Cyberattacks on the Health System is a Patient Safety Issue
Saheed Oyedele B.Tech., M.Sc., M.Sc., Doctoral Cand.
??Electrical & Electronics Engr. | Network Engineering Specialist | Data Analytics Pro | Cybersecurity Professional | Risk Analyst | Ethics & Compliance Advocate | Doctoral Candidate in Cybersecurity & Info Assurance??
(*??Disclaimer: Many of these vulnerabilities were discovered under experimental conditions that did not directly affect patients but exhibited reality.??*)
Medical Devices are used in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease. If these connected medical devices are compromised, for example, Magnetic Resonance Imaging (MRI), Positron Emission Tomography (PET) scans, vital sign monitors, etc. or source of a venerability to your network as well as directly alter the readings, or operations, of the devices themselves, that is an attack on our wellness resources. They have their unique functionalities, creating interface between the human body and computerized systems. In short, the medical devices are mostly Internet of Bodies (IOB), differing?from Internet of Things (IOT). Researchers have shown that unauthorized access and DDoS attacks against medical devices are possible. While network-connected and more complex software-based devices have transformed patient care for the better, they also present more difficult cybersecurity challenges for both design and servicing. Medical devices attached to and implanted in our bodies to mediate life and death for patients are highly vulnerable to cyberattacks. For example, cochlear implants, insulin pumps and glucose meters, pacemakers, intracardiac defibrillators, intrathecal pain pumps, nerve stimulators and more. Compromise of these devices could result in inaccurate readings of healthcare information, overdoses of drugs, and even the delivery of electric shocks at the wrong time. Some may be vulnerable to simple radio signal interference. The radio frequencies that wirelessly transmit data may even be publicly available in the manuals that come with the devices, potentially allowing malicious parties to intercept or disrupt them.?
Devices may also be entry points to database servers and web servers. Devices connected to database servers are prime targets for structured query language (SQL) injections. These types of attacks are extreme in extent. In the hacker's world, digital nature and entry points are the ultimate search. According to an African proverb, "there must be a crack in a wall for a lizard to invade". Numerous penetration tests have demonstrated the vulnerabilities of medical devices. A threat intelligence analyst once revealed a transmission between two component devices were unencrypted. Also, there exists the device to intercept the control of insulin pump and glucose monitor, and?very affordable online.?Some medical devices are even susceptible to eavesdropping. A surgical robot was once experimentally hacked and taken over. A deep brain simulator (DBS), meant for movement disorders was interfered with by hackers causing alteration of impulse data. A wearable heart monitor for infants, have proven that they are susceptible to attacks. The transmissions from the monitor were unencrypted and easily controlled by other users. The reason why the product researchers demonstrated that they could gain unauthorized remote access to an insulin pump from 100 feet away, changed already-issued wireless pump commands, remotely changed the software, and denied communication with the pump device and for those who use a mobile phone to help patients monitor their glucose levels. Malicious actors could breach the security of the mobile phone to change the insulin pump’s settings. The three primary types of cyberattacks: unauthorized access, malware, and a denial-of-service or distributed-denial-of-service (DDoS) attack could also happen to the health system. Attacks on medical networks themselves can affect devices, too. Device manufacturers have become more attentive to these medical vulnerabilities.?
Federal regulatory regimes including the Federal Food, Drug, and Cosmetic Act (FDCA) and HIPAA govern medical device manufacturers and healthcare providers. HIPAA provides some protection against cyberattacks by creating a regulatory framework to safeguard PHI. Under FDCA, the FDA has begun to evaluate cybersecurity as a part of the medical device approval process. the Anti-Tampering Act should also apply to defendants who electronically tamper with medical devices. The introduction of digital health devices into healthcare systems is the window to cyberattacks. The vulnerabilities in medical devices pose significant risks, potentially compromising patient safety, privacy, and the overall integrity of healthcare systems. Legacy medical devices that operate on outdated software are hard to update and ultimately leave them vulnerable to cyberattacks. There is a forecast for cybersecurity in medical devices to grow, which indicates an increase in connectivity and digital integration of medical devices, as they provide more opportunities for cyberattacks. Aligning cybersecurity and patient safety initiatives not only will help your organization protect patient safety and privacy but will also ensure continuity of effective delivery of high-quality care by mitigating disruptions that can have a negative impact on clinical outcomes.?
