‘Healthcare information is rich in both financial and personally identifiable data, fetching up to $60 in the black market’
Venkat Krishnapur, VP-Engineering and MD, McAfee India, highlights the huge cybersecurity threat posed by medical devices and systems in hospitals and outlines measures to mitigate this menace
Can you give us an overview of cybersecurity threats through medical devices? How complex and multifaceted is this issue?
The healthcare industry today is moving towards a network of connected medical devices – network and cloud connected equipment such as nurse stations, patient monitors, diagnostic devices and scanning systems, among others. Similar in nature to other Internet of Things (IoT) devices, medical equipment is a vulnerable attack surface. Typical attacks include large scale cyber-attacks which range from ransomware, data exfiltration, distributed denial-of-service (DDoS) attacks, malware to network breaches. These devices can also be exploited for large-scale data theft considering how healthcare information is rich in both financial and personally identifiable data, fetching up to $60 in the black market. Hackers can further put the patient’s life in danger by gaining control of control devices such as blood gas analysers. McAfee research has also unearthed vulnerabilities in the hospitals’ picture archiving and communication system (PACS) such as unencrypted traffic between client and server, clickjacking or default accounts that could be misused by cybercriminals for extortion.
How can we assess the major vulnerabilities in the use of any medical device?
Assessment of risks related to medical devices should encompass a technical assessment, security programme assessment and include a risk management strategy. The first step will identify the network of all connected medical devices by type, network interfaces and device relationships. It also recognises devices with the likelihood of security incidents and mitigation opportunities. The Medical Device Security Program will evaluate physical security controls, patch management and incident management. It will gauge elements of access management such as user credentials and segmentation. Multiple stakeholders involved in device management can effectively secure and manage devices through a Medical Device Security Risk Management Strategy. It helps address contextual issues such as purchase of the device, implementation, maintenance and disposal.
How can we safeguard and assure the safety, effectiveness, and security of medical devices, even as we leverage the transformational abilities of technologies such as IoT?
Firstly, organisations must develop an incident response plan as a rapid recovery mechanism. Patches on general purpose devices must be updated regularly and endpoint protection should be changed from default to advanced to block malware executables. Enhancing the anti-spam filter can help evade ransomware attacks through uncommon file formats, packed several levels into .zip files to evade detection. Use network segmentation to separate critical devices required for patient care from the general network. Keep your backup data safe by disconnecting it from the production network in the event of a ransomware attack. Most importantly, foster a culture of security within the organisation as lack of user awareness remains a key vulnerability to undertake cyber-attacks.
How can the healthcare providers be made more aware and informed about the cyber security vulnerabilities and empower them to prevent them?
Multi-stakeholder collaboration between regulators, manufacturers, industry experts and healthcare professionals along with proactive preparation are vital for maintaining the security of devices. Building a community will enable enhanced collaboration and provide them with a platform to voice out the challenges of addressing device security. A strategic plan that maps out industry best practices for designing and building security into medical devices can generate consensus between key industry players. It is also important to educate and motivate the first-line defense – people – about the latest modus operandi of cybercriminals, governance and compliance requirements, cybersecurity policies and adequate training to deal with cyberattacks.
Is it possible to make these products ‘secure by default’? What would it involve?
Incorporating default security requires a ‘Security by Design’ approach, a proactive and ground-up approach to enable security controls throughout the development process — building in security from the start, rather than as an add-on, is key. This entails identification of assets, threats and vulnerabilities during the software development process and in the code being deployed. Using advanced data analysis tools, the process identifies the impact of threats on device functionality and end users, including potential vulnerabilities from outside sources. Use of static analysis tools can provide manufacturers with process documentation, test completion and software readiness reporting capabilities to provide information related to the cybersecurity of their device at the premarket submission phase.