Computer-controlled medical devices and healthcare industry under fire from cyberattacks

The healthcare industry has been reportedly under constant cyberattack, with 67 percent of healthcare executives deeming system-infecting malware as their top security concern, according to KPMG. Another 32 percent say they worry about medical device security.

 

Since 2009, the cost of healthcare breaches is estimated at around $31 billion, with 1,286 incidents reported and more than 153 million people affected, according to Privacy Analytics.

 

While 65 percent believe some of the greatest vulnerabilities in data security come from external attacks, 35 percent say wireless computing opens the door for security incidents. Some 44 percent responded they’ve tracked between 1 and 50 attempted breaches in the last 12 months, and one survey participant claimed to have seen a 1,000 percent increase in incidents and vulnerabilities after implementing a Security Operations Center (SOC), according to the same KPMG report.

 

Implantable medical devices (IMDs) and other medical devices, such as drug pups, have also been deemed hackable, with the Food and Drug Administration recently issuing safety notices for infusion pumps used in hospitals. Considering that the United States has a market size of around $110 billion, and it’s expected to reach $133 billion by 2016, internet-connect IMD and medical devices will continue to proliferate and open the door to new hacking attempts and vulnerabilities that could put human lives at risk.

 

“Having life-sustaining medical devices connected to an unprotected and easily hackable network is comparable to leaving your home unlocked in a bad neighborhood while on vacation and hoping that you won’t get robbed by the time you get back,” said Catalin Cosoi, Chief Security Strategist ad Bitdefender. “We can’t bury our heads in the sand when we’re talking about securing devices that ultimately are responsible for keeping us alive.”

 

Current recommendations issued by the FDA and the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) for known vulnerable medical equipment involve disconnecting the affected device from the network – even if it might impact operation – and closing FTP and Telnet ports.

 

“Disconnect the affected product from the network. Ensure that unused ports are closed, including Port 20/FTP and Port 23/TELNET,” reads the FDA alert. “Monitor and log all network traffic attempting to reach the affected product via Port 20/FTP, Port 23/TELNET and Port 8443. Contact Hospira’s technical support to change the default password used to access Port 8443 or close it.”

 

With more than 2.5 million people already relying on IMDs to keep various illnesses under control, the lack of medical equipment security and OTS (Off-the-Shelf) software updating procedures could have serious repercussions.

 

A Public Service Announcement issued by the Federal Bureau of Investigation says all patients should be informed about the capabilities of all medical devices prescribed for home use.

 

“Patients should be informed about the capabilities of any medical devices prescribed for at-home use,” says the PSA. “If the device is capable of remote operation or transmission of data, it could be a target for a malicious actor;”

 

The risks of overlooking cyber security in network-connected medical devices and IMDs should be minimized by implementing industry-wide standards both for hospitals and manufacturers of such devices.