Healthcare sectors possess so much information of high monetary and intelligence value to cyber thieves and nation-state actors. The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation. Cyberattacks on electronic health records and other systems also pose a risk to patient privacy because hackers access PHI and other sensitive information. cyberattack access to medical records either intentionally or unintentionally alter the data, which could lead to serious effects on patient health and outcomes. Patient outcomes were threatened when Britain’s National Health Service was hit as part of the May 2017 “WannaCry” ransomware attack on computer systems in 150 countries, resulting in ambulances being diverted and surgeries being canceled. Since that time there have been other instances of ambulance diversion orders issued due to ransomware. Missing or incorrect patient health information can lead to an improper diagnosis or therapy, which may result in harm or death due to delayed or inappropriate treatment.
In January 2023, Insulet revealed that an incident had exposed the IP addresses of its Omnipod DASH insulin pump users. In February 2023, medical device manufacturer BD released a bulletin revealing that one of its infusion pumps had a password vulnerability that might allow access to personal information. A month later, ZOLL Medical acknowledged that the addresses, birthdates, and Social Security numbers of 1,004,443 individuals had been compromised due to a vulnerability in its LifeVest cardioverter defibrillator product. Several hospitals have experienced multi-day network outages due to malware attacks. Some devices do not allow anyone besides the original equipment manufacturer (OEM) to make repairs and update. Repairs and adjustment are impractical to some implantable devices, thus take on a different kind of risk because their devices are not secure.?According to the American Hospital Association, patients have struggled to get access to care and billions in payments to providers have been halted, threatening the financial viability of hospitals, health systems, physician offices and other providers. The healthcare industry has become a hot target for hackers, who realize the hospital’s executive team will pay ransomware demands to save lives. In some extreme cases, cyber-attacks have even led to the shutdown of entire healthcare facilities, putting patients' lives at risk. Ransomware attacks that lock access to critical healthcare IT systems often cause disruption that leads to cancelled outpatient appointments and elective surgical operations. Ransomware is the biggest threat to the security of healthcare data. Hackers use the data to get illegal medications, craft fake insurance claims and target victims with medical-related scams. They may sell it on the dark web or hold protected health information (PHI) for ransom. Losing access to medical records and lifesaving medical devices, such as when a ransomware virus holds them hostage, will deter your ability to effectively care for your patients. Medical devices such as infusion pumps and EKG machines are not designed with security in mind, and often run outdated operating systems. The attack surface for healthcare systems has expanded beyond medical IoMT to every device (such as HVAC systems, elevator control systems, cameras), applications, cloud and SaaS. Security begins with visibility and every connected asset can become a threat vector. Hackers are fully aware of the vulnerability of sick patient's dependent on technology and caregivers, who are easily manipulated when the health of patients is at stake.?
Criminals can access medical devices and use them to kill patients remotely. For example, they can hack into a pacemaker and stop the patient's heart or hack into an insulin pump and use it to administer a lethal dose of the medicine, thus killing the patient. In 2021, hackers broke into the infrastructure of software cancer provider Elekta. They found their way into the company’s internal systems through the internet and took its software offline. They took down their private cloud and?effectively shut down all cancer radiation therapy machines for about six weeks globally. There is possibility of a threat actor to gain access to a healthcare provider’s computer network through an email phishing attack. Actors could take command of a file server towhich a heart monitor is attached. During the scanning of the network for devices, the threat actor could take control (e.g., power off, continuously reboot) of all heart monitors in the Intensive Care Unit (ICU), putting multiple patients at risk. The top 10 Vulnerable Medical Devices are Insulin Pumps, Pacemakers, Infusion Pumps, Patient Monitors, MRI Machines, Radiation Therapy Systems, Diagnostic and Imaging Equipment, Surgical Robots, Defibrillators and Hospital Networking Equipment. Recorded cases of cyberattacks have been recorded for MCNA Dental, Community Health Systems, Change Healthcare, Anthem, Inc, American Medical Collection Agency, Premera Blue Cross, University of California, Los Angeles Health, Excellus Health Plan, Inc., Medical Informatics Engineering, Banner Health, Advocate Aurora Health Shields Health Care Group, Cerebral, Regal Medical Group, Medibank, HCA Healthcare and many more.?
