The internet of things is everywhere – including in hospitals, nursing homes, and doctor’s offices.
The wireless and network-connected gadgets bring many conveniences to healthcare. Unfortunately, they also bring massive security gaps (examples below).
The makers of medical devices are aware of the security problem, but few are working to solve it. Two-thirds (67%) expect attacks on their devices, but only 17% are taking serious steps to prevent them, according to a Ponemon study.
The widespread lack of security in medical devices creates many concerns for health IT professionals. Their top concerns are highlighted in a new report, the 2017 HIMSS Cybersecurity Survey.
3 Fears of Medical Device Security
HIMSS asked 126 health information security professionals in the U.S. about their priorities, plans, and concerns for their organizations.
Here’s what they said were their top concerns for medical device security.
Note: This chart compares responses from healthcare organizations that do and do not have security leadership (such as a chief information security officer).
Fear #1. Patients will be hurt
Patient safety is the top concern overall, driven mainly by organizations that have a senior information security leader.
The threats posed by poorly secured medical devices are scary.
- 465,000 pacemakers can be hacked wirelessly to change their settings, including their “pace” (i.e. heart rate), according to an FDA alert issued in Aug. 2017.
- 114,000 insulin pumps can be hacked wirelessly to deliver a fatal dose of insulin to the user, according to warnings from Johnson & Johnson last year.
- Drug infusion pumps of a certain type made by Hospira are accessible remotely through a network and can allow an unauthorized user to control the device and change its dosage, according to an FDA alert issued in July 2015.
Thankfully, these types of threats rarely materialize (if ever) – but the possibility of them occurring has grabbed the attention of health IT professionals.
Nearly one-third (32%) of respondents who worked at an organization with a health information security leader felt patient safety was a top concern.
However, only 15% of respondents at organizations without a security leader agreed.
Fear #2. Data breach
Judging from news headlines and regular updates to the HIPAA wall of shame, every healthcare organization should be concerned about the possibility of a data breach.
So it’s not surprising to see the threat of breach reaching number two on the list for top concerns about medical device security.
Due to their flaws, some healthcare IoT devices can make it easier for attackers to breach a network and steal health data.
- Siemens PET/CT scanners that run Windows 7 and are unpatched have vulnerabilities that can allow attackers to remotely execute arbitrary code, according to an Aug. 2017 alert from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
- MEDJACK (a.k.a. medical device hijack) is an attack technique that infects medical devices with malware to create a backdoor and allow the attacker to traverse the network. Version 3 of the attack was discovered in 2017, according to DarkReading.
- Backdoors in blood analyzers, CT scanners, x-ray machines, and other medical devices were documented in more than six cases, according to the TrapX Healthcare Cyber Breach Report 2016.
Data breach is the number-two concern for both groups, those with security leadership (26%) and those without (17%).
Fear #3. Spread of malware
Just as poor security in medical devices can enable a data breach, it can also allow malware to take root and spread across the network.
Malware is third on the list of fears overall, but it’s the number-one concern for healthcare organizations without security leadership (26%).
These fears are not unfounded. Ransomware in hospitals has sparked headlines around the world this year.
Part of the problem is that the devices often run, or are connected to, outdated operating systems such as Windows XP. Or they use more recent operating systems but remain unpatched.
- WannaCry ransomware quickly infected hundreds of thousands of devices in May. They included radiology devices and other medical equipment. About 30 hospitals in the U.K. were hit.
- 10 fake medical devices put online by security researchers in 2015 recorded more than 50,000 potentially malicious logins and nearly 300 pieces of installed malware.
- 68,000 vulnerable devices from a single U.S. healthcare organization were identified by the same team of researchers.
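The two root causes named above, end-of-life operating systems and supported systems that are simply unpatched, are things a health IT team can check against its own device inventory. The script below is an added example, not code from the article or from HIMSS: it triages a constructed inventory of clinical devices, flags those out of vendor support or missing the MS17-010 patch that closed the SMBv1 flaw WannaCry spread through, and ranks each device by whether malware could actually reach it (a flat clinical segment or SMBv1 left on). The inventory records, the "clinical_flat" zone label and the four-level severity scheme are assumptions made for this example; the Windows XP and Windows 7 end-of-support dates and the MS17-010 bulletin are public Microsoft facts. It goes a little beyond the article by pairing each finding with the mitigation a defender would apply.

```python
"""Triage a medical-device inventory for the problems described above: devices
on end-of-life operating systems, devices on supported systems missing a
worm-critical patch, and devices exposed on a flat network or via SMBv1.

Added example, not code from the article or from HIMSS. The inventory records
are constructed; the end-of-support dates and MS17-010 are public facts.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Microsoft extended-support end dates for the systems the article mentions.
# An OS absent from this table has unknown support status.
OS_END_OF_SUPPORT: Dict[str, date] = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# WannaCry spread over SMBv1 using the flaw closed by bulletin MS17-010
# (March 2017); a Windows device without it is worm-exposed.
WORM_CRITICAL_PATCHES: FrozenSet[str] = frozenset({"MS17-010"})

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Device:
    name: str
    os_name: str
    installed_patches: FrozenSet[str]  # bulletin/KB ids reported by the device
    network_zone: str                  # "clinical_flat" = shares a segment with general IT (assumed label)
    smbv1_enabled: bool


@dataclass
class Finding:
    device: str
    risk: str
    reasons: List[str] = field(default_factory=list)
    mitigations: List[str] = field(default_factory=list)


def os_unsupported(os_name: str, today: date) -> Optional[bool]:
    """True if vendor support has ended, False if still supported, None if unknown."""
    eol = OS_END_OF_SUPPORT.get(os_name)
    return None if eol is None else eol <= today


def risk_level(unsupported: bool, missing_patch: bool, exposed: bool) -> str:
    """Combine patch state with network exposure into one severity bucket."""
    if (unsupported or missing_patch) and exposed:
        return "critical"   # wormable flaw AND a path for malware to reach it
    if unsupported or missing_patch:
        return "high"       # flaw present but contained by segmentation
    if exposed:
        return "medium"     # patched, but a flat network offers no second barrier
    return "low"


def assess(device: Device, today: date) -> Finding:
    reasons: List[str] = []
    mitigations: List[str] = []

    support = os_unsupported(device.os_name, today)
    unsupported = support is True
    if support is None:
        reasons.append(f"support status of {device.os_name} is not tracked; verify with vendor")
    elif unsupported:
        reasons.append(f"{device.os_name} left vendor support on {OS_END_OF_SUPPORT[device.os_name].isoformat()}")
        mitigations.append("no further patches will ship: isolate on a dedicated VLAN with allow-list firewall rules")

    missing = sorted(WORM_CRITICAL_PATCHES - device.installed_patches)
    if missing:
        reasons.append("missing worm-critical patch(es): " + ", ".join(missing))
        mitigations.append("apply the vendor-validated update" if not unsupported
                           else "patch unavailable: rely on network isolation as the compensating control")

    exposed = device.network_zone == "clinical_flat" or device.smbv1_enabled
    if device.smbv1_enabled:
        reasons.append("SMBv1 enabled")
        mitigations.append("disable SMBv1, or block TCP 445 at the segment boundary if the device needs it")
    if device.network_zone == "clinical_flat":
        reasons.append("shares a flat segment with general hospital IT")
        mitigations.append("move to a medical-device VLAN reachable only from named clinical systems")

    return Finding(device.name, risk_level(unsupported, bool(missing), exposed), reasons, mitigations)


def triage(devices: List[Device], today: date) -> List[Finding]:
    """Assess every device and return the findings worst-first."""
    return sorted((assess(d, today) for d in devices), key=lambda f: SEVERITY_ORDER[f.risk])


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {level: 0 for level in SEVERITY_ORDER}
    for f in findings:
        counts[f.risk] += 1
    return counts


# Constructed inventory, assessed as of the article's year (2017).
SAMPLE_INVENTORY = [
    Device("radiology-ws-01", "Windows XP", frozenset(), "clinical_flat", True),
    Device("pet-ct-console", "Windows 7", frozenset(), "modality_vlan", False),
    Device("infusion-pump-gw", "Windows 10", frozenset({"MS17-010"}), "clinical_flat", False),
    Device("lab-analyzer", "Windows 10", frozenset({"MS17-010"}), "lab_vlan", False),
]
ASSESSMENT_DATE = date(2017, 9, 1)

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY, ASSESSMENT_DATE):
        print(f"[{finding.risk.upper()}] {finding.device}")
        for r in finding.reasons:
            print("   why:", r)
        for m in finding.mitigations:
            print("   fix:", m)
    print(summarize(triage(SAMPLE_INVENTORY, ASSESSMENT_DATE)))
```

Run as-is it reports the Windows XP workstation on the flat segment as critical, the unpatched but segmented Windows 7 scanner console as high, and the patched gateway that only lacks segmentation as medium. The severity logic deliberately treats segmentation as the deciding factor: a device that cannot be patched (the article's Windows XP case) can still be brought down from critical to high by isolating it, which is the realistic option for equipment a vendor no longer supports.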
Other Fears of IoT in Healthcare
The rest of the medical device security concerns are not as widespread as the top three. The next biggest category is “other.”
The fifth largest category is “device loss or theft.” Although low on the list, it’s a fear grounded in reality.
At least 36 HIPAA violations reported in 2017 are attributed to physical theft, according to the HIPAA breach portal of the U.S. Department of Health and Human Services Office for Civil Rights (OCR).
In February, the OCR fined a children’s hospital $3.2 million in response to non-compliance and two data breaches. One breach was related to a lost BlackBerry. The second was related to a stolen laptop.
While healthcare offices are more likely to experience a stolen laptop or computer, the growing number of medical devices on the network may raise the chance of theft.
The remaining concerns, in descending order, are “don’t know,” liability concerns, and intellectual property theft.
Medical Devices Tested for Security
In response to a growing number of medical devices with poor security, many healthcare organizations are testing devices before they’re allowed through the door.
More than half of all respondents to the HIMSS survey said their organization performs due diligence analysis on the cybersecurity of products and services before purchasing them.
Not surprisingly, organizations with an information security leader are more likely to do the assessments (88% of respondents) than organizations without one (57%).