The number of medical Internet of Things (IoT) devices worldwide is growing rapidly, with 75% of all medical devices now connected to the Internet. But despite the numerous benefits of these connected devices, their connectivity introduces inherent security vulnerabilities that are difficult to patch and secure. Because the healthcare sector stores large volumes of confidential data alongside a network of connected medical devices, healthcare organisations are a prime target for cybercriminals. Richard Staynings, Chief Security Officer at Cylera, explains why training healthcare professionals is so important, to protect them as well as patients, and how healthcare can manage the growing number of medical IoT devices to minimise threats.
The UK’s healthcare delivery system is digitalising at pace, and this is making connected healthcare environments ever more complex and therefore potentially more vulnerable to cyberattack.
Healthcare has transitioned from maintaining patient records in manila files at each facility to centralised electronic record keeping with complete system interoperability. This encompasses a broad range of users, including general practitioners (GPs), hospitals, pharmacies, government population aggregate services and public health systems.
Furthermore, the adoption of IoT devices for tracking, monitoring and maintenance in the healthcare sector has dramatically increased in recent years. In 2021 US$21 billion was spent on IoT in healthcare, which is predicted to increase to a staggering US$54 billion by 2029 as medical technologies continue to develop and the sector drives for greater efficiencies in healthcare delivery.
These connected devices vary from radiological cancer treatment systems, x-ray, ultrasound, CT and PET scanners to infusion pumps that provide life-saving medications. The medical industry benefits greatly from these devices, but they also have inherent security flaws that are challenging to patch and to safeguard without the right cybersecurity strategy in place.
It’s perhaps not surprising, then, that the healthcare sector is the third most targeted industry globally by cybercriminals, with an average of 1,463 malicious attack attempts per week. This is an increase of 74% from 2021.
It’s therefore important not to undervalue the level of security that should be applied to these medical devices. Recent studies have shown ransomware attacks are leading to an increase in morbidity and mortality rates and having an impact on even basic healthcare services like scheduling medication. Medical device cybersecurity is a problem that affects more than just patient privacy; it impacts the capability and accessibility of healthcare services, which are essential to guarantee patient care and safety.
Cyber awareness training
The major disruption and damage of a cyberattack upon healthcare highlights the necessity for healthcare staff to receive cybersecurity training so they can contribute to the protection of this vital hospital equipment. Regular training can help medical employees recognise the warning signals of a cyberattack, know when one is happening and know how to reduce any risks to patient safety.
Training should include:
- Basic cyberhygiene tips – including using strong passwords that are changed regularly, enabling multi-factor authentication and not clicking on unknown links
- Awareness – training employees to recognise the signs of a device that is acting differently from how it should and when it needs to be reported to IT services for review. This should also entail ensuring that medical personnel are well-versed in the risks associated with using these medical devices, such as understanding what a ransomware attack is, what its effects are, how it is initiated and how to respond to unknown emails and steer clear of phishing emails
- Correct processes – medical staff members should be aware of the proper procedures for safely connecting medical devices in order to avoid common mistakes such as connecting these devices to a public Wi-Fi network
- Clean up – all online-connected medical and IT systems need to be properly maintained and managed in terms of IT hygiene. Requirements for IT hygiene should be flexible
- Incident response plan – in the same way that everyone has a part to play during a fire drill, there should be an action plan in place in the case of a cyberattack. Without a suitable cybersecurity incident plan and software backup solution, healthcare organisations run the danger of losing patient data, having an adverse impact on patient care and safety and having their brand name damaged. All employees should be aware of their role and place within this plan.
- Crisis simulation training – once your incident response plan is in place, testing it through a crisis simulator is recommended. Crisis simulators are training exercises in which simulated crisis scenarios, such as a ransomware attack, are presented in order to assess employees’ capacity to adhere to their incident response plan religiously and respond to a crisis successfully.
Cybersecurity training should be performed regularly to ensure staff are up-to-date with the latest developments in the field. Health facilities should regularly review and identify knowledge gaps among staff in order to provide pertinent and effective training.
Since many healthcare professionals regularly interact with these devices, their actions are crucial to the prevention of cybercrime. They serve as patient safety’s eyes and ears, managing and keeping watch on crucial medical and other IoT devices needed to diagnose, monitor, manage and treat patients.
Most medical devices are employed in hospitals and clinics, but since COVID-19, the number of remotely monitored patients has risen. There’s an increasing number of traditional and wearable devices sent home with patients, allowing care teams to monitor patients remotely from their homes. This means more systems communicating back to hospitals across the Internet and a greater attack surface for cybercriminals to exploit.
Securing medical devices
With so many medical devices now connecting to the network, how can the industry secure them?
Thanks to advances in the next generation of IoT security technologies, cybersecurity providers can now dynamically automate the inventory, risk analysis and risk remediation of hospital IoT (HIoT) connected devices using compensating security measures. Artificial Intelligence (AI), Machine Learning (ML) and digital twin technology are used to achieve this. Combined with current network access control (NAC) tools, these technologies enable highly precise analysis and identification of discrete systems and passive risk assessment of frequently delicate life-sustaining equipment, and they can be seamlessly integrated and automated into the network.
This is an excellent illustration of how cutting-edge security tools are being used to mitigate the risks posed by new medical equipment. As many HIoT devices cannot be updated with security patches, medical device ‘enclaving’ or ‘network segmentation’ acts as an efficient form of remediation, lowering threats to patients and the medical network. Regulators often allow this compensating security measure, which enables the ongoing safe use of otherwise end-of-life medical devices.
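The progression described above (inventory, risk scoring, then enclaving the devices that cannot be patched) can be shown in working code. The following is an added illustration written for this article; it is not Cylera’s product, not a real NAC or discovery API, and every device record, address, risk weight and enclave rule in it is constructed sample data. It profiles a small constructed HIoT inventory, scores each device, places high-risk unpatchable devices in a per-category enclave with a default-deny policy, and then audits captured flows against that policy, which is the kind of check a segmentation control enforces.

```python
"""Hospital IoT (HIoT) inventory, risk scoring and enclave policy check.

Added illustration, not Cylera's product or any real NAC API. The device
records, risk weights and enclave policy below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class HIoTDevice:
    """One asset as a passive discovery tool might profile it (constructed)."""
    name: str
    ip: str
    category: str          # e.g. "infusion_pump", "ct_scanner", "workstation"
    os: str
    patchable: bool        # False = vendor no longer ships security fixes
    life_sustaining: bool  # True = failure can directly harm a patient


# Constructed sample inventory (names, addresses and attributes are made up).
INVENTORY = [
    HIoTDevice("pump-icu-07", "10.20.1.17", "infusion_pump", "VxWorks 6.9", False, True),
    HIoTDevice("ct-rad-02", "10.20.2.5", "ct_scanner", "Windows 7", False, False),
    HIoTDevice("nurse-ws-11", "10.20.9.40", "workstation", "Windows 11", True, False),
]


def risk_score(d: HIoTDevice) -> int:
    """Simple additive risk score (assumed weights, not a published standard).

    Unpatchable and life-sustaining devices score highest, which is what
    drives the decision to enclave rather than patch.
    """
    score = 0
    if not d.patchable:
        score += 5
    if d.life_sustaining:
        score += 3
    if d.os.lower().startswith(("windows 7", "windows xp", "vxworks")):
        score += 2   # end-of-life platform
    return score


def assign_enclave(d: HIoTDevice) -> str:
    """Map a device to an enclave; high-risk devices are isolated per category."""
    if risk_score(d) >= 5:
        return f"enclave-{d.category}"
    return "general-clinical"


# Constructed enclave policy: per enclave, the (destination network, port)
# pairs an enclosed device may initiate connections to. Anything not listed
# is denied by default, which is what makes the enclave a compensating control.
ENCLAVE_POLICY = {
    "enclave-infusion_pump": [
        ("10.20.100.10/32", 443),   # drug library / pump server (constructed)
    ],
    "enclave-ct_scanner": [
        ("10.20.100.20/32", 104),   # PACS DICOM listener (constructed)
    ],
    "general-clinical": [
        ("10.20.100.0/24", 443),    # clinical application servers
        ("10.20.100.0/24", 53),
    ],
}


def flow_allowed(src: HIoTDevice, dst_ip: str, dst_port: int) -> bool:
    """Return True only if the enclave policy explicitly permits the flow."""
    enclave = assign_enclave(src)
    dst = ip_address(dst_ip)
    for net, port in ENCLAVE_POLICY.get(enclave, []):
        if dst in ip_network(net) and port == dst_port:
            return True
    return False


def audit(flows):
    """Evaluate captured (device_name, dst_ip, dst_port) tuples against policy."""
    by_name = {d.name: d for d in INVENTORY}
    return [(name, dst, port, flow_allowed(by_name[name], dst, port))
            for name, dst, port in flows]


if __name__ == "__main__":
    # Constructed sample flows: a legitimate pump-server check-in, a pump
    # trying to reach an Internet address, and a scanner talking to PACS.
    sample = [
        ("pump-icu-07", "10.20.100.10", 443),
        ("pump-icu-07", "203.0.113.9", 80),
        ("ct-rad-02", "10.20.100.20", 104),
    ]
    for name, dst, port, ok in audit(sample):
        print(f"{name:12} -> {dst}:{port}  {'ALLOW' if ok else 'DENY'}")
```

The second sample flow is the one that matters in practice: the unpatchable pump is not blocked from doing its job (the check-in to its server is allowed), but any attempt to reach an address outside its enclave is denied, so a compromise of the device cannot spread and an Internet-bound connection from it becomes a clear signal for the IT team to investigate.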
To protect against the growing threat of cyberattacks, what is required is a combination of people, processes and technology. Advances in AI-based cybersecurity tools mean healthcare organisations can now automate the entire security process through a progression of asset identification, risk analysis, profiling and improved medical device management. However, you’re only as secure as your weakest link, and medical staff members are a critical factor in keeping healthcare cyber secure and protecting what matters most – patient care.