June 6, 2017
Cyber attacks have been all over the news, with a great deal of focus on the most recent WannaCry ransomware. We urge you not to put your blinders on and think these attacks are only aimed at PCs – medical devices are also predicted to experience cyber attacks within the next year. For example, Siemens (a well-known medical device manufacturer) had their files compromised during the WannaCry epidemic. If you are a healthcare provider, you need to be aware of how this may affect your patients and your operation.
A recent study by Synopsys found that 67% of medical device manufacturers and 56% of healthcare delivery organizations believe medical devices could be a target of cyber attacks within the next 12 months. While those percentages are disturbingly high, the percentage of organizations that have taken steps to prevent cyber attacks on their devices is alarmingly low – only 17% of manufacturers and 15% of healthcare delivery organizations.
What’s even more alarming is that security researchers have found they can remotely control medical devices, including defibrillators, pacemakers, and insulin pumps, that are controlled by a hospital’s network.
How can healthcare providers protect their patients and systems from this kind of attack? While there isn’t a 100% fool-proof plan yet, we feel these tips are an excellent start:
- Advise patients with remotely accessible devices to secure their home wireless networks or contact an IT service provider to do so.
- Be sure your internal systems are updated and secure. This is critical if you are remotely managing any patient devices.
- Maintain software patch updates on a regular basis.
- Limit inbound and outbound remote access to only those who require it to perform their jobs.
- Design any remote access to medical devices to operate using network and security systems which are separate from your internal network, whenever possible.
- Educate your employees on good basic security concepts, such as suspicious emails and attachments.
- Ask your device manufacturers about their security policies and how their programming protects devices from cyber attacks.
- Check to see if your medical device manufacturers are members of the Information Sharing and Analysis Organization (ISAO) under the FDA. This organization shares details about security risks and attacks. The FDA recommends that these manufacturers report potentially dangerous issues that haven’t caused harm to the end user within 30 days, fix the problem within 60 days, and share information through the ISAO so other manufacturers can fix or prevent the same type of problems.
Be diligent, my friends, and if you should have any network security needs, we would love to be your partner.
Want to do more reading on this subject? Here are links to some great articles:
- Best Practices for Medical Device Cybersecurity Management
- The FDA's Role in Medical Device Cybersecurity
- Medical Device Security
- Dellinger, AJ. (2017, May). “Medical Device Makers Expect Attacks Within Next Year, But Aren’t Prepared.” Retrieved from www.newsweek.com.
- Dellinger, AJ. (2016, December). “Medical Device Security, Privacy: FDA Issues New Guidelines On How To Protect Gadgets From Cyber Attacks.” Retrieved from http://www.ibtimes.com