Healthcare News & Insights

Why medical device security should be top priority

While it’s not common just yet, hacking medical devices is poised to be one of the most significant security threats your hospital will face in the near future. And facilities that don’t start protecting themselves now could experience big problems. 

Despite what TV shows and movies might have you believe, the worst that can happen if a hospital medical device is hacked has nothing to do with patients’ health.

Dramatic scripted scenes can leave the impression that the goals of hackers are to make an insulin pump malfunction or a pacemaker stop working.

But most troublemakers aren’t looking to hurt patients physically – they’re trying an alternate method to get their hands on valuable protected health information (PHI).

Medical records are chock-full of sensitive data that can be sold for a hefty price on the black market. And because many hospital medical devices are unprotected, they’re an easy way for a tech-smart crook to gain indirect entry into a facility’s IT infrastructure – including an electronic health records (EHR) system.

Dangers of ‘medjacking’

This practice has been dubbed “medjacking” by cybersecurity experts, and it’s growing in popularity, according to an article in Healthcare IT News.

In fact, three different hospitals have recently fallen victim to medjacking attacks.

The first one involved a blood gas analyzer that cybercriminals infected with malware. The device was used to steal passwords to access other hospital systems.

With the second attack, hackers gained access to a hospital’s main network via its radiology department’s image storage system. A third hospital experienced a security breach when criminals exploited a weakness in a drug pump to break into its network.

Response to security issues

Attacks like these are usually caused by hackers exploiting known weaknesses in medical devices – issues recognized by both