Avoiding a Data Breach Caused by Medical Devices

The terms “data breach” and “healthcare organization” have appeared together in many recent headlines, and avoiding a data breach caused by medical devices is becoming a hot topic as a result.

Recent studies and investigations by cybersecurity professionals in the industry have found that attackers are beginning to use medical device vulnerabilities as an intrusion point into an organization’s entire network. It is quite common for medical devices to run outdated, and therefore vulnerable, software, and those vulnerabilities are difficult to mitigate, putting millions at risk.

According to recent reports, several medical devices are now being targeted by hackers as a way to infiltrate an otherwise secure network. These networks likely have an IDS, firewall, antivirus, etc., to safeguard information; however, the lack of security in the devices themselves presents a serious threat to patient information. More and more Americans are using medical devices and/or equipment that supports a direct connection to the hospital’s network. According to research by the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team, roughly 300 medical devices from approximately 40 vendors are vulnerable because their passwords cannot be changed.

The types of medical devices that are possible targets for a cyberattack include, but are not limited to, blood gas analyzers, X-ray machines, pacemakers, insulin pumps, and heart monitors. These wireless and Bluetooth-enabled devices can allow hackers to create a backdoor through the network’s security infrastructure, gain access to patient records (healthcare information, social security numbers, dates of birth), and plant malware on employees’ computers through malicious websites.

As manufacturers struggle to find a quick solution to properly secure every medical device from potential threats going forward, several entities are urging manufacturers, healthcare organizations, and users to follow best practice security guidelines to protect against a possible cyberattack. As the FDA continues to implement software security guidelines for manufacturers, healthcare organizations can begin protecting themselves from potential threats by following these best practices:

1. Do not use default passwords set by vendors. These become easy targets for hackers. Use strong passwords and a strict password management program to ensure that network security is maximized.

2. Be sure you have a fully documented and enforced set of policies and procedures, specifically those governing your network security program. Who has access to what? How do we detect intrusions in our network? What are our firewall and antivirus policies? Updating these to reflect the security culture of your organization can help defend against an attack.

3. Network and application security is critical to your organization. Engage in regular testing to identify and mitigate weaknesses and vulnerabilities in your organization’s security before someone else does.

The healthcare sector continues to be a major target of hackers. According to a recent study by the Ponemon Institute, breaches cost the healthcare industry around $6 billion annually. Defending ourselves from the threat of cyberattacks must continue to be a group effort as we educate and empower each other to greater levels of security.

For more information on ways to improve network security at your organization or for tips on how to safeguard your PHI, email me at s.morris@kirkpatrickprice.com.


Sarah Morris is the Managing Editor at KirkpatrickPrice, a valued partner of AIS Network. She is certified in General Information Security Fundamentals (GIAC GISF) and specializes in keeping organizations up to date on information security and regulatory compliance by being a thought leader and developing valuable content that revolves around industry trends and best practices.