Published: Jan 29 2021

How to Build Up Your Medical Device Cybersecurity: Principles and Best Practices

Strong cybersecurity is critically important when it comes to your medical devices: these devices not only house sensitive patient data but also connect to your broader systems, which means that a breach on any device could compromise your whole organization.

What’s worse, hackers know this, and they’re exploiting medical device vulnerabilities every chance they get. According to a survey in Black Book Market Research’s “2020 State of Healthcare Cybersecurity Industry” report, it is estimated that more than 1,500 healthcare providers are vulnerable to data breaches of 500 or more records in 2021, representing a 300% increase over 2020. That means that breaches are expected to triple – and 75% of healthcare providers don’t feel prepared for what’s to come.

Here’s how to build up your medical device cybersecurity so you don’t become one of these statistics.

Cybersecurity in 2021

Medical Device Cybersecurity: Security Isn’t Keeping Up with Hackers or Advancing Device Technology

Today’s medical devices and software applications are more advanced and technologically interconnected than ever before. As BSI explains, “What once existed as non-networked and isolated equipment now exists as fully networked equipment with bi-directional communications, remote access, wireless connectivity and software.” What’s more, the introduction of the Internet of Things (IoT) in the healthcare space allows for more integration between Hospital Enterprise Systems/Information Technology (IT), Clinical Engineering (CE) and suppliers through remote connectivity.

In many senses, this creates new opportunity for things like remote monitoring and diagnostics, making patient care faster, safer and more convenient. Patients with implanted heart devices, for example, can be monitored remotely so they don’t have to visit their cardiologist on a regular basis. Similarly, patients with diabetes can manage their blood sugar autonomously using glucose meters and insulin pumps.

However, this interconnectivity also presents new and ever-increasing cybersecurity risks. After all, these medical devices (and the sensitive data they house) are connected to one another, to the Internet and to broader hospital networks via wired or wireless connection — and this interconnectivity makes them vulnerable to cyber threats.

This concern is even more pressing when you also consider the presence of legacy technology, security vulnerabilities and inadequate device management, all of which make medical devices even more vulnerable to developing huge security gaps.

The good news? Many of these cybersecurity threats and vulnerabilities can be reduced if regulators, manufacturers and healthcare organizations understand how to effectively manage and reduce cybersecurity risks. Here are some best practices to follow.

Best Practices to Improve Medical Device Cybersecurity in 2021

1. Remember That Cybersecurity is a Multi-Level Process

Cybersecurity protection does not simply fall on the shoulders of healthcare delivery organizations (HDOs). Instead, it’s a multi-pronged effort that requires cooperation from medical device manufacturers (MDMs) and healthcare organizations.

Manufacturers, on one hand, must identify risks during production and take the necessary steps to mitigate those risks. Similarly, healthcare organizations must consistently evaluate their network security and make sure that no vulnerabilities go unnoticed.

Only when both entities do their part can cybersecurity threats be effectively avoided.

2. Hold Your Medical Device Manufacturers (MDMs) Accountable

When it comes to maintaining cybersecurity, your medical device manufacturers must proactively identify and reduce risks when they are building these devices. They should, at minimum:

  • Understand where vulnerabilities can be introduced during development (i.e., during design, implementation, and through third-party software components) and how to prevent those vulnerabilities.
  • Offer a contract that guarantees the cybersecurity of the device.
  • Offer secure installation.
  • Provide ongoing cybersecurity support throughout the asset’s lifecycle.

There should also be a degree of on-site liability for devices that do not follow current cybersecurity best practices.

3. Understand What Vulnerabilities Cybersecurity Attackers Will Target

If you know what attackers are after, you know what you’re trying to stop and what those proactive measures might entail. Attackers primarily target medical devices to access the broader hospital network and the sensitive data therein – and they are especially motivated because hospitals have shown that they’re willing to pay to get their information and systems freed.

Keep in mind, though, that these attacks don’t always happen in the most obvious way. There are many go-to vulnerabilities that attackers actively target because they’re things that developers or hospitals may overlook. These will be their first attempted points of entry. They include:

  • Insecure firmware updates: Many software updates are implemented incorrectly, making it easy for attackers to exploit vulnerabilities.
  • Physical attacks: Physical attacks, where malware is installed through a physical point of entry, can be carried out through ports, flash drives and other points of entry.
  • Manufacturing support left enabled: During manufacturing, the manufacturers have access to a lot of commands and functionalities that they use to test and calibrate devices. If these capabilities are left enabled, it can be easy for attackers to find the commands and gain access to functionality.
  • Points of communication: Things that connect devices, like Bluetooth Low Energy (BLE), are inherently insecure – and an unsecured pairing to one of these systems can open your devices up to vulnerabilities. These pairings must be checked pre-emptively to confirm that the device is pairing to the right place and that there are no security risks.
  • Personal devices: In the wake of COVID-19, many doctors and medical professionals are working remotely – and most healthcare organizations haven’t taken the necessary steps to secure personal devices or train employees on security measures. What’s more, 40% of all clinical hospital employees claimed to receive little to no cybersecurity training in 2020, which can only make things worse.
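One way a device can close the first and third gaps in that list (unsigned or tampered update images, and manufacturing/test commands left enabled) is to gate every update behind a signature check, an anti-rollback version check and a production-mode flag check. This is an added example written for this post, not code from Accruent or any device vendor; the package layout, flag bit and signing key are constructed for illustration.

```python
"""Firmware update gate for a networked device: checks the vendor signature,
refuses downgrades and refuses images that still have manufacturing/test
commands enabled. Added illustration; the package format and key are
constructed for this example, not taken from Accruent or any device vendor."""
import hashlib
import hmac
import struct
from typing import Tuple

# Constructed stand-in for the vendor signing key. A real device should verify
# an asymmetric signature (ECDSA, Ed25519) so it only ever holds a public key;
# HMAC is used here so the example runs with the standard library alone.
VENDOR_KEY = b"constructed-vendor-signing-key"
HEADER = struct.Struct(">4sIB")   # magic, monotonic version, flags
MAGIC = b"FWPK"
FLAG_MFG_TEST = 0x01              # manufacturing/test command set left enabled
TAG_LEN = hashlib.sha256().digest_size


def build_package(version: int, payload: bytes, flags: int = 0,
                  key: bytes = VENDOR_KEY) -> bytes:
    """Vendor side: header + payload + MAC computed over header and payload,
    so neither the version nor the flags can be altered without detection."""
    header = HEADER.pack(MAGIC, version, flags)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_package(package: bytes, installed_version: int,
                   production: bool = True,
                   key: bytes = VENDOR_KEY) -> Tuple[bool, str]:
    """Device side: returns (accepted, reason). Every check runs before any
    byte of the image is written to flash."""
    if len(package) < HEADER.size + TAG_LEN:
        return False, "truncated package"
    header = package[:HEADER.size]
    body = package[HEADER.size:-TAG_LEN]
    tag = package[-TAG_LEN:]
    magic, version, flags = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic"
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return False, "signature mismatch"
    if version <= installed_version:             # anti-rollback
        return False, "rollback refused"
    if production and flags & FLAG_MFG_TEST:     # debug/test commands must be off
        return False, "manufacturing/test mode enabled"
    return True, "accepted"
```

Because the MAC covers the header, an attacker cannot simply clear the test-mode flag or bump the version on an old image; any such edit fails the signature check first.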

4. Understand What Attacks May Look Like

There are many kinds of active threats that your employees and systems may face. These include:

  • Crypto ransomware attacks: There has been a dramatic increase in crypto ransomware attacks in recent years, whereby criminals use malware to encrypt important information (like patient data or even logins to systems) and then demand payment to recover that information or restore operations. These kinds of attacks have started to happen all over the world and they’ve made the news for being so widespread and high-cost to healthcare providers.
  • SQL injection: During this type of attack, hackers supply crafted input that is passed unchecked into a database’s back-end queries, giving them access to sensitive information.
  • Spoofing/impersonation: During a spoofing attack, hackers trick hardware or software into thinking that a request is coming from a legitimate source so they can be let in.
  • Phishing: Phishing attacks use fake emails or websites that trick people into clicking links or entering credentials, giving attackers access to their information.
  • Denial-of-Service (DoS) attacks: A denial of service attack, as the name suggests, makes operating systems, hard drives or applications unavailable. The goal here is to prevent legitimate users from getting in, thereby disrupting operations and costing businesses money.
  • Physical destruction: Physical destruction of devices and components can be a part of a cyberattack.
  • Intellectual property threat: This is expected to rise in 2021 as attackers go after valuable intellectual property like COVID-19 research.

5. Understand Who Attackers Are

Cybersecurity threats can come from a variety of different sources. It's important to understand the possibilities, motives, technological capabilities and resources of each source:

  • “Hacktivists”: These are thrill-seeking attackers that can go after your software for fun, for money or with a specific plan in mind. The problem with “hacktivists” is that the tools they use are getting more sophisticated and easier to use, which means that they can try hacking without having a robust technical background.
  • Crime groups: Organized crime syndicates attack healthcare devices for monetary gain via phishing schemes, spyware, malware or spam. The goals? To commit identity theft, to extort organizations and to sell access to networked systems or to commit industrial espionage.
  • Inside hackers: Employees can easily (and often unwittingly) introduce malware or access sensitive information – usually for personal gain or because they are disgruntled.
  • Individual phishers, spammers or malware authors: All these individuals can attack your systems or trick employees for monetary gain.
  • Industrial spies: Attackers in the industry may seek to gain proprietary knowledge via hacking or malware.
  • Bots: Hackers can often use networks of bots to control multiple systems and perform multiple attacks at once. These attacks will usually take the form of denial-of-service attacks or phishing.

In many instances, these attackers are after one thing: money. And there’s a lot of money to be had by attacking the healthcare system. That’s why hospitals have been targeted for cyberattacks ever since the advent of electronic health records. And this has only become more prevalent during the pandemic. Reuters reports that ransomware attacks overall were 50% higher over the last few months of 2020, with nearly twice the number of health care organizations impacted in the third quarter of 2020 than the previous quarter. And attackers have gotten millions of dollars from these attacks, all of which is to say that you should remain prepared for this type of threat in the future.

Accruent Can Help

Accruent’s healthcare computerized maintenance management system (CMMS) can help your organization identify and resolve any medical device and security risks. To mitigate cybersecurity risks, the right CMMS will:

  • Analyze and report against all medical devices, network data and software.
  • Reconcile MDS2 data and other security attributes against inventory.
  • Automate workflows unique to your organization when potential security risks or gaps are found.
  • Integrate with network monitoring tools.

These features can ultimately help you identify security gaps, automate mitigation steps and track those fixes as they happen.

That’s just the tip of the iceberg when it comes to how a CMMS can streamline your operations and maximize your security.

Schedule a demo to see, in real-time, how a healthcare CMMS can benefit your organization.