Several strategies can be employed to mitigate cyber risks in the medical world. Security teams identify cyber threats, manage exposure and protect against ransomware and other attacks. Detect vulnerabilities across every asset including medical IoMT devices. Prioritize patching and threat response based on asset and organizational risk factors. Identify threats early by pinpointing behavior anomalies outside of known-good baseline. Find non-compliant devices such as medical devices in the guest VLAN. Broad integrations with existing workflows – ITSM, SIEM, security operations. Comprehensive incident response — block, terminate, quarantine, Zero Trust segmentation. Zero trust segmentation limits devices running outdated operating systems to “baseline” communications. Orchestrate enforcement on firewalls, switches and network access control solutions. Assess inventory traits such as IT components that may include the Media Access Control (MAC) address, Internet Protocol (IP) address, network segments, operating systems, applications, and other elements relevant to managing information security risks. Engage information security as a stakeholder in clinical procurements. Develop and implement network security applications and practices for device networks. Healthcare professionals should be able to recognize cyber threats so that action can be taken quickly, avoiding the potential detrimental outcomes of cyberattacks. Implementing encryption and authentication mechanisms can safeguard data transmitted between devices, and using network segmentation to isolate medical devices from other critical systems can limit the potential impact of cyberattacks. The most important defense is to instill a patient safety-focused culture of cybersecurity.? It is helpful if patients register their devices with the manufacturer to ensure that they receive these notifications. Providers should also attend to their procurement procedures and only use devices with appropriate security features when possible. Body-coupled technology, which uses the body itself as a transmission medium, may help to ensure that only specific readers can access the devices. An inventory listing when information from these devices is downloaded, where it is stored, who has access, and where it might be transmitted can help in ensuring that it is protected. Manufacturers of new devices must monitor, identify, and address post-market cybersecurity vulnerabilities. They must also have a plan to identify vulnerabilities on a regular cycle and regularly update and patch software. Expanding HIPAA to apply to medical device manufacturers and to any cyberattack that causes patient harm is one way to incentivize medical device manufactures and healthcare providers to adopt cybersecurity measures. Consider cybersecurity during the design phase of the medical device. By training frontline staff that use and protect medical devices every day, a hospital can significantly reduce its security footprint and create a human firewall. Adaptation of resilient systems that can continue to operate essential services unimpeded even if ransomware gets into the cloud or even if all the firewalls are compromised.?
?
领英推荐
Conclusion:?
Health care is just an amazingly complicated set of subsystems, and they are all interconnected. As many medical device manufacturers are beginning to integrate cloud services into their products, we can expect outages of entire medical device product lines, if they are not resilient to ransomware and other cyberthreats. New legal and regulatory approaches are needed. One approach is industry self-regulation, which could lead to the adoption of industry-wide cybersecurity standards and lay the groundwork for future legal and regulatory reform. Communication networks are a shared responsibility between medical device manufacturers and medical device user facilities. Industry self-regulation is common in the healthcare space and could play an important role in helping to design hospital networks and medical devices that are less vulnerable to cyberattacks Compliance with these standards are often mandatory because states require many healthcare providers to receive accreditation from an organization. In most cases, Adverse event reporting identifies medical device flaws only after patient harm?has occurred. Protecting against intentional cyberattacks requires a different approach than protecting against unintentional medical device defects. The solution is to promote investment in technology to identify the malicious actors behind cyberattacks, improving the deterrent power of laws that imposes liability on these actors. ?
??
References:?
https://www.informationweek.com/cyber-resilience/the-unique-cyber-vulnerabilities-of-medical-devices?
?
?