Medical Device Cybersecurity: It Takes a Village

Medical Device Cybersecurity: It Takes a Village

It seems that not a month goes by without a cybersecurity incident that seriously impacts a community healthcare provider.  This may be a Phishing scheme that results in tens of thousands of patient medical records becoming compromised, or it can be ransomware attack where the system storing the EMR becomes encrypted, potentially crippling the delivery of care.  In an extreme example, the California provider Wood Ranch Medical decided to close its doors at the end of the year after hackers completely wiped computer systems and backup drives.  The challenge is exacerbated by implementation of the Internet of Things (IoT), where hospitals now have 10 to 15 connected devices per bed.  These devices do not have firewalls or the ability to detect malware.  For example, 48 UK hospitals were significantly impacted by the WannaCry ransomware attack in May 2017.  Vital medical device equipment such as MRI scanners and X-ray machines had to be taken offline, resulting in the cancellation of many patient procedures and appointments.

Many health IT executives have operated under the false impression that their medical practice or hospital are not significant enough to become a target.  Unfortunately, organizations can now become collateral damage of indiscriminate attacks that have been characterized as acts of war. A prime example is the NotPetya cyberattack that occurred in June of 2017.  On the surface, this appeared to be a variation of the Petya ransomware that was first discovered in 2016.  This strain was designed to spread across computer networks at an extraordinarily rapid rate.  One network of a large Ukrainian bank was wiped out in 45 seconds and a portion of a major Ukrainian transit hub was down in under 16 seconds.  Worse yet, the virus was a data wiper by design.  There was no ransom that could be paid to recover the encrypted information.  The financial losses were enormous:  $870 million for Merck Pharmaceutical company, $400 million for FedEx, $384 million for Saint-Gobain French Construction company, $300 million for Maersk Danish shipping company, and the list goes on.  The White House estimated the global impact of the virus topped $10 billion.

So, can this be viewed as a health IT problem as opposed to a Medical Device problem? 

Well, not really.  In the case of Notpetya, the virus takes advantage of a vulnerability in Windows that permits unauthorized code to run on the machine.  Prior to the outbreak, Microsoft had released a patch that closed the security hole in the operating system.  Unfortunately, the virus leverages shared network credentials from an unpatched machine in order to gain access to other machines on the network, whether the OS was patched or not.  Networks were impervious to the virus only if the latest security patches from Microsoft were fully deployed on each machine in the network.  Any machine could serve as the potential access point to bring down the entire network, whether a Medical Device or otherwise.  Healthcare networks were particularly vulnerable given the tendency to maintain IT equipment for 15+ years when the duration of operating system support is typically under 10 years.  The challenges faced by manufacturers and healthcare facilities alike are very similar from the standpoint of cybersecurity.  Medical Device and Health IT Joint Security Plan released by the Healthcare and Public Health Sector Coordinating Council in January 2019 clearly states that cybersecurity is a shared responsibility across the wide range of healthcare stakeholders.

Pages: First |1 | 2 | 3 | ... | Next → | Last