A cyber-induced health scare waiting to happen
The benefits of internet-connected medical devices have seen many hospitals and healthcare facilities rapidly introduce them, without understanding the security implications of connecting them to the network. We outline how to avoid a potential cyber disaster.
The potential risk of hackers accessing medical devices is huge and the Abbott pacemaker vulnerability is a stark warning to the industry. Not only would hackers be able to get hold of the information held on these devices, such as personal information or medical history, but because these devices are network-connected, hackers can essentially use them as an open door into a hospital’s wider network. That’s access to all patient files, billing systems and other sensitive information.
Even worse, if hackers wanted to target an individual with one of the intelligent implants, once they gain access to the device, they can tamper with the controls. This could cause anything from a bad night’s rest to death, particularly for patients with pacemakers and respirators.
In fact, former US Vice President Dick Cheney was even warned about the risks when he came into office, and had to turn off his pacemaker’s wireless capabilities to thwart any potential attacks.
It’s imperative these new connected devices are secured properly and updated with the appropriate patches regularly. Not doing so leaves hospitals and healthcare institutions at risk to a major hack or a cyber-induced health scare.
To avoid a potential cyber disaster, there are a number of precautions hospitals and healthcare institutions can take to ensure these new devices are kept secure.
Security awareness campaign
Perhaps the most important action to take is to educate everyone about cybersecurity issues. This can be as simple as putting posters up as reminders or holding meetings to educate staff on security measures. Our people may be our greatest asset, but they can also be our greatest downfall. That one insecure connected device on the network, clicked link in an email or inadequate password could lead to a major security threat.
Research the manufacturer and the product
Before purchasing any connected medical device, research the manufacturer. This could be as straightforward as a bit of desktop research, looking at the company’s history or seeing if any cybersecurity flaws have been reported. Alternatively, cybersecurity companies can provide threat analysis reports on potential providers to ensure products meet cybersecurity requirements.
Include security requirements in the contract
This will be critical moving forward. Within any contract with a third party, outline all the security requirements the manufacturer needs to adhere to, whether it be within its products or the way in which it connects to your network.
Implement secure configuration
This can be as simple as ensuring the default passwords on devices are changed. It is surprising how many hackers get into networks by trying ‘admin’ and ‘admin’ as the username and password. To further protect your data, ensure all data is encrypted, even within those connected medical devices.
Pen test everything
Penetration testing, or pen testing, essentially involves testing the security of a product hands-on, trying to bypass its defences to find vulnerabilities. It’s always best to use an independent party, as they will often think laterally about the problem and find ways that the IT team or vendor may never have thought about.
Keep IT in the know
Ensure your IT team is made aware of all new devices and products connecting to the network, so they can implement appropriate security measures and upgrades. Ensure they are connected with your partners, so they can receive the latest patch information as well.
Whilst health care and hospitals are no more vulnerable than other sectors, the consequences are much more dangerous. Our information, sensitive data and wellbeing are all vulnerable if security is not made a priority. The best thing a healthcare facility can do is educate its employees about security awareness. After all, they are in the business of saving lives, and getting them cyber-trained can help them do just that.
Dr Laborde explains how data is being used not only for research, but to create efficiencies,...
IT strategies that meet the bare minimum compliance regulations are not an option for healthcare...
Embedding telehealth into clinical consultations is a priority reform area of Australia's...