Calyptix Blog

Medical Device Security: 3 Biggest Fears of Health IT Pros

by Calyptix, September 4, 2017

The internet of things is everywhere – including in hospitals, nursing homes, and doctor’s offices.

The wireless and network-connected gadgets bring many conveniences to healthcare. Unfortunately, they also bring massive security gaps (examples below).

The makers of medical devices are aware of the security problem, but few are working to solve it. Two-thirds (67%) expect attacks on their devices but only 17% are taking serious steps to prevent them, according to a Ponemon study.

The widespread lack of security in medical devices creates many concerns for health IT professionals. Their top concerns are highlighted in a new report, the 2017 HIMSS Cybersecurity Survey.

3 Fears of Medical Device Security

HIMSS asked 126 health information security professionals in the U.S. about their priorities, plans, and concerns for their organizations.

Here’s what they said were their top concerns for medical device security.

[Chart: top medical device security concerns, organizations with vs. without security leadership]

Note: This chart compares responses from healthcare organizations that do and do not have security leadership (such as a chief information security officer).

Fear #1. Patients will be hurt

Patient safety is the top concern overall, driven mostly by respondents at organizations that have a senior information security leader.

The threats posed by poorly secured medical devices are scary.

Examples:

  • About 465,000 implanted pacemakers could be accessed wirelessly by an unauthorized user to change their settings, including their “pace” (i.e. heart rate), according to an FDA safety alert issued in Aug. 2017.
  • A line of drug infusion pumps made by Hospira could be accessed remotely over the hospital network, allowing an unauthorized user to control the pump and change the dosage it delivers, according to an FDA alert issued in July 2015.

Thankfully, attacks of this kind have rarely, if ever, been seen in practice, but the possibility of them occurring has grabbed the attention of health IT professionals.

Nearly one-third (32%) of respondents who worked at an organization with a health information security leader felt patient safety was a top concern.

However, only 15% of respondents at organizations without a security leader agreed.

Fear #2. Data breach

Judging from news headlines and regular updates to the HIPAA wall of shame, every healthcare organization should be concerned about the possibility of a data breach.

So it’s not surprising to see the threat of breach reaching number two on the list for top concerns about medical device security.

Due to their flaws, some healthcare IoT devices can make it easier for attackers to breach a network and steal health data.

Examples:

  • Siemens PET/CT scanners that run Windows 7 and are unpatched have vulnerabilities that can allow attackers to remotely execute arbitrary code, according to an Aug. 2017 advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
  • MEDJACK (a.k.a. medical device hijack) is an attack technique that infects medical devices with malware to create a backdoor and allow the attacker to traverse the network. Version 3 of the attack was discovered in 2017, according to DarkReading.
  • Backdoors in blood analyzers, CT scanners, x-ray machines, and other medical devices were documented in more than six cases, according to the TrapX Healthcare Cyber Breach Report 2016.

Data breach is the number-two concern for both groups, those with security leadership (26%) and those without (17%).

Fear #3. Spread of malware

Just as poor security in medical devices can enable a data breach, it can also allow malware to take root and spread across the network.

Malware is third on the list of fears overall, but it’s the number-one concern for healthcare organizations without security leadership (26%).

These fears are not unfounded. Ransomware in hospitals has sparked headlines around the world this year.

Part of the problem is that the devices often run, or are connected to, outdated operating systems such as Windows XP, or they run newer operating systems that remain unpatched.
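The MEDJACK-style traversal described under Fear #2 and the worm-style spread described here share one network symptom: a device that should only ever talk to a handful of servers (a PACS, a drug-library server, a vendor update service) starts initiating connections elsewhere, often over SMB. The script below is an added example, not code from the Calyptix post, the HIMSS survey or any device vendor, of checking flow records from a clinical-device segment against a per-device allowlist. The segment address range, the device and server addresses, the ports and the flow records are all constructed for illustration.

```python
"""Flag medical-device traffic that breaks a per-device allowlist.

Added example; addresses, ports, device roles and flow records are constructed.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "ts src dst dport proto")

# Assumption: clinical devices live in one segment, 10.20.0.0/24.
DEVICE_SEGMENT = ip_network("10.20.0.0/24")

# Assumption: each device may only initiate connections to these
# (destination, port) pairs. Anything else is flagged.
ALLOWLIST = {
    "10.20.0.11": {  # CT scanner (hypothetical)
        ("10.30.0.5", 104),    # DICOM to the PACS
        ("10.30.0.7", 443),    # vendor update service over TLS
    },
    "10.20.0.12": {  # infusion pump gateway (hypothetical)
        ("10.30.0.9", 443),    # drug-library server
    },
}

# Ports a clinical device has no business opening towards arbitrary hosts;
# SMB (445/139) is the classic worm vector, RDP (3389) a common pivot.
LATERAL_PORTS = {445, 139, 3389}


def parse_flow(line):
    """Parse one constructed flow line: '<ts> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto)


def classify(flow):
    """Return None if the flow is allowed, otherwise a short reason string."""
    if ip_address(flow.src) not in DEVICE_SEGMENT:
        return None  # not device-initiated; out of scope for this check
    allowed = ALLOWLIST.get(flow.src)
    if allowed is None:
        return "unknown device in segment"
    if (flow.dst, flow.dport) in allowed:
        return None
    if ip_address(flow.dst) in DEVICE_SEGMENT:
        # Devices talking to each other is how a compromised device spreads.
        return "device-to-device traffic"
    if flow.dport in LATERAL_PORTS:
        return "SMB/RDP to non-allowlisted host"
    return "destination not allowlisted"


def find_violations(lines):
    """Return [(flow, reason)] for every record that breaks the allowlist."""
    violations = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            violations.append((flow, reason))
    return violations


# Constructed sample: one normal DICOM transfer, one normal drug-library
# fetch, then SMB from the scanner to the pump gateway and to a workstation,
# an unknown host in the segment, an inbound flow (ignored), and the pump
# gateway reaching an unexpected internet host.
SAMPLE_FLOWS = """
# ts src dst dport proto
2017-09-01T10:00:01 10.20.0.11 10.30.0.5 104 tcp
2017-09-01T10:00:05 10.20.0.12 10.30.0.9 443 tcp
2017-09-01T10:01:12 10.20.0.11 10.20.0.12 445 tcp
2017-09-01T10:01:30 10.20.0.11 10.40.0.21 445 tcp
2017-09-01T10:02:00 10.20.0.99 10.30.0.5 104 tcp
2017-09-01T10:02:10 10.50.0.3 10.20.0.11 104 tcp
2017-09-01T10:02:45 10.20.0.12 203.0.113.10 80 tcp
""".splitlines()

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport} {reason}")
```

Run against the constructed records, four of the seven flows are flagged: the two SMB connections from the scanner, the unknown host in the device segment, and the pump gateway's outbound HTTP. The inbound flow from 10.50.0.3 is deliberately ignored, since the point is what the devices themselves initiate; a real deployment would feed the same logic from switch or firewall flow exports and would treat the allowlist as part of the pre-purchase due diligence discussed below.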

Other Fears of IoT in Healthcare

The rest of the medical device security concerns are not as widespread as the top three. The next biggest category is “other.”

The fifth largest category is “device loss or theft.” Although low on the list, it’s a fear grounded in reality.

At least 36 breaches reported in 2017 are attributed to physical theft, according to the breach portal of the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

In February, the OCR fined a children’s hospital $3.2 million in response to non-compliance and two data breaches. One breach was related to a lost BlackBerry. The second was related to a stolen laptop.

While healthcare offices are more likely to experience a stolen laptop or computer, the growing number of medical devices on the network may raise the chance of theft.

The remaining concerns, in descending order, are “don’t know,” liability concerns, and intellectual property theft.

Medical Devices Tested for Security

In response to a growing number of medical devices with poor security, many healthcare organizations are testing devices before they’re allowed through the door.

[Chart: organizations performing cybersecurity due diligence on products and services before purchase, with vs. without security leadership]

More than half of all respondents to the HIMSS survey said their organization performs due diligence analysis on the cybersecurity of products and services before purchasing them.

Not surprisingly, organizations with an information security leader are more likely to do the assessments (88% of respondents) than organizations without one (57%).

Related resources

10 Biggest Problems in Healthcare Cybersecurity

HIPAA Compliance for IT Providers: Top 5 questions

Hospital Ransomware Attacks: A HIPAA Breach?

WannaCry Ransomware? The Answer is “Yes”
