How to Protect Medical Devices from Cyberattacks
By Eddie Myers, Crothall Program Manager for Cybersecurity Solutions
Amid recent geopolitical tension in the Middle East, there’s a new risk of nation-state cyberattacks against US companies, government agencies and even healthcare organizations. But there are plenty of steps hospitals and healthcare organizations can take to help ensure their technology networks are protected from any new cyberattacks.
Cyberattacks against hospitals aren’t new. Data breaches cost the healthcare sector an estimated $4 billion in 2019, according to Black Book Market Research. And one of the biggest targets is medical devices. In a report issued one year ago, the US Department of Health and Human Services listed “Attacks Against Medical Devices” as one of the five most common threats facing US hospitals and clinics.
Here’s the issue facing hospitals when it comes to cyberattacks: several medical devices ranging from MRI machines, CT scanners and nuclear medicine cameras are connected to central computer networks. All of these devices work together, so if the network breaks down, those devices go down, too.
But there are solutions. I lead the team in Crothall’s Healthcare Technology Solutions (HTS) Informatics Department responsible for the unit’s cybersecurity program. Working with Information Technology experts at hospitals around the country, our team helps protect our clients’ medical devices from computer viruses and cyberattacks, while also ensuring HIPAA security compliance.
Given the potential for new cyberattacks, our technicians work closely with hospitals to develop and coordinate plans to prevent any cyberattacks. Given the new potential threat, there are several steps hospitals can take. Here are five recommendations that any organization should consider:
Check Settings for Firewalls and Intrusion Prevention Systems While Ensuring Software is Updated. As hackers attempt to find and exploit any vulnerable areas of a computer network, it’s important a hospital has the latest software to close and patch all possible points of intrusion. In one of the latest large scale vulnerabilities called URGENT/11, SonicWall Firewall devices were impacted. SonicWall quickly created a patch for the SonicOS to close this vulnerability that attackers could have exploited.
Control of Medical Devices’ Access. Security is improved by limiting the number of devices that can communicate information to other devices. For example, a hospital can limit a CT scanner to communicate only with a Picture Archiving and Communications System (PACS), a Radiology Information System (RIS) and an Electronic Medical Records system. By preventing access to other devices, there is less chance a hacker can disrupt key medical equipment.
Consider Network Segmentation for Medical Devices. By separating certain medical devices from the regular production network, the exposure to these devices is reduced. A hospital can place medical devices on their own network and reduce the risk of a computer that accesses less secure websites from infecting a mission-critical medical device.
Know All Legacy Systems and Enforce More Controls. It may not be feasible or financially practical for many hospitals – especially small ones in rural areas -- to upgrade each medical device to work with the latest and greatest operating system. These legacy devices have operating systems that are no longer supported and there are no patches to protect against the most current threats. Once you know what legacy systems are on the network, you can then block the internet and also close unused network ports to reduce the exposure of the device on the hospital network.
Staff Awareness and Training. By training frontline staff that use and protect medical devices every day, a hospital can significantly reduce its security footprint and create a human firewall. Make certain these associates understand that hackers can deploy a virus to infiltrate a computer network and malware can be introduced from any vulnerable spot in your network or operating system.
An employee can unknowingly click a file, download unauthorized software, or load a contaminated thumb drive. Train employees to create strong, secure passwords and frequently change their passwords.