In the last few years, hospitals and medical facilities have been targeted by hackers who exploit or wreak havoc on the healthcare industry and its patients. The industry didn’t do itself any favors by being slow to harden its medical devices and databases against cyberattacks, giving criminals ample time to up their game.
This year, at least six healthcare providers were attacked by hackers who had planted bugs in their software and threatened to effectively delete or shut down those hospitals’ and clinics’ patient records and other vital information unless the thieves were paid off—a so-called ransomware attack. For example, this past June, NEO Urology, a urology clinic, ended up paying $75,000 in ransom to regain access to its system and data. And in February, an attack on the Southeastern Council on Alcoholism and Drug Dependence forced the organization to notify 25,148 patients that their data was potentially breached. These are just the attacks that were reported; experts assume many others have also taken place but were hushed up to avoid bad publicity.
Patients’ medical data can also be accessed, sold, and used for less-than-righteous purposes. In 2018, for example, 222 medical companies reported hacking incidents affecting more than 11 million patient records, according to CBS News. HIPAA compliance is the least of a patient’s privacy worries when their medical records and credit card data are being sold to crooks.
By not increasing security, including adopting measures as simple as instituting some e-mail security, hospitals and clinics can pay a steep price. The FBI in 2017 found that e-mail theft cost 15,690 businesses at least $676 million.
It’s also becoming critical to outsmart hackers by protecting networked medical equipment. For example, the FDA said several Medtronic insulin pumps (now recalled) could have been remotely taken over and forced to malfunction, putting patients in mortal danger. Hardening medical devices must start at the first stages of design and continue throughout the entire supply chain, from the processors and components inside the devices to software updated over the air.
Cybersecurity risks extend to patient safety, as well. For example, if an iWatch or similar personal health monitoring device falsely indicates a person’s heartbeat is too slow or too fast, the worst that can happen is the patient may get needlessly worried. However, if a pacemaker is hijacked, an attacker could speed up or slow down the electrical pulses the pacemaker delivers to the heart, with dangerous consequences. In the case of glucose monitors for diabetic patients, a false indication of blood-sugar levels, combined with an incorrect “automatic” dosage of insulin, could be lethal.
By building security controls into every device, medical manufacturers can prevent attacks that originate over the internet and ensure their equipment is not carrying hidden malware injected during design or manufacturing.
To start, companies should establish better practices for website, network, and database security using digital certificates and online security policies. These help ensure that medical organizations that use the internet to transfer and store information, conduct online transactions, and handle personal data are protected from the most common attackers. By ensuring every website, server, mobile device, application, and piece of equipment has an authenticated digital identity (which also enables encrypted communications), companies greatly deter hackers. And keeping hackers off the IT networks reduces the risk of attacks against medical devices and other systems inside the network.
Advancements in e-mail security, such as using Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates to secure e-mail communication, protect against phishing attacks and business e-mail compromise (BEC) attacks. They also guard against employees inadvertently opening malicious e-mails from fraudsters. Securing e-mail closes one more door to hackers, who would otherwise gain access to networks housing personal and financial data, or else cripple systems and hold them for ransom.
Equally important is building security “into” a device. This requires security features that protect the device from attack, protect the integrity of the device, and enable device identity. The good news is that manufacturers, suppliers, and developers in the medical sector are increasingly adopting best practices for authenticating and securing connected devices. These include:
Secure boot. This provides embedded software APIs that ensure software has not been tampered with from the initial “power on” to application execution. It also lets developers securely code-sign boot loaders, microkernels, operating systems, application code, and data.
Device identity certificates. Adding digital certificates to devices during manufacturing lets devices be authenticated when installed on a network and before communicating with other devices in the network. This protects against counterfeit devices being introduced into the network.
Embedded firewalls. By working with real-time operating systems (RTOS) and Linux to configure and enforce filtering rules, these firewalls prevent communications with unauthorized devices and block malicious messages.
Secure elements. OEMs and medical device manufacturers should use secure elements, such as a trusted platform module (TPM) or an embedded secure element, for protected key storage. Secure key storage enables secure boot and PKI enrollment using key pairs generated within the secure element, providing a high level of protection against attacks.
Secure remote updates. Before a firmware update is installed, the device must verify that the image has not been modified and that it is an authenticated module from the OEM.
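As an added example (not Sectigo’s code or any vendor’s real update format), the secure-boot and secure-update checks above in Go: the OEM signs a constructed firmware image with an Ed25519 key, and the device verifies the signature under the OEM public key pinned in its protected storage and refuses to roll back to an older version before anything is written to flash.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (not a real vendor format): 4-byte big-endian
// version || firmware payload, with a detached Ed25519 signature over those bytes.
type Update struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

func imageBytes(version uint32, payload []byte) []byte {
	b := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(b, version)
	copy(b[4:], payload)
	return b
}

// SignUpdate runs on the OEM build server, which holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(priv, imageBytes(version, payload))}
}

// VerifyUpdate runs on the device before anything is written to flash. oemPub is
// assumed pinned in a secure element; installed is the version currently running.
func VerifyUpdate(oemPub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(oemPub, imageBytes(u.Version, u.Payload), u.Sig) {
		return errors.New("signature invalid: image modified or not from OEM")
	}
	if u.Version <= installed {
		return errors.New("rollback rejected: version not newer than installed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := SignUpdate(priv, 2, []byte("constructed firmware payload"))
	fmt.Println("genuine update:", VerifyUpdate(pub, 1, u))
	u.Payload[0] ^= 0xff // simulate tampering in transit
	fmt.Println("tampered update:", VerifyUpdate(pub, 1, u))
}
```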
Medical device developers and manufacturers that use security measures have made huge strides in preventing remote attacks from infecting their devices and networks with malware or inviting ransomware attacks. By adopting these modern security approaches, the industry makes the sub-assemblies and components safe from hackers.
Keeping medical devices and information safe from cyberattack is not simple and will never be perfect. It’s an ongoing battle. Cyber criminals are always improving their methods and developing new, clever attack tactics. However, staying current with cybersecurity and using proven security procedures and software means manufacturers and medical facilities—and their patients—get the best hacker immunization available.
Alan Grau is vice president of IoT/embedded solutions at Sectigo, the world’s largest commercial Certificate Authority and provider of purpose-built, automated PKI solutions.