Keeping medical devices safe from cyber attacks
In the last few years, hospitals and medical facilities have been successfully targeted by cyber crooks looking to exploit or wreak havoc on the healthcare sector and its patients. Emboldened by the industry’s slow progress in adopting technologies that harden medical devices and data systems, criminals have upped their game.
By Alan Grau, VP of IoT/Embedded Solutions, Sectigo
HealthITSecurity.com reported that this year, at least six health care providers have been victimised by ransomware attacks. In June 2019, NEO Urology was attacked and ended up paying $75,000 to regain access to their system and data. In February 2019, a ransomware attack on the Southeastern Council on Alcoholism and Drug Dependence resulted in them having to notify 25,148 patients that their data was potentially breached. These are just the attacks that have been reported; experts assume that many other attacks have occurred but kept confidential.
Patient’s personal medical data can also be accessed, sold and used for nefarious purposes. According to CBS News and Protenus, in 2018, 222 medical companies reported hacking incidents, affecting more than 11 million patient records. HIPPA compliance becomes the least of a patient’s privacy worries when their medical records and credit card data are being sold on the dark web.
The cost of inaction, starting with something as obvious as email security, can be steep for healthcare organisations. According to Security Intelligence Magazine, the FBI in 2017 found that BEC (Business Email Compromise) and email account compromise represented the highest reported losses, costing 15,690 business victims a collective $676 million.
It’s also becoming more critical to outsmart cyber criminals by protecting connected medical equipment. For example, according to HealthcareIT News, the FDA said that several Medtronics’ insulin glucose pumps (now recalled) could have been remotely be taken over and induced to mis-perform, leading to dangerous healthcare consequences. Hardening these devices needs to start on the assembly line, and continue throughout the supply chain, from the processors and components inside the devices, to the software updated over the air.
Cyber security risks extend to patient safety as well. For example, if an iWatch or similar personal health monitoring device falsely indicates that a person’s heartbeat is too slow or too fast, the worst that can happen is that the patient may get needlessly worried. However, if a pacemaker gets hijacked, it is possible to either speed up or slow down readings of the electrical pulses regulating the heart, impacting the behaviour of the pacemaker. In the case of a glucose monitor used for diabetic patients, a false indication of blood sugar levels, combined with the incorrect “automatic” dosage of insulin, could become deadly.
How can the medical community immunise to prevent attacks?
We are living in a dynamic Internet of Things world where every ‘thing’ has some form of connected computer. By building security controls and policies into every device, medical manufacturers can not only prevent attacks that originate over the Internet, but also ensure that their equipment is not carrying a hidden malware payload injected during the manufacturing process.
To start: better knowledge and practises for website, network and database security using digital certificates and online security policies can ensure that medical organisations that use the internet to transfer and store information, conduct online transactions, and provide personal data, are secure from most common hacking attempts. By ensuring that every website, server, mobile device, application, and piece of equipment has a digital identity that is authenticated (enabling encrypted communications), companies greatly deter hackers. Keeping hackers out of the IT networks reduces risk of attacks against medical devices and other systems inside the network.
Advancements in email security, such as using Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates to secure email communication, provide protection against phishing attacks and BEC attacks—safeguarding from having employees inadvertently open malicious emails from fraudsters. Securing emails closes one more door to hackers, who would otherwise gain access to networks housing personal and financial data or cripple and hold systems ransom.
Equally important is building security into a device. This requires security features that protect the device from attack, protect the integrity of the device, and enable device identity. The good news is that manufacturers, suppliers, and developers in the sector are increasingly adopting best-practice technologies for connected device security, including:
- Secure Boot – Provides embedded software APIs that ensure software integrity from the initial ‘power on’ to application execution and enable developers to securely code sign boot loaders, microkernels, operating systems, application code, and data.
- Device Identity Certificates – Injecting digital certificates into devices during manufacturing, enabling devices to be authenticated when installed on a network and before being able to communicate with other devices in the system. This ensures devices cannot be spoofed and provides protection from counterfeit devices being introduced into the network.
- Embedded Firewall – Works with Real Time Operating Systems (RTOS) and Linux to configure and enforce filtering rules, preventing communication with unauthorised devices and blocking malicious messages.
- Secure Element Integration – OEMs and medical device manufacturers should integrate a variety of Secure Elements, such as Trusted Platform Module (TPM) compliant secure elements to provide secure boot, PKI enrolment using key-pairs generated within the secure element, and device attestation.
- Secure Remote Updates – Validate firmware is authenticated and unmodified before permitting installation of firmware updates, ensuring components have not been modified and are authenticated modules from the original equipment manufacturer (OEM).
The medical device developers and manufacturers that have implemented these security protocols and technologies have made huge strides in preventing remote attacks from infecting their devices and networks with malware, or inviting ransomware attacks. By adopting these modern security solutions, the industry ensures that the sub-assemblies and components, sourced from all over the world, as well as the various processors, boards, sensors, etc., built into their medical systems, are also safe from hacking.
Keeping medical devices and information safe from cyber attack is not simple and will never be perfect. It’s an ongoing battle. Cyber criminals are always improving their methods and developing new, clever attack vectors. However, by staying up to date with the latest cyber security trends and using smart security procedures and software, manufacturers, medical facilities, and their patients, can gain the best preventative immunisation available.