A Top Priority
Technological developments in recent decades have been a driving force in improvements in medicine. Today’s medical devices give doctors and others in the field far greater ability to see details that would previously have been missed, and the dropping cost of medical technology makes these devices more accessible. However, these advantages come with some downsides. In particular, poor security can put patient data at risk, and certain types of malware can render devices inaccurate or even unusable. Cybersecurity now must be a top priority for practices of all sizes.
Why are Medical Devices Targeted?
In short, patient information is worth a considerable amount of money. Malicious actors who successfully gain access to patient information can sell it at high prices, making practices, even smaller ones, popular targets for data thieves. This information can be used for identity theft, and it’s effectively impossible for information that’s been leaked to ever be fully protected again. In addition, malicious actors who wish to wreak havoc on an individual entity or a nation’s medical infrastructure might find that poorly protected medical entities offer an easy target. Ransomware attacks are growing in popularity, and medical entities need access to their infrastructure for even the simplest tasks, meaning organizations are willing to pay a high cost to have ransomware disabled.
Who’s Responsible for Data Security?
According to the FDA, it’s the responsibility of both medical device manufacturers and medical practices to ensure medical devices are secured effectively. Although device manufacturers have some guidance for security, these rules aren’t always perfectly clear, and it’s often the case that no third-party security verification is needed to bring devices to market. Ultimately, however, it’s up to medical entities to ensure that they’re properly securing their infrastructure.
Secure Communication
Some medical devices simply display results to a screen or a printer. However, since nearly every medical practice uses some sort of networking, communication between devices to servers or other infrastructure is useful. Man-in-the-middle attacks, which hijack data as it’s being sent across a network, provide a relatively easy method of attack for those looking to steal data. Fortunately, modern encryption technology can prevent most of these attacks. Small bugs, however, can render this encryption moot, and improper implementation can lead to data being sent insecurely. All devices on a network must send data in a secure manner, which can prove to be challenging in an era where IoT devices are becoming more popular.
The Human Factor
Perhaps the most difficult elements of security to implement are those involving people. Even in the most secure networks, it often takes only a single person using a weak password to leave a network open to data leaking. The FDA and other organizations providing guidance emphasize the importance of proper staff training to prevent these types of attacks. It’s also helpful to restrict users to only the data they need, which can limit the scope of certain attacks. However, it’s also worth noting that access to any staff member’s account opens up other potential types of attacks that can potentially compromise the entire network. Training staff adequately is crucial, but it’s also worth noting that enforcing these policies is critical and often difficult to implement. Furthermore, some security policies provide mixed results. Forcing staff to change their passwords at a set interval may lead to people using simpler, and easy to hack, passwords, and it increases the likelihood that people will write down their passwords, potentially making them easy to steal.
Effective Maintenance
Securing medical devices, and broader technological infrastructure, is an ongoing process, not a one-time part of implementing new hardware and software. Above all, updates must happen on a regular basis. This is especially true of operating systems, which often have well-publicized hacks released online and require updates to patch. However, medical devices sometimes have vulnerabilities that aren’t discovered until the product has been on the market for an extended period of time, and finding information about potential vulnerabilities can be challenging. As part of their overall security process, medical organizations need to ensure that they regularly check for updates from the device manufacturer. This can be a challenge, especially if the manufacturer is bought by or merges with another entity, which is common.
Use of Legacy Devices
Many medical devices are expensive, and organizations that use them often plan to continue to do so for many years to come. However, devices manufactured in the past sometimes have poor security, making them popular targets. These devices are sometimes implemented in a haphazard manner with newer infrastructure, and some devices, including non-medical devices such as printers, are often forgotten about. One of the keys to effective security is ensuring every device on the network is accounted for so it can be properly secured.
Physical Security
Large medical entities, such as hospitals, have plenty of people coming and going, which can make it fairly simple for someone to gain physical access to hardware. Once a malicious actor has physical access to hardware, compromising it is much simpler than doing so remotely. As part of an overall security plan, organizations need to ensure that their physical devices are adequately protected by keeping devices locked up and preferably monitored by camera to identify potential breaches. While these attacks might seem unlikely, the black market value of patient data is high enough that attackers might find the risk to be worthwhile.
It’s difficult to overstate just how much technology has changed how medicine is practiced, and computer-based medical records provide security and data protection that was impossible in the past. However, with these advantages come a number of obligations organizations need to meet in order to keep their patient data protected. As medical devices become even more common over time, it’s crucial that those who use these devices do so in a secure manner. Small mistakes can open up potential attack vectors, and vigilance and foresight are needed to prevent data breaches. Fortunately, the FDA and other organizations offer excellent guidance, and organizations that implement strong policies are well positioned to ensure their patient data is protected.