Connect with us

Hi, what are you looking for?

OPINIONS

Cybercrime and the Internet of Medical Things

Anything connected to a network is at risk. And it doesn’t matter what type of device, or what type of connection—LAN, WAN, wireless, wired, cellular, or WiFi—it is vulnerable, and must be protected.

By Andy Solterbeck
Regional Director for APAC, Cylance

Hackers can take over your smartphone or intercept telemetry from your fitness band. That’s bad enough. But what about if hackers could gain control of a drug infusion pump, trigger false alarms that may prompt doctors and nurses to administer unnecessary and adverse treatment or hold a hospitals database and routine operations hostage?

Cloud to the max1

Anything connected to a network is at risk. And it doesn’t matter what type of device, or what type of connection—LAN, WAN, wireless, wired, cellular, or WiFi—it is vulnerable, and must be protected.

This is a global issue, however, in some cases, the threats may be more severe in countries that lack a strong culture of security, or where there aren’t laws and industry regulations that not only specify best practices, backed up by strong financial penalties when organizations fail to take proper precautions.

A May 2016 study on privacy and security of healthcare data conducted by the Ponemon Institute revealed that criminal motivations are the leading drivers behind healthcare data breaches. Cybercriminals include those seeking financial profit as well as hacktivists and nation states who leak private information or threaten data integrity as leverage for geopolitical or economic gain.

Advertisement. Scroll to continue reading.

The study showed that criminal motives top the list of the causes of healthcare data breaches. Employee negligence and lost or stolen devices still result in many data breaches, but one of the trends is a shift in data breaches—from accidental to intentional—as criminals are increasingly targeting and exploiting healthcare data. Ponemon says that “Cyber criminals recognize two critical facts about the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) they do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect healthcare data.”

Compared to other attack vectors – such as employee negligence, cyber-attackers, attacks against smartphones, and the use of public cloud services – insecure medical devices are not at the top of the cyberattack food chain. They aren’t yet a primary attack vector, or a top target for cybercriminals. That’s just as well – since those devices aren’t particularly secure, and many organizations wouldn’t know where to begin to protect them.

When it comes to protecting connected medical devices, there are three main factors to consider: 1. Capability of the device, 2. the ability for the practitioner/provider to provide care and then 3. the critical function of the device itself. If any of those are compromised, patient health or privacy could be at risk.

Merely having some security built into the device, such as passwords or data encryption during transmission, does not assure security and privacy. The implementation and post-implementation support is a part of the entire life cycle to assure security of those devices and the information flowing to and from them.

Everything the device utilizes must be efficient and has to be secure; otherwise, this will have a detrimental impact on the facilities ability to provide care. The supply chain of technology including the device itself, the manufacturers, servers, network and the medical professionals themselves need to be secure in order to assure patient health and the appropriate delivery of the medical service.

Advertisement. Scroll to continue reading.

In many countries or regions, the use of devices is regulated – they must be approved before they can be purchased or deployed. The government may carry out testing or certification, or have a specific set of requirements placed on the device and its manufacturers. The question raised is the mentality of how security is approached; is the government taking an active role in security, ensuring there are preventative methods for these medical devices?

In the United States, there are centralized agencies like the U.S. Federal Drug Administration monitoring these devices, setting standards, and publishing best practices, whereas in in other countries, those roles are played by a national health service, who have the authority to mandate the use of specific products and vendors.

MEDICAL DEVICE SECURITY DOWN-UNDER

One country that is aware of the problem, but has yet to take strong regulatory action, is Australia. The Therapeutic Goods Administration of the Department of Health offers regulatory guidelines for all medical devices. Last updated in May 2011, those guidelines are not up-to-date with the latest best practices about cybercrime and the Internet of Things. However, the government is working on measures and even beginning to take action in this area. In March 2016, the Department of Health published a Medical Devices Safety Update, which focuses on reducing the vulnerability of medical devices to potential hacking, malware and other such attacks. The update identifies a wide range of medical devices as potentially vulnerable to unwanted intrusion, including devices incorporating wireless communications that are particularly vulnerable as potential hackers can operate remotely.

Although there have been no reports of hacking attacks on medical devices in Australia, there have been reports of such attacks overseas. Cybersecurity experts in Australia have demonstrated a wide range of potential vulnerabilities in simulated attacks, advising medical device sponsor and asset owners to perform risk assessments by examining the specific clinical use of potentially affected products in the host environment.

Advertisement. Scroll to continue reading.

The Australian report refers healthcare organizations back to the U.S., and guidelines from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). No specific requirements are highlighted for securing medical devices or the infrastructure supporting those devices.

WHAT YOU CAN DO

Medical device security is a multi–facetted problem; you can’t just point to the device itself and ask “Is it secure?” The security chain is only as strong as its weakest link, and that chain goes all the way from the hospital to the manufacturer to the regulator. At the end of the day, it starts with the doctor attaching the device to the patient and making sure the correct security checks have been made to ensure patient safety.

Part of ensuring strong security is having the right technology in place to guard the end-points – everything from servers to databases to laptops to medical devices. Cylance believes that traditional signature and heuristics-based protection fails to provide an effective defense as threats grow in sophistication (e.g., sandbox-aware malware). The concept of an effective prevention security layer needs to be brought forth in order for the healthcare industry to right itself and deliver on the promise of administering quality care through uncompromised medical devices and hospital systems.

Utilizing a revolutionary artificial intelligence agent, Cylance’s solutions and services are designed to proactively prevent the execution of advanced persistent threats and malware.

Advertisement. Scroll to continue reading.

For more information about how Cylance can protect the healthcare industry — including the Internet of Medical Things, read “The Medical Device Paradox: Hospital Systems and Device OEMs Race Against Time to Close the Patient Safety Cyber Gap.”

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

ELECTRONICS

Philips EasyKey partnered with Megaworld and equipped their world-class properties with only the best-in-class smart locks we have on offer, the Philips EasyKey 9300.

HEADLINES

The PLDT wireless unit is also calling on customers to report these messages to Smart’s HULISCAM portal for further action.

HEADLINES

Here are some tips from Sophos for staying secure online during the cybersecurity awareness month.

HEADLINES

While only 21% of hackers believed that AI technologies enhance the value of hacking in 2023, 71% reported it to have value in 2024....

HEADLINES

Kaspersky has enhanced its Kaspersky Industrial CyberSecurity (KICS), a native XDR Platform for industrial enterprises, and streamlined Managed Detection and Response (MDR) for Industrial...

HEADLINES

Smart has received reports about unscrupulous individuals pretending to be company executives or representatives of organizations asking for donations for made-up or nonexistent relief...

HEADLINES

Located in the Kaspersky office, the new facility will provide the company’s stakeholders with services ranging from an overview of Kaspersky’s practices, to a...

HEADLINES

Smart and Maya emphasize that they never send SMS with links requesting login credentials, personal information, or account verification. If you receive such a...

Advertisement