New innovations in healthcare bring new possibilities for delivering care to patients, but as medical devices are added to healthcare delivery organizations' (HDOs') ecosystems daily, the question remains: how do we protect our increasingly interconnected world from cyberattacks? KPMG's advisory on medical devices predicts that annual sales for the medical device industry will reach nearly $800 billion by 2030. These projections reflect increasing demand for new and innovative technologies and services as lifestyle diseases become more prevalent and economic development unlocks potential in emerging markets. These devices will undoubtedly change the way patients receive care, but they also introduce new safety and cybersecurity risks.
Medical device cybersecurity refers to the practices and technologies HDOs use to protect their Internet of Medical Things (IoMT) and other connected medical devices and software from unauthorized access, theft of sensitive data, harm to patient safety, and disruption of critical services. Medical devices such as implantables, diagnostic equipment, and hospital information systems are increasingly connected to the internet, making them reachable by, and vulnerable to, cyberattacks. Medical device cybersecurity is a critical concern because attacks on medical devices can not only compromise protected health information (PHI) but also endanger patient safety by interfering with care delivery. The healthcare industry has long been a target of cyberattacks because of the vast amount of sensitive health information it holds; now the addition of highly connected medical devices has expanded the attack surface for cybercriminals looking to disrupt patient care in pursuit of larger ransom payments.
Hundreds of thousands of life-sustaining or life-supporting medical devices such as patient monitors, infusion pumps, ventilators, and imaging modalities reside in hospitals across the United States, and many of them are accessible via wireless technologies. Digital transformation and the interconnectivity brought by these devices have played a transformational role in healthcare, but they have also left HDOs exposed to the risk of being hacked. A successful attack on a medical device could result in serious harm to patients, including unauthorized access to their PHI, modification of treatment plans, or even physical injury. The Ponemon research study on cyber insecurity in healthcare further supports this rising issue, outlining the cost and the impact on patient safety and care. The study states: “fifty percent of respondents say their organizations had an attack against its supply chain. Seventy percent of those respondents say it disrupted patient care. The consequences included the delay of procedures and tests that resulted in poor outcomes such as an increase in the severity of an illness (54 percent). Another consequence was a longer length of stay (51 percent), and twenty-three percent of respondents say there was an increase in mortality rate”. Although the cost of cyberattacks has historically been measured in financial terms, this report shows that financial loss is no longer the only repercussion of these targeted attacks. Organizations must now broaden their focus from protecting the confidentiality, integrity, and availability of patient data to protecting patient safety from cyber risk as well.
Cybersecurity regulations and standards have also become essential to the protection of medical devices. As established above, medical devices are vital tools in healthcare, at times providing lifesaving care to patients. By meeting industry regulations and standards, HDOs and medical device manufacturers reduce the risk that an attack interrupts patient care. Here are a few of the most important medical device regulations and standards in the industry:
HHS Section 405(d): The Department of Health and Human Services has released a Cybersecurity Framework Implementation Guide to establish a risk-based framework for a systematic approach to risk reduction. 405(d) includes a deeper set of considerations around medical device cybersecurity in addition to its existing focus on consensus-based, industry-led guidelines, best practices, methodologies, procedures, and processes that reduce cybersecurity risk in healthcare environments.
HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that establishes strict standards for the security and privacy of protected health information (PHI). Although HIPAA does not explicitly address medical device security, it applies to any medical device that stores, processes, or transmits PHI: the HIPAA Security Rule requires appropriate administrative, physical, and technical safeguards for data stored or processed on such devices.
GDPR: Similar to HIPAA, the General Data Protection Regulation (GDPR) is a comprehensive privacy and data protection law in the European Union (EU). It has a significant impact on the security and privacy practices related to medical devices that process personal data. Adhering to GDPR requirements helps protect patients' privacy, promotes transparency, and enhances security.
NIS2: The NIS2 Directive is the revised version of the EU's Network and Information Security (NIS) Directive, introduced to address the limitations of the original NIS1 by providing legal measures that raise the cyber-resilience and incident response capacities of businesses operating in the EU. NIS2 affects medical device manufacturers by requiring them to establish a cybersecurity risk management process, an incident reporting process, and an information sharing process to strengthen their overall cybersecurity posture.
SOCI: The Security of Critical Infrastructure (SOCI) Act creates a framework for the regulation and protection of Australia's critical infrastructure sectors. Its objective is to ensure that HDOs and other critical infrastructure organizations take a holistic and proactive approach to identifying, preventing, and mitigating risks from all hazards. Requirements include registration of critical assets, mandatory cybersecurity incident reporting, and implementation of a risk management program, in response to the recent rise in cyberattacks and to protect the integrity of Australia's essential services.
Industry regulations and standards play a crucial role in ensuring the safety and security of medical devices. Without proper security measures in place, organizations are more vulnerable to attacks, unauthorized access, and data breaches, leading to compromised patient safety, privacy violations, or even physical harm to those relying on these devices for care. Although standards and regulations can be complex and subject to frequent updates, they are essential to ensuring the security, integrity, and safety of medical devices.
In the next section, we outline examples of how an attack could compromise medical devices to cause the kind of harm discussed above. These examples further emphasize that HDOs need a strong medical device security strategy, and compliance with industry standards and regulations, to anticipate and address cybersecurity risks and to safeguard patients and their PHI.
In this video, Claroty's Team82 demonstrates an attack on a healthcare monitoring system. During the demonstration, Team82 shows how an attacker could gain access to a patient monitor in order to fake vital signs. By accessing the patient monitor remotely and injecting code into the device's logic, the team was able to alter the vital sign readings the device displayed. This type of attack, and the resulting alteration, would impair a physician's ability to diagnose and treat a patient. Although the attack was simulated, it shows the effects that a ransomware attack can have on an embedded device and what it takes to recover from the breach. As the team emphasizes, healthcare is one of the most targeted verticals within critical infrastructure, and having a strong medical device security strategy in place is paramount to protecting it.
A real-world example that unfortunately echoed Team82's demonstration occurred in Des Moines, Iowa, and affected the MercyOne healthcare system. This ransomware attack caused hospital-wide outages at multiple health systems and, most notably, affected a 3-year-old who was receiving care after tonsil surgery. According to this NBC article, MercyOne's computer system that automatically calculated medicine doses stopped working, and the resident doctor mistakenly gave the child five times the prescribed amount of pain medicine. Thankfully, the child made a full recovery, but the effects of this attack should serve as a warning to healthcare providers about the importance of protecting their medical devices and the systems that support them. As these examples show, the cyber risks facing healthcare systems are growing considerably, and HDOs need a proactive approach to healthcare cybersecurity in order to ensure patient safety and medical device effectiveness.
As we now understand, a breach of medical devices goes far beyond privacy concerns, with the potential to cause physical harm to patients, disrupt medical care, and worsen health outcomes. Given the severity of these safety and security concerns, there have been some promising advancements in government regulation of connected medical devices. Recent provisions released by the House and Senate appropriations committees in the Omnibus Appropriations Bill require vendors submitting medical devices to the Food and Drug Administration (FDA) to meet a number of security requirements, including a process for addressing post-market vulnerabilities within 90 days and out-of-band fixes for critical bugs. This legislation acknowledges that patient safety can hinge on the security of connected medical devices, and it is a step in the right direction toward solving the medical device security challenge.
In order to comply with government regulations and policies, and to further address the medical device security challenge, HDOs can partner with a cyber-physical systems security vendor, like Claroty, to gain visibility across their IoMT ecosystem, assess and mitigate risks, detect and respond to threats, and prevent future breaches. Medigate by Claroty has a deep understanding of proprietary device communication protocols and clinical workflows across medical device vendors and models, providing HDOs with unmatched visibility. Medigate also applies clinical domain expertise to detect activity that falls outside a device's intended clinical workflow, generating specific rather than generic alerts and minimizing false positives. With these detection capabilities, HDOs know exactly what and with whom their devices can and cannot communicate, and under what conditions, taking the guesswork out of risk assessment. Finally, Medigate supports HDOs' medical device security strategy with prevention techniques based on accurate device identification with clinical context, enabling effective microsegmentation, security policies, and VLAN assignments.
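To make the detection and segmentation idea above concrete, the following is an added illustration written for this page; it is not Medigate or Claroty code and does not reflect how their product works internally. It assumes a per-device-type communication profile (which peer roles, ports and protocols a device legitimately uses in its clinical workflow), an inventory mapping addresses to device roles, and a handful of flow records; every address, port, role name and flow below is constructed for the example. The same profiles drive two things: flagging flows that fall outside a device's expected clinical communications, and deriving an allowlist-style segmentation policy for each device.

```python
"""Allowlist-based detection of out-of-scope medical device traffic, plus
derivation of a per-device segmentation policy from the same profiles.
Added example for illustration only; all names, addresses, ports and flow
records are constructed and do not describe any real product or network."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    """A communication a device is expected to initiate in its workflow."""
    role: str            # logical role of the remote system, e.g. "central-station"
    port: int            # destination port on the peer
    proto: str = "tcp"


# Assumed clinical profiles: a patient monitor streams to its central station
# and syncs time; an infusion pump only talks to its drug-library/pump server.
PROFILES = {
    "patient-monitor": {Peer("central-station", 2575), Peer("ntp-server", 123, "udp")},
    "infusion-pump": {Peer("pump-server", 443)},
}

# Constructed inventory: address -> device type or server role.
INVENTORY = {
    "10.10.1.21": "patient-monitor",
    "10.10.1.22": "patient-monitor",
    "10.10.2.40": "infusion-pump",
    "10.20.0.5": "central-station",
    "10.20.0.9": "pump-server",
    "10.20.0.2": "ntp-server",
    "10.30.7.77": "workstation",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify_flow(flow, inventory=INVENTORY, profiles=PROFILES):
    """Return None if the flow is within clinical scope, else an alert reason.

    Outbound flows from a profiled device must match an allowed (peer role,
    port, proto) exactly.  Inbound flows to a profiled device may only come
    from a role named in its profile; anything else (e.g. a workstation
    probing SSH on a monitor) is flagged.  Flows that touch no profiled
    device are out of scope for this detector."""
    src_role = inventory.get(flow.src, "unknown")
    dst_role = inventory.get(flow.dst, "unknown")
    if src_role in profiles:
        if Peer(dst_role, flow.dport, flow.proto) in profiles[src_role]:
            return None
        return (f"{src_role} {flow.src} -> {dst_role} {flow.dst}:"
                f"{flow.dport}/{flow.proto} is outside its clinical profile")
    if dst_role in profiles:
        if src_role in {p.role for p in profiles[dst_role]}:
            return None
        return (f"unexpected inbound to {dst_role} {flow.dst}:{flow.dport}/"
                f"{flow.proto} from {src_role} {flow.src}")
    return None


def detect(flows, inventory=INVENTORY, profiles=PROFILES):
    """Run every flow through classify_flow and collect the alert reasons."""
    alerts = []
    for flow in flows:
        reason = classify_flow(flow, inventory, profiles)
        if reason is not None:
            alerts.append(reason)
    return alerts


def segmentation_policy(inventory=INVENTORY, profiles=PROFILES):
    """Derive a minimal allowlist ACL per profiled device: one permit per
    allowed peer instance, then a default deny for that device."""
    by_role = {}
    for ip, role in inventory.items():
        by_role.setdefault(role, []).append(ip)
    rules = []
    for ip, role in sorted(inventory.items()):
        if role not in profiles:
            continue
        for peer in sorted(profiles[role], key=lambda p: (p.role, p.port)):
            for peer_ip in sorted(by_role.get(peer.role, [])):
                rules.append(f"permit {peer.proto} {ip} -> {peer_ip}:{peer.port}")
        rules.append(f"deny ip {ip} -> any")
    return rules


# Constructed sample flows: three are benign, three should raise alerts.
SAMPLE_FLOWS = [
    Flow("10.10.1.21", "10.20.0.5", 2575, "tcp"),   # monitor -> central station
    Flow("10.10.1.21", "10.20.0.2", 123, "udp"),    # monitor -> NTP
    Flow("10.10.1.22", "10.30.7.77", 445, "tcp"),   # monitor -> workstation SMB
    Flow("10.30.7.77", "10.10.1.21", 22, "tcp"),    # workstation -> monitor SSH
    Flow("10.10.2.40", "10.20.0.9", 443, "tcp"),    # pump -> pump server
    Flow("10.10.2.40", "10.20.0.5", 2575, "tcp"),   # pump -> central station
    Flow("10.20.0.5", "10.10.1.21", 2575, "tcp"),   # central station -> monitor
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print("ALERT:", alert)
    for rule in segmentation_policy():
        print(rule)
```

The point of keeping one profile per device type is that the same source of truth feeds both the detector and the enforcement policy, so an alert always corresponds to a flow the ACL would also have blocked, and adding a new peer to a workflow updates both at once. A real deployment would build the profiles from observed traffic plus vendor documentation rather than by hand, and would key devices on identity (model, serial, role) rather than bare IP addresses.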
Ultimately, the impacts of cyberattacks on medical devices are unlike those seen in most industries. As this article has shown, in healthcare the impact of an attack is more dire than a hit to an organization's financial ledger, and is increasingly measured in higher mortality rates, health complications, and a lower quality of life. Fortunately, there is an answer to the question of how we protect our increasingly connected world from cyberattacks: by being more vigilant in adopting the laws and regulations associated with medical device cybersecurity, and by partnering with a vendor that specializes in healthcare cybersecurity and understands that medical device security requires clinical expertise.