A U.S. government official is sounding the alarm about a threat that’s invading hospitals and endangering patients’ lives—and it’s not COVID-19.
The threat, he told a recent healthcare conference, comes from cyberattacks on hospital IT systems via ransomware and, increasingly, connected medical devices.
“We have been so afraid to admit that cyberattacks and IT failures can impact patient care and patient safety that if we continue in denial mode, we will go back to business as usual,” warned Joshua Corman, chief strategist of the COVID-19 task force at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Corman is making a brutal point that healthcare cyber breaches don’t just put patients’ privacy and data at risk—they put people’s lives at risk. Two tragic incidents have vaulted the issue into the headlines:
- Parents of a newborn who died in 2019 are now suing an Alabama hospital; they allege their baby died because a ransomware attack at the hospital impaired the connected system that remotely monitored the fetal heartbeat before and during childbirth.
- A 78-year-old woman in Germany died from an aortic aneurysm in 2020 when a ransomware attack at the nearest hospital forced her ambulance to go to another hospital an hour away; police conducted a homicide investigation but did not lay charges.
Last fall Corman’s agency, CISA, reported that hospitals hit by cyber incidents suffered higher mortality rates afterward.
Now a new global study is putting connected medical devices under the microscope. Researchers from Cynerio analyzed data from more than 10 million devices: traditional IoT devices used in hospitals such as wireless security cameras and smart door locks, as well as Internet of Medical Things (IoMT) devices used only in healthcare. Among the findings:
- 53% of IoMT and IoT devices in hospitals contain at least one known “critical” cyber vulnerability
- 73% of IV pumps (which comprise 38% of the total IoT footprint in hospitals) “have a vulnerability that would jeopardize safety, data confidentiality or service availability” if exploited by hackers
- one-third of bedside healthcare IoT devices in hospitals contain an identified critical cyber risk
- ransomware attacks cost hospitals around the world a combined US$21 billion last year
According to the report, ransomware attacks on hospitals increased by 123 per cent over the past year. Know what else is increasing? The use of connected medical devices.
The global market for IoMT devices is expected to hit $94 billion by 2026, up from just $25 billion in 2021. Since 2019, the FDA has issued critical alerts about cybersecurity risks to insulin pumps, implantable cardiac devices and remote heart monitors used for home-based healthcare.
Medtech’s unique risks
Addressing cyber risk in connected medical devices isn’t as simple as running security software throughout each hospital.
As the Cynerio report explains, IoMT devices at hospitals are almost constantly in use, leaving little downtime to patch or update them. Unlike smartphones and other mobile devices, IoMT devices involve dozens of operating systems and hundreds of different vendors, making it tough to deploy cybersecurity solutions.
Many IoMT devices run on versions of Windows that are so outdated that they are no longer secured or supported. (According to Cynerio data, that includes 53 per cent of devices used in oncology departments and 25 per cent of devices used in surgical units.)
What can be done
Cynerio researchers offer hospitals some strategies (other than the traditional patch-and-update model) to combat cyber threats to connected devices:
- Make it a priority to identify and address the risks of vastly outdated Windows deployments
- Use network segmentation (Cynerio estimates splitting hospital networks into operational “slivers” would address more than 90% of critical IoMT risks)
- Deploy security at the device level rather than relying on the (often unpatchable) OS level
- Implement an IT quarantine system to contain damage during cyber incidents
A self-proclaimed cyber nerd believes even more can be done, well before those devices ever make their way into hospitals.
Baking it in
In April 2020, Dan Bardenstein joined the U.S. government’s Defense Digital Service (DDS), an elite cyber squad that proudly calls itself the Pentagon’s SWAT team of nerds. One of DDS’s biggest missions to date is safeguarding Operation Warp Speed, America’s COVID-19 vaccine program.
“We worked closely with a lot of other cybersecurity agencies around the government to protect the entire end-to-end process of the vaccine, from the research and development (to) the clinical trials, the distribution and manufacturing,” Bardenstein told the Federal News Network.
Operation Warp Speed opened Bardenstein’s eyes to the enormous challenges of protecting biotech and medtech from hackers.
Now Bardenstein has a new job (working alongside Corman) as technology and cyber strategy lead at CISA. And he’s calling for new rules to protect medical devices at the source: the manufacturing level.
“The FDA should establish a clear list of minimum cyber protections that medical devices must possess in order to receive FDA approval,” Bardenstein argued in a position paper released earlier this month.
“The FDA’s current approach to cybersecurity standards is to provide ‘non-binding recommendations’ to device manufacturers,” he continued. “As a result, many device manufacturers still do not implement basic protections sufficiently, if at all, nor comply with FDA recommendations.”
Under Bardenstein’s proposal, manufacturers of connected medical devices would have to meet standards for:
- password requirements
- data encryption
- patching-and-updating procedures
- user guidance on securing and configuring devices
- timely disclosure of security vulnerabilities
- embedding automatic checks for software and security updates into device systems
It may seem shocking that healthcare devices can be manufactured and sold without such basic security features. Whether cybersecurity for connected medical devices is hardened through hospital IT practices or FDA regulations, Bardenstein says it’s an emergency situation that requires urgent care, not Band-Aid solutions.
“When we’re talking about securing medical devices,” he said in a recent speech, “we’re really talking about securing patients and saving lives.”