Healthcare News & Insights

Medical device security: How hospitals must tackle threats

Medical device security is a hot topic for hospitals. Most ransomware attacks target vulnerable computer equipment running older operating systems and software programs. Hacking devices may appeal to cybercriminals because they’re difficult to update. A new report shows that hospitals need to do more to protect their devices. 

For the report, security vendor Synopsys and the Ponemon Institute surveyed professionals at hospitals and other healthcare providers, as well as medical device manufacturers, to find out what they’re doing to make sure devices are secure.

Right now, more effort is needed from both hospitals and vendors to ensure devices are up-to-date and free from malicious software. Per the report, only about 5% of facilities and 9% of vendors test medical devices on a yearly basis to make sure they’re working correctly and are free from security leaks.

This is true despite awareness of the potential threats that arise from a compromised medical device. Most device makers (67%) and healthcare facilities (56%) believe attacks on at least one of their medical devices is likely to occur in the near future.

Even worse: 31% of device manufacturers and 40% of healthcare providers are aware of similar incidents that happened with devices they use or maintain. In these situations, 38% of healthcare organizations said an insecure medical device caused patients to receive inappropriate or incorrect treatment. And nearly 40% of device makers said hackers managed to gain unauthorized access to their devices.

Improvement needed

A handful of hospitals (15%) and device manufacturers (17%) are taking significant steps to address these problems and prevent cyberattacks, but most aren’t moving in that direction for various reasons, including lack of support and resources.

However, in an age where advancements like the Internet of Things (IoT) and cloud storage are changing the way devices transmit and save protected health information, making sure they’re secure is more important than ever.

While some aspects of medical device security are complex and require financial investment, others are easier to implement. In an article from Healthcare IT News, Kevin McDonald, the director of clinical information security at the Mayo Clinic, suggested that hospitals:

  • create an inventory of hardware and software
  • install local firewalls and anti-virus programs
  • “whitelist” applications that are allowed on the network (and ban all other traffic), and
  • prohibit the use of nonexpiring or default passwords to access systems and devices.

Hospital IT departments should also make patching, testing and vulnerability assessments a regular part of their workflow to ensure medical devices are running with the most up-to-date versions of software. This helps ensure they’re less vulnerable to the newest types of malicious programs.

  • Jayden

    I know this is an old article, but this is something I am very concerned about and found on Google Search, and would like to raise some awareness to the issues so hopefully security, and policy can be improved.

    The problem is most doctors offices, and Hospitals have very little to no security at all in fact there is one hospital with no name given due to legal purposes which I visited years ago and I actually logged into one of their networks using the modems default password which is the same password mine used, and allowed me access into their network and settings. ( I let them know about it and they fixed it.) Just happened to have my own network configuration page open at the same time and saved to my auto login.

    But this isn’t the only problem, many hospitals and facility are actually able to be hacked there are many forms of hacking, when people talk about hacking they think about computers, but there is also social engineering involved, and many other tactics which are behind the scenes.

    What is more alarming to me is “Identity Theft” and (RAT’s) or (Remote Access Tools) on a USB stick, many people are unfamiliar with these, but any time a hospital staff, or any facility in the world for that matter containing sensitive information leaves the area patient, or other people alone with a networked computer a person can drop a USB stick into the computer which can install ransomeware, or give remote access to hackers or many things. (This can be learned about on YouTube.)

    What is even worse is physical security of some facility I have seen it’s minimal, and many facility are using RFID chips to quickly move around in a facility, however the problem with this is someone can duplicate these, and someone who has bad intentions could easily take advantage of this.

    You can look up all this information freely on YouTube, there are documentary’s explaining all this stuff, as well as hacker con’s showing how its done.

    Also it’s often at many facility in the real world that I see a doctor walk out of a room leaving patients records on the screen without closing them after they call you back to the room it’s there on the screen, even seen some where a person can cycle through other peoples stuff even make changes in them because it’s still logged in, in fact people have walked out of the room leaving my own information on the screen too (and this is how identity theft happens.)

    Obviously I have never done anything illegal, just been witness to stuff like this, and would love to see security, and procedure improved to prevent this type of stuff in the future, not talking about any one specific place.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.