Business News Daily provides resources, advice and product reviews to drive business growth. Our mission is to equip business owners with the knowledge and confidence to make informed decisions. As part of that, we recommend products and services for their success.
We collaborate with business-to-business vendors, connecting them with potential buyers. In some cases, we earn commissions when sales are made through our referrals. These financial relationships support our content but do not dictate our recommendations. Our editorial team independently evaluates products based on thousands of hours of research. We are committed to providing trustworthy advice for businesses. Learn more about our full process and see who our partners are here.
Here's how to protect against cyberattacks on medical devices in the age of healthcare IoT.
The internet of things – the ever-growing network of connected devices used throughout the world today – is especially prominent in modern businesses. From manufacturers to retailers, companies everywhere are implementing connected devices to capture more data across more business processes, and medical practices are no different.
In few industries is the growth of connected devices so rapid and widespread as it is in the healthcare industry. Today, the average hospital room contains 15 to 20 connected medical devices. In some hospitals, connected medical devices outnumber mobile devices, such as laptops and smartphones, 4 to 1. A large hospital could be home to as many as 85,000 connected devices. While each of these devices has a significant role in the delivery of care and operational efficiency, each connected device can also open the door to a malicious cyberattack.
“Lots of IoT devices, coupled with the free flow of patient data in the network, create massive internal blind spots about what’s happening,” said Chris Morales, head of security analytics at Vectra. “The biggest threat is in the network, where perimeter security is blind.”
Healthcare organizations are a prominent target of hackers for several reasons. Here are the five biggest ones.
Healthcare organizations create, receive, maintain and transmit vast amounts of confidential patient data, making their networks and connected devices prime targets for cyberattacks. While the average cost of a data breach in 2020 was $3.86 million across all global industries, healthcare has the highest industry-average cost of $7.13 million, according to IBM Security’s annual report.
Healthcare providers can greatly mitigate their risks of breaches, ransomware, and costly noncompliance fines from HIPAA and the European Union’s General Data Protection Regulation by investing in security orchestration, automation, and response (SOAR) – a system designed to increase detection rates and reduce the response and containment time.
The vast number of connected medical devices of varying specifications and from different manufacturers makes security upkeep especially challenging for healthcare IT professionals. While medical devices don’t always store significant amounts of patient data, they can be vulnerable entry points for attackers to access data-rich servers. Keeping these entry points updated and secure must remain a priority for the healthcare industry to reduce the costs and damage of unauthorized access.
Cyberattacks on medical devices can be dangerous, even life-threatening. A hospital in Germany suffered a ransomware attack in September 2020, stopping the intake of new patients and forcing reroutes for emergency patients. One patient died while the hospital struggled to restore services. With access to connected devices and networks storing sensitive patient data, everyone working in your healthcare organization is a member of your security team. That’s why it’s critical for you and your staff to embrace a zero-trust security model to prevent unauthorized access to confidential data.
The emergence of telemedicine and collaboration between medical providers greatly increases the patient’s chance to receive the best care possible. Protecting patient data in a remote environment is increasingly challenging, however. Many organizations are implementing multifactor and risk-based authentication methods to identify and grant access to authorized individuals across devices and locations. IT administrators can establish increasing stringency on the authentication process based on unusual activity.
Large healthcare organizations store the most patient data, making them the most valuable targets for malicious threats. However, hackers know smaller businesses have fewer resources to dedicate to cybersecurity, making them much easier targets. If your practice is a small healthcare provider, with limited resources at your disposal, you should focus your cybersecurity efforts on governance, risk management and compliance programs. You can protect your patients’ data in cloud environments, greatly minimizing the complexity of IT and security your busines is responsible for, as cloud software providers often handle the upgrades and security maintenance of the system. This includes endpoint management as well as identity and access management to monitor and protect medical devices and ensure secure remote access.
Healthcare organizations are especially valuable targets for hackers, who know that smaller practices tend to be the most vulnerable.
Editor’s note: Looking for an electronic medical records (EMR) system for your practice’s data? Fill out the questionnaire below and our vendor partners will contact you about your needs.
As you can see, the healthcare industry is particularly vulnerable to cyberattacks. Hackers are well aware of the value of protected health information and willing to deploy various attack methods to compromise healthcare organizations’ networks.
“From a threat perspective, healthcare is often seen as a large, soft target,” said William Peteroy, security CTO at Gigamon. “There are increasing interdependencies between technology and providing quality care, which means that we’re seeing more technology in healthcare than ever before, but we don’t see a strong and consistent focus on information security to go along with that.”
These are some of the most common attacks and threats facing healthcare organizations:
Defending against these threats and others requires a constantly evolving cybersecurity plan that includes visibility into all connected medical devices, proper network segmentation, and regular patches and updates to prevent exploitation of vulnerabilities. Otherwise, the consequences could be quite steep.
Hospitals and other medical practices must contend with various cyberthreats, such as data breaches, ransomware, malware and cryptojacking.
Cyberattacks can cost healthcare organizations more than $1 million in the recovery process, according to the IBM Security report. Moreover, patient safety relies on the security of a hospital’s network, making cybersecurity a larger consideration than just lost revenue and new expenses for a medical practice.
“The healthcare industry houses some of the most personal and sensitive data one can imagine,” said Stephen Cox, former vice president and chief security architect of SecureAuth. “Having this data be stolen by attackers and leaked to the dark web can be an absolute catastrophe for phishing campaigns. Having a device taken offline due to an incident could delay a patient from receiving a vital treatment.”
Without a sufficient cybersecurity plan and the software to back it up, healthcare organizations risk potentially irreparable consequences, including the following:
Cyberattacks are especially costly to healthcare organizations and, even more importantly, can put patients’ health and safety at risk.
Despite the cybersecurity threats associated with connected medical devices, medical IoT is an essential part of modern healthcare. Deploying, monitoring, and updating your practice’s connected medical devices in accordance with your wider cybersecurity plan is key to reap the benefits without opening up your practice to unnecessary risks.
Every single connected medical device your practice uses should be monitored in real time, allowing your security team to constantly probe for vulnerabilities or anomalous behavior that could signal the device has been compromised. In an environment with hundreds or thousands of connected devices, employing some type of intelligent cybersecurity solution is the only way to effectively manage the network.
“Tracking devices for visibility manually is indeed difficult, especially with a small security team,” Morales said. “When you factor in the time it takes a lean security team to discover a data breach that comprises unknown connected devices, it is apparent the security team needs some level of augmentation of capabilities through intelligent technology.”
Properly segmenting connected medical devices based on their vulnerability and risk profile can reduce hackers’ penetration of your network if a cyberattack does occur.
“Hospitals can mitigate risks by creating an isolated network for connected devices, which is simple and can be done with VLANs and firewall technology that’s been around for decades,” Peteroy said.
Regular software updates are critical to ward off cyberattacks. The high-profile WannaCry ransomware attack, which affected large companies all over the world, exploited a vulnerability that was patched in a Windows update released months prior. As a result, the only organizations affected by WannaCry were those that had failed to update their software. Every connected medical device should be subject to regular software patching and firmware updates, prioritized by individual risk profile. This makes each device less ripe for exploitation.
While software solutions and regular updates are great ways to reduce the chances of a cyberattack, a smart security team knows it is a matter of time before their defenses are probed by a malicious actor. A comprehensive cybersecurity plan includes an incident response procedure that can be deployed at a moment’s notice and involves the major stakeholders across all departments within the organization.
Hospitals and medical practices are vulnerable targets because of the value of their information and the sheer scale of their networks. However, leveraging connected medical devices and the many benefits they offer doesn’t mean your practice must fall victim to hackers and cyberattacks. By implementing an intelligent cybersecurity solution that can identify and monitor all connected devices in real time, properly segmenting those devices’ risk levels, regularly updating your software, and developing a comprehensive incident response plan, you and your security team will be as prepared as possible to face these ever-evolving cybersecurity threats.
You must secure, monitor, segment, and regularly update all your connected medical devices to prevent unauthorized access to your network and sensitive patient data.
Jeff Hale contributed to the writing and reporting in this article. Some source interviews were conducted for a previous version of this article.