What hospital execs should be asking medical device vendors about cybersecurity
Cybercriminals are increasingly attacking medical devices with ransomware and other malware since they are both soft targets and, because they are often essential to patient’s lives, hackers have considerable leverage when demanding payment.
That means hospital CIOs, CISOs and their staffs should be taking steps now to protect health data.
“Ransomware attacks against medical devices are going to continue to grow like crazy in the coming months and years because most of the connected medical devices are not being secured properly,” said Mandeep Khera, chief marketing officer at Arxan Technologies, a cybersecurity vendor whose specialties include the Internet of Things in healthcare. “Hackers know that, the industry knows that, and because of the sensitive nature of these devices, hackers know they can use them for ransomware and they will get paid because it is all about affecting patients’ lives.”
First of all, they need to be asking the right questions. What types of security have you built into the device? Have you conducted penetration testing on it and what were the results? What is your process for distributing security updates and patches?
These are all questions to be answered ahead of a cyberattack or serious threat.
Neil Ganguly, CIO of JFK Health System recommended that hospitals also conduct internal and external independent security audits to determine the value of legacy systems and calculate the risk of keeping them against the cost of replacement.
Health systems must prioritize the most risky security holes and then balance the costs like any other initiative. If securing an older medical device that still delivers value, for instance, will cost $500,000 but only reduce the risk by half, that can be hard to convince CFOs to sign-off on, said Roy Wyman, partner at Nelson Mullins Riley & Scarborough in Nashville, Tennessee.
Don’t forget about educating patients, either, because most are not aware of security issues specific to medical devices.
“As we start to see more and more of these types of attacks, patients will get more savvy,” Khera said. “It will take some time. Famous patients like Dick Cheney know how to ask the right questions: ‘If there is no security behind this, I don’t want this to be connected with my pacemaker.’ Common users have no idea what questions to ask. Hospitals need to educate these patients so they know if they are secure or if there is a risk.”
Khera said the bottom line is that while many medical device manufacturers have thus far missed the mark on security most are now improving but it’s still up to hospital customers to keep their vendors accountable.