four healthcare facilities had to postpone appointments after a breach of a third-party vendor's oncology cloud service caused a software outage.

These examples show how cyberattacks and data breaches can have a significant impact on the healthcare industry, which is heavily reliant on connected medical equipment. PHI captured and stored on these connected devices must be secured, and so must PHI in transit: data that moves through cloud and server-based systems is exposed at every hop unless it is encrypted and access to it is controlled.

For a medical device manufacturer (MDM) with thousands of employees and customers worldwide, meeting these strict standards is an ambitious goal. PHI is an essential part of healthcare operations and an enticing target for attackers, and the laws that have been enacted reflect this reality. As a result, MDMs must make safeguarding patient data and complying with all applicable privacy requirements a top priority.

Medical Devices are Connected

Modern medical equipment is not isolated: devices are linked locally and via the Internet. Built-in sensors in embedded medical equipment capture data that may be sent over the Internet and to other hardware. These devices and their data make up the Internet of Medical Things (IoMT), which supports the diagnosis, monitoring, and treatment of patients over the Internet. When these devices share one flat network, a successful compromise of any one of them gives an attacker a foothold from which every other device on that segment can be reached.
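To make the flat-network point concrete, here is an added example (not code from the original article) that models a small hospital device inventory and computes the blast radius of one compromised device under three network designs. The inventory, the VLAN plan, and the firewall policy are constructed and hypothetical; the model assumes traffic within a VLAN is unrestricted and traffic between VLANs is allowed only by an explicit rule.

```python
"""Blast-radius check for a connected-device inventory.

Added example, not code from the original article. The inventory, VLAN plan
and firewall policy below are constructed and hypothetical. Assumptions:
traffic within a VLAN is unrestricted (no private-VLAN isolation), and
traffic between VLANs is permitted only by an explicit (src, dst) rule.
"""
from collections import deque

# Constructed inventory: (device name, device class)
INVENTORY = [
    ("ct-scanner-1", "imaging"),
    ("mri-1", "imaging"),
    ("infusion-pump-7", "infusion"),
    ("nurse-workstation-3", "workstation"),
    ("lobby-camera-2", "camera"),
    ("pacs-server", "server"),
]

# Device classes whose compromise has direct patient-safety impact
CLINICAL_CLASSES = {"imaging", "infusion"}

# A flat network: every class lands in the same VLAN, so no firewall rules apply
FLAT_VLANS = {dclass: 10 for _, dclass in INVENTORY}
FLAT_POLICY = set()

# A segmented network: one VLAN per class, and only device-to-server flows allowed
SEGMENTED_VLANS = {"imaging": 20, "infusion": 30, "workstation": 40,
                   "camera": 50, "server": 60}
SEGMENTED_POLICY = {(20, 60), (30, 60), (40, 60)}

# Same segmentation, plus a "remote maintenance" rule letting the server reach imaging
OVERPERMISSIVE_POLICY = SEGMENTED_POLICY | {(60, 20)}


def reachable_from(start, inventory, policy, vlans):
    """Return the set of devices an attacker holding `start` can reach.

    Reachability is followed transitively (breadth-first), because a pivot
    through an intermediate host is exactly how lateral movement works.
    """
    class_of = dict(inventory)
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        src = vlans[class_of[cur]]
        for name, dclass in inventory:
            dst = vlans[dclass]
            if name not in seen and (src == dst or (src, dst) in policy):
                seen.add(name)
                queue.append(name)
    seen.discard(start)
    return seen


def mixed_vlans(inventory, vlans):
    """Flag VLANs where clinical devices share a segment with non-clinical hosts."""
    classes_by_vlan = {}
    for _, dclass in inventory:
        classes_by_vlan.setdefault(vlans[dclass], set()).add(dclass)
    return {vlan: classes for vlan, classes in classes_by_vlan.items()
            if classes & CLINICAL_CLASSES and classes - CLINICAL_CLASSES}


if __name__ == "__main__":
    cases = [
        ("flat, camera compromised", "lobby-camera-2", FLAT_POLICY, FLAT_VLANS),
        ("segmented, camera compromised", "lobby-camera-2", SEGMENTED_POLICY, SEGMENTED_VLANS),
        ("segmented, workstation compromised", "nurse-workstation-3", SEGMENTED_POLICY, SEGMENTED_VLANS),
        ("over-permissive, workstation compromised", "nurse-workstation-3", OVERPERMISSIVE_POLICY, SEGMENTED_VLANS),
    ]
    for label, start, policy, vlans in cases:
        print(f"{label}: {sorted(reachable_from(start, INVENTORY, policy, vlans))}")
    print("flat VLANs mixing clinical and non-clinical:", mixed_vlans(INVENTORY, FLAT_VLANS))
    print("segmented VLANs mixing clinical and non-clinical:", mixed_vlans(INVENTORY, SEGMENTED_VLANS))
```

On the flat design a compromised lobby camera reaches the scanners, the infusion pump, the workstation, and the PACS server; on the segmented design it reaches nothing, and a compromised workstation reaches only the server it is allowed to talk to. The third case is the one worth remembering: a single server-to-imaging rule added for remote maintenance turns the server into a pivot, so the same workstation compromise now reaches both scanners. The `mixed_vlans` check is the inventory-level version of the same question, flagging any segment where clinical equipment sits beside general-purpose hosts.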

Security vulnerabilities will only increase as medical devices become more connected and more dependent on one another to function. The continual obligation to keep patient data safe across an organization requires a well-organized risk management strategy. Each healthcare organization must inventory and understand its IT assets and medical equipment, the security controls already in place, and how to use them in its role as guardian of patient data.