Cyber attacks have been all over the news, with a great deal of focus on the most recent WannaCry ransomware. We urge you not to put your blinders on and think these attacks are only aimed at PCs – medical devices are also predicted to experience cyber attacks within the next year. For example, Siemens (a well-known medical device manufacturer) had their files compromised during the WannaCry epidemic.1 If you are a healthcare provider, you need to be aware of how this may affect your patients/residents and your operation.
A recent study by Synopsys found 67% of medical device manufacturers and 56% of healthcare delivery organizations believe medical devices could be a target of cyber attacks within the next 12 months. While those percentages are disturbingly high, the percentage of organizations that have taken steps to prevent cyber attacks on their devices is alarmingly low – only 17% of manufacturers and 15% of healthcare delivery organizations.1
What’s possibly even more alarming is that security researchers have found they can remotely control medical devices, including defibrillators, pacemakers, and insulin pumps, that are controlled by a hospital’s network.
How can health providers protect their patients and systems from this kind of attack? While there isn’t a 100% fool-proof plan just yet, we feel these are an excellent start:
- Advise patients with remotely accessible devices to secure their home wireless networks or contact an IT service provider to do so.
- Be sure your internal systems are updated and secure. This is critical if you are remotely managing any patient devices [or monitoring devices].
- Maintain software patch updates on a regular basis.
- Limit inbound and outbound remote access to only those who require it to perform their jobs.
- Design any remote access to medical devices to operate using network and security systems which are separate from your internal network, whenever possible.
- Educate your employees on good basic security concepts, such as suspicious emails and attachments.
- Ask your device manufacturers about their security policies and how their programming protects devices from cyber attacks.
- Check to see if your medical device manufacturers are members of the Information Sharing and Analysis Organization (ISAO) under the FDA. This organization shares details about security risks and attacks. The FDA recommends that these manufacturers report potentially dangerous issues that haven’t caused harm to the end user within 30 days, fix the problem within 60 days, and share information through the ISAO to help other manufacturers fix or prevent the same type of problems.2
Be diligent, friends, and if you want to do more reading on this subject, here are links to some great articles:
http://www.ceitcollaboration.org/docs/Cyber-Security-Part-II.pdf
https://www.fda.gov/downloads/MedicalDevices/DigitalHealth/UCM544684.pdf
https://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm
http://www.himss.org/medical-device-security
Resources:
1. Dellinger, AJ. (2017, May). “Medical Device Makers Expect Attacks Within Next Year, But Aren’t Prepared.” Retrieved from www.newsweek.com
2. Dellinger, AJ. (2016, December). “Medical Device Security, Privacy: FDA Issues New Guidelines On How To Protect Gadgets From Cyber Attacks.” Retrieved from http://www.ibtimes.com
Article written by Jerry Horton, IT Director of Networks Plus (LeadingAge Kansas’ IT Partners).