Moving away from static offline devices and paper note-taking to having the full system and its communication online was a breakthrough for the healthcare industry. It did, however, introduce new challenges for medical device cybersecurity. This article explores some of the most alarming statistics on how the industry has been affected by cybersecurity threats over the past few years.
How vulnerable are medical devices?
According to a recent report by Cynerio, about 53% of connected medical devices have at least one critical vulnerability. To put this into perspective, IV pumps make up about 38% of a hospital’s Internet of Medical Things (IoMT) devices, and 73% of them have at least one vulnerability. That is a substantial exposure.
There are a number of critical vulnerabilities that, when exploited by a bad actor, can lead to deeper access within a Health Delivery Organization’s (HDO) network or to other negative outcomes. Some of these threats allow execution of arbitrary code that grants unauthorized access (Apache Log4j), others spread rapidly through computer systems and lock important files (WannaCry and Maui ransomware), and others force devices on the network to communicate without authorization (Urgent/11).
How are medical devices exposed?
With the industry having such a wide attack surface and many legacy devices at risk, HDOs have become a primary target for cybersecurity threats, the most serious being ransomware and data breaches.
Ransomware hit 66% of healthcare businesses in 2021, up from 34% the previous year. Over the course of 2020, ransomware attacks cost the healthcare industry about $20.8 billion in medical disruptions, again roughly double the previous year’s figure. While the cost of these disruptions is particularly alarming, the amount actually paid out to the attackers is far lower, around $2.1 million by contrast.
With the pandemic’s increased strain on HDOs, devices not working correctly and staff locked out of their systems, essential services suffered dramatically. The number of patient records held to ransom, for example, rose by 470% during 2020 and the pandemic compared with 2019. This was particularly devastating for the patients caught in the middle, worried that the most private elements of their lives would be exposed to the world.
Since healthcare delivery depends heavily on data (patient records included), any delay in gaining access to it can directly harm patients. The most recent U.S. figures show that 24 ransomware incidents targeting hospitals and multihospital health systems in 2022 affected 289 healthcare institutions. The most notable was the attack on CommonSpirit Health in October 2022, which exposed the data of 623,000 patients from 140 hospitals in total.
A report released by Sophos indicates that the healthcare sector is the one most likely to pay the ransom, and that healthcare ranks second among sectors in recovery costs after a ransomware attack, at up to $1.85 million in 2022. While these attacks have devastating effects on the industry, they are not the only factor that deserves security consideration.
There were 337 reported healthcare data breaches in the U.S. (each affecting more than 500 individuals) in the first six months of 2022, slightly fewer than the 368 cases reported in the same period of the previous year. However, 80% of them, an increase of 7% over the previous year, were related to hacking or IT incidents.
As 2022 came to a close, the number of healthcare data breaches involving 500 or more records in the U.S. decreased by 1.13% year-on-year, the first such decrease since 2015. Despite this drop, the number of recorded breaches still made 2022 the second worst year on record.
Source: HIPAA Journal, 2023
HDOs suffer significant financial losses as a direct result of these data breaches. The average cost of a healthcare data breach is anticipated to reach a record high of $10.1 million in 2023. This figure covers more than remediation: the expense of improving security capabilities, cyber insurance premiums, and the potential costs of class-action lawsuits and regulatory fines are also included.
How can medical devices be better prepared?
For all connected medical (and even non-medical) devices, the best approach is defense in depth from the early design stage, rather than bolting on security capabilities right before putting a device on the market. A number of best practices and security technologies should be included:
- Raising awareness across the industry helps in identifying issues present in medical devices. One example is Coordinated Vulnerability Disclosure (CVD) for diagnosis and remediation. Several non-profit associations (H-ISAC, Z-CERT and ANSSI, to name a few) also coordinate the communication of new vulnerabilities for the healthcare industry, and in some cases the FBI releases industry alerts giving insight into the attack possibilities created by unpatched and outdated devices.
- Device monitoring involves establishing a baseline of normal behaviour and then reviewing the medical device at regular intervals for irregularities. The two main approaches are network monitoring on the HDO side and assessing the medical device’s own monitoring capability.
- With the rise in ransomware attacks, recovery from malware is a crucial element in keeping HDOs operational. By storing backups offline, organizations can restore their data quickly without ever having to engage with their attackers, which reduces ransom payouts.
- Public Key Infrastructure (PKI) manages the use of digital certificates and public keys for encryption, allowing each device to have its own identity, integrity protection and method of authentication. Using a PKI also allows a longer-term view of effective and trustworthy encryption protocols.
By incorporating more of these critically important activities, hospitals and industry stakeholders can be better prepared until newly developed, more secure medical devices can replace the current ones.
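The device monitoring item above describes learning a baseline and then reviewing each interval for irregularities. The following Go program is an added example written for this page, not code from the article or from any monitoring product: it learns, per device, the set of network peers and the typical bytes per connection from a learning window, then flags three kinds of irregularity in a review interval (a device with no baseline, a never-seen peer, and a byte volume more than k standard deviations above the learned mean). The flow records, device names and destinations are constructed sample data.

```go
package main

import (
	"fmt"
	"math"
)

// Flow is one summarised connection from a device (constructed records for
// this example, not a real capture or monitoring-product format).
type Flow struct {
	Device string  // device identifier
	Dest   string  // destination host:port
	Bytes  float64 // bytes sent in the flow
}

// Baseline is what "normal" looks like for one device after the learning window.
type Baseline struct {
	Peers map[string]bool // destinations seen during learning
	Mean  float64         // mean bytes per flow
	Std   float64         // standard deviation of bytes per flow
}

// BuildBaselines learns a per-device baseline from a window of observed flows.
func BuildBaselines(window []Flow) map[string]*Baseline {
	byDevice := map[string][]Flow{}
	for _, f := range window {
		byDevice[f.Device] = append(byDevice[f.Device], f)
	}
	baselines := map[string]*Baseline{}
	for dev, flows := range byDevice {
		b := &Baseline{Peers: map[string]bool{}}
		for _, f := range flows {
			b.Peers[f.Dest] = true
			b.Mean += f.Bytes
		}
		b.Mean /= float64(len(flows))
		for _, f := range flows {
			d := f.Bytes - b.Mean
			b.Std += d * d
		}
		b.Std = math.Sqrt(b.Std / float64(len(flows)))
		baselines[dev] = b
	}
	return baselines
}

// CheckInterval reviews one interval of flows against the baselines and returns
// one alert per irregularity: unknown device, new peer, or a volume more than
// k standard deviations above the learned mean.
func CheckInterval(baselines map[string]*Baseline, interval []Flow, k float64) []string {
	var alerts []string
	for _, f := range interval {
		b, ok := baselines[f.Device]
		if !ok {
			alerts = append(alerts, fmt.Sprintf("%s: no baseline learned for this device", f.Device))
			continue
		}
		if !b.Peers[f.Dest] {
			alerts = append(alerts, fmt.Sprintf("%s: new peer %s not in baseline", f.Device, f.Dest))
		}
		// Guard against a perfectly flat baseline (Std == 0), which would
		// otherwise flag any increase at all: use at least 10% of the mean.
		spread := math.Max(b.Std, 0.1*b.Mean)
		if threshold := b.Mean + k*spread; f.Bytes > threshold {
			alerts = append(alerts, fmt.Sprintf("%s: %.0f bytes to %s exceeds baseline threshold %.0f",
				f.Device, f.Bytes, f.Dest, threshold))
		}
	}
	return alerts
}

// SampleWindow is a constructed learning window: two devices behaving normally.
func SampleWindow() []Flow {
	return []Flow{
		{"infusion-pump-12", "ehr-gateway:443", 1000},
		{"infusion-pump-12", "ehr-gateway:443", 1100},
		{"infusion-pump-12", "ehr-gateway:443", 900},
		{"infusion-pump-12", "ehr-gateway:443", 1050},
		{"infusion-pump-12", "ehr-gateway:443", 950},
		{"patient-monitor-7", "central-station:8080", 500},
		{"patient-monitor-7", "central-station:8080", 500},
	}
}

// SampleInterval is a constructed review interval with three irregularities.
func SampleInterval() []Flow {
	return []Flow{
		{"infusion-pump-12", "ehr-gateway:443", 1200},      // normal
		{"patient-monitor-7", "central-station:8080", 520}, // normal
		{"infusion-pump-12", "203.0.113.9:4444", 800},      // never-seen peer
		{"infusion-pump-12", "ehr-gateway:443", 50000},     // volume spike
		{"imaging-ws-3", "pacs:104", 2000},                 // device never baselined
	}
}

// RunExample learns from the window and reviews the interval with k = 3.
func RunExample() []string {
	return CheckInterval(BuildBaselines(SampleWindow()), SampleInterval(), 3)
}

func main() {
	for _, a := range RunExample() {
		fmt.Println(a)
	}
}
```

For the infusion pump the learned mean is 1000 bytes with a standard deviation of about 71, so the 10% floor applies and the threshold becomes 1300 bytes; the 1200-byte flow passes while the 50000-byte flow and the connection to an unknown peer are reported. In a real deployment the learning window would be long enough to capture legitimate periodic traffic (updates, backups) so that it does not appear as a new peer on every review.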
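The PKI item in the list above says a PKI gives each device its own identity and a method of authentication. The following Go program is an added example for this page, not code from the article or any vendor: it uses only the standard library to create a hypothetical "HDO Device CA", issue a device certificate whose CommonName is the device ID, and then run the HDO-side check, which verifies that the presented certificate chains to the trusted CA and that the device can sign a nonce with the matching private key. It also shows that a certificate for the same device ID issued by an unrelated CA is rejected. All names, serial numbers and the nonce are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key pair and a certificate for tmpl. With parent
// nil the certificate is self-signed (a CA root); otherwise parent signs it.
// Key generation or encoding failures abort the demo, hence the panics.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return key, cert
}

// template describes either a CA root (may only sign certificates) or a device
// identity (CommonName = device ID, usable only for client authentication).
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
		t.NotAfter = time.Now().AddDate(10, 0, 0)
	}
	return t
}

// signNonce is the device side of the challenge-response: it proves possession
// of the private key that matches the certificate.
func signNonce(key *ecdsa.PrivateKey, nonce []byte) []byte {
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// authenticateDevice is the HDO side: the presented certificate must chain to
// the trusted CA and the nonce signature must verify under its public key.
func authenticateDevice(trusted, presented *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("device did not prove possession of the certified key")
	}
	return presented.Subject.CommonName, nil
}

// Demo builds the hierarchy and returns the authenticated ID of the legitimate
// device and whether a device certified by an unrelated CA was rejected.
func Demo() (string, bool) {
	caKey, caCert := makeCert(template("HDO Device CA", 1, true), nil, nil)
	devKey, devCert := makeCert(template("infusion-pump-12", 1001, false), caCert, caKey)
	nonce := []byte("constructed-nonce-0001") // random per session in practice
	id, err := authenticateDevice(caCert, devCert, nonce, signNonce(devKey, nonce))
	if err != nil {
		panic(err) // the legitimately issued device must pass
	}
	// Same device ID, but certified by a CA the HDO never trusted.
	rogueKey, rogueCA := makeCert(template("Untrusted CA", 1, true), nil, nil)
	rogueDevKey, rogueDev := makeCert(template("infusion-pump-12", 1, false), rogueCA, rogueKey)
	_, err = authenticateDevice(caCert, rogueDev, nonce, signNonce(rogueDevKey, nonce))
	return id, err != nil
}

func main() {
	id, rejected := Demo()
	fmt.Println("authenticated:", id, "rogue rejected:", rejected)
}
```

The identity check rests on two independent facts: the certificate's signature chains to a root the HDO chose to trust, and the device demonstrates control of the corresponding private key by signing a fresh nonce. Possessing a copy of a certificate alone, or a certificate with the right name from any other issuer, satisfies neither. In production the device key would live in a hardware-protected store on the device and the CA key would be kept offline.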
Let’s act against cybercriminals!