.webp)
Healthcare is a prime target for cyberattacks due to its rich data troves and the high profitability of stolen medical information. According to a US Justice Department report, American hospitals alone paid USD100 million to Russian ransomware hackers last year across more than 400 incidents. With patient lives at stake, it is crucial to defend healthcare environments against these vulnerabilities.
The solutions are within reach but require support from firms developing medical devices and those providing frontline care. The approach should be underpinned by a regulatory framework that offers clear guidance and adequate funding. Qt spoke to industry experts to map out the steps forward.
Cybersecurity for Connected Medical: Beyond Firewalls
“Cybersecurity attack impacts should be treated like natural disasters. Studies in the US show that over a fifth of cyberattacks result in increased mortality rates—not because the attackers are trying to kill someone, but because they take out systems that people rely on,” explains Chad Holmes, a cybersecurity evangelist at Cynerio.
Over the past two decades, medical devices like intravenous pumps have become networked, introducing numerous software vulnerabilities. If not properly secured, these devices can become targets for malware or ransomware. Unfortunately, encrypting data alone isn't always sufficient for security.
Picture Archiving and Communication Systems (PACS) are vulnerable due to default admin credentials or exploitable URLs, while cardiovascular information systems face phishing threats. Hospital smart whiteboards that display patient data have mobile interfaces that may leak information due to broad access assumptions. Additionally, bracelets given to newborns, while not medical devices, can be exploited to gain access to server data. This vulnerability could allow someone to manipulate the bracelet's data, potentially enabling the kidnapping of a baby by facilitating unauthorized access.
Despite their life-saving potential, many medical device technologies are highly vulnerable. Holmes notes that many cyberattacks exploit basic methods like phishing, gaining entry when someone inevitably clicks a malicious link. “We have very flat networks where all these systems are interconnected. For instance, an IV pump is talking to the nurse's station, which is fine, but the same IV pump should not be connected to the elevators.”
This can be avoided by employing an approach called segmentation or micro-segmentation at the network level. “By severely reducing unnecessary connectivity, it effectively allows communication only where needed, without introducing risks to patients. These projects can be intimidating, but they are the right long-term solution. Leading institutions are now focusing their efforts on this approach,” says Holmes.
Another promising development is Network Detection and Response (NDR) technology. NDR can detect unusual communication patterns, such as a microbial detection unit contacting foreign servers or a stress test treadmill attempting to connect with multiple devices on the network. “NDR allows us to identify and quickly address these anomalies, minimizing what could be major attacks to mere blips on the radar,” says Holmes.
Strengthening Medical Devices Against Cyber Threats
Hackers are driven by financial gain. They encrypt systems and demand ransoms, which are frequently paid to restore functionality swiftly. They also steal and sell data on the black market, with Electronic Protected Health Information (ePHI) being extremely valuable. Holmes asserts, “Hackers will always exist. The goal is to secure our environment so it is no longer an easy, profitable target.”
Investing in security can deter attacks, as seen with financial giants like Goldman Sachs or Barclays, which are rarely affected by ransomware due to their substantial security investments. In healthcare, however, cybersecurity often takes a back seat because funds not directly spent on patient care are viewed as misspent.
Jan Rueppell, Head of Product Security at Karl Storz, a manufacturer of endoscopes and surgical instruments, concurs that healthcare security lags 15 to 20 years behind other industries. He emphasizes the need for collaboration between manufacturers and hospitals to safeguard medical product cybersecurity. “Manufacturers have post-sale obligations to maintain and update products. Hospitals should consider software maintenance contracts to support these efforts, which are more cost-effective than paying ransoms in the long run.”
One critical area is the Software Bill of Materials (SBOMs), a file listing all software components in a product, like Qt, OpenSSL, or the Linux operating system. “Manufacturers use this to scan for CVE (Common Vulnerabilities and Exposures) during development. However, post-market surveillance is essential as new CVEs may emerge. Some customers now request SBOMs to conduct their post-market surveillance, aiding in risk assessment.”
Choosing the right Quality Assurance (QA) software tools is also crucial for reducing cybersecurity risks in healthcare. Key to successful software development is detecting issues at an early stage or, even better, avoiding them entirely. Architecture Verification ensures the software's design can withstand attacks by adhering to security principles like least privilege. Static Code Analysis can detect vulnerabilities such as buffer overflows and SQL injection without having to execute the program. Code Coverage ensures that the entire code is tested during tests, which are performed as part of QA to identify potential security flaws early.
A Path Forward for Healthcare Cybersecurity
The belief that hospitals were safe from attacks shifted dramatically in 2014 when the U.S. Food and Drug Administration issued guidelines for cybersecurity in medical devices. Other nations developed their frameworks, and by 2017, security became a regulatory requirement in the European Union with the introduction of the Medical Device Regulation (MDR).
Given the lack of a harmonized ISO standard, Karl Storz adopted the NIST cybersecurity framework (NIST SP 800-53) to harmonize various regulations. “When new regulations emerge, we check if they align with our framework and adjust if necessary. Fortunately, most medical device regulations are quite similar across different regions,” says Rueppell.
Securing healthcare environments is achievable with a coordinated effort. Holmes emphasizes the need for collaboration among medical device manufacturers, healthcare providers, and regulatory bodies. “By providing the necessary guidance and funding, we can significantly enhance the security of these systems. If these three groups work together, we can make substantial progress.”
Enhancing healthcare cyber resilience involves recognizing the critical nature of cybersecurity, adopting advanced detection technologies, fostering collaboration, maintaining robust regulatory frameworks, and continuously updating security measures. Through these steps, the sector can protect patient data and ensure the continuity of life-saving services.
