Medical Device Security: Now Is the Time

Healthcare is making innovative strides in every corner of the industry. Equipment that once needed to be plugged in and connected to a hospital bed are now portable and wireless. Nearly everyone is using a wearable fitness device. While the convenience is noted, the security concerns with medical devices, especially those connected to the Internet, are alarming. There is no better time to address these security issues, and protect individuals from potentially dangerous scenarios.

The Growing Price of Healthcare Data

Healthcare information is a hot commodity. Healthcare cyber-attacks are on the rise, and this is largely due to the high price of healthcare data. On the black market, medical records can be sold for up to 20x more than credit card information. This makes healthcare companies the perfect target for attack; additionally, many healthcare companies are failing to protect themselves or their patients from attacks by not taking proper precautions.

Privacy vs. Security

In the past, the healthcare industry focused heavily on the privacy of patient and other proprietary data. HIPPA, for example, protects patient information by limiting access rights. But privacy is not security. Over the last decade, the industry has made great progress in protecting the privacy aspect of healthcare records.  The focus now needs to shift to security. Many players in healthcare are underprepared and face serious security risks in many areas.

Networked Medical Devices

One of the largest opportunities for security improvement lies in networked medical devices. Unsecured medical devices, like MRI and x-ray machines, heart monitors, ultrasounds, infusion pumps, and others, pose a security risk to patients, providers, and hospital administrators. As networked medical devices become more common, the security of these devices becomes critical.

Too many medical devices in the industry right now are unsecured. A recent study by the Atlantic Council explored the rewards and risks of networked medical devices. It found that risks lie in software, firmware, and connectivity for many medical devices.

“The very fact of being connected to the Internet via email, or to a supplier via a private network, exposes the ecosystem to a network-based risks,” the report said. Blocking certain traffic or shutting down ports is not sufficient protection. Proper security policies should be in place, and there should be real-time monitoring of traffic across the network.

Remote Monitoring

Remote monitoring is another area that needs security. There are numerous technologies that allow patients to be active while still being monitored. These devices are becoming more prevalent in homes and there will be an estimated 1.8 million people using a wireless, remote-monitoring device by 2017.

Diabetes patients are predicted to overtake COPD patients as the largest group using telehealth technology in coming years. Diabetics are able to transmit blood glucose levels to their doctor’s office from home or other locations using a wireless insulin pump.  There are also other home monitoring systems that can measure and transmit a patient’s vital signs to doctors to ensure continued health of a patient.

These advancements provide increased mobility and flexibility to patients, and allow healthcare professionals to more closely monitor the health of their patients and make informed critical care decisions.  However, these new systems also bring security vulnerabilities.

Wireless infusion pumps are a very common remote monitoring device. In recent months, a number of concerns have been expressed about these devices. One of the main concerns is the fact that some wireless infusion pumps cannot be scanned by traditional IT security tools, and many lack features for streamlined software upgrades, the National Institute of Standards and Technology said in a report.

Some pumps don’t validate the authenticity of updates before installing, leaving the device vulnerable to malware or unauthorized access. Recently, security researcher Jeremy Richards said a certain brand of drug pumps was the least secure IP device he had ever seen.

As Deloitte points out in a recent article, “[Networked medical devices] have the potential to play a transformational role in healthcare but also may be a vehicle that exposes patients and healthcare organizations to safety and security risks.”

Taking Action

Manufacturers and healthcare organizations can no longer procrastinate security.  We will continue to see major data breaches in the coming years until healthcare organizations begin taking action to secure devices and data.  All healthcare organizations need to have the right security practices in place to maintain a safe network—one that cannot be preyed on by malicious attackers.

Posted in Encryption, Healthcare Security, Internet of Things