In the U.S., the FBI has found hundreds of vulnerabilities in medical devices following recent Cybersecurity and Infrastructure Security Agency (CISA) alerts. These medical devices, including insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps, all too often run outdated software and lack adequate security features.
As an example, CISA has called out vulnerabilities in the Contec Health CMS8000 Vital Signs Patient Monitor, a device designed to monitor a patient’s heart rate, oxygen saturation, temperature, and other vital signs.
As a result of such vulnerabilities, hackers are able to take over the devices, change readings, administer drug overdoses and threaten patient health.
To understand the risks more fully, Digital Journal caught up with Sally Vincent, Senior Threat Research Engineer at LogRhythm.
Vincent begins by outlining some of the recent issues that have affected healthcare in general: “Cyberattacks against healthcare organizations have increased significantly in recent years. In the last month alone, the French Hospital Center Hospitalier Sud Francilien (CHSF) and CorrectHealth have fallen victim to cyberattacks.”
Turning her attention to medical devices, Vincent finds: “The FBI has recently discovered hundreds of vulnerabilities in medical devices such as insulin pumps, intracardiac defibrillators, mobile cardiac telemetry, pacemakers and intrathecal pain pumps.”
The problem is that while most technology has moved on, much of the software that controls medical devices or collects information has remained static. Here Vincent notes: “Many of these devices are over 30 years old, run outdated software and lack adequate security features.”
This leads to the risks, which Vincent summarizes as: “These findings shed light on the potential dangers of security inadequacies in the healthcare sector, including threats to healthcare organizations’ credibility and, more importantly, to patients’ lives and data.”
Risks take other forms too. According to Vincent: “The cost of a cyberattack is highest in the healthcare vertical, which makes it imperative for healthcare organizations to keep cybersecurity controls top-of-mind—investing in more modern medical devices is only the first step.”
To redress this, measures need to be taken. Vincent recommends: “It is essential for organizations to adopt specific cybersecurity measures to ensure their patients’ safety, including strengthening their incident response plans to quickly and efficiently mitigate the effects of a breach.”
Vincent also advises: “Healthcare organizations must also implement password hygiene, threat detection capabilities and preventative and response controls that can thwart malicious cybercriminals, protect patient data and ensure that the day-to-day processes of IT systems continue to run without disruption.”
Taking this advice can bring success, as Vincent notes: “With these changes, healthcare organizations will be allowed full visibility into their IT environments, ultimately better protecting their patients and keeping valuable data secure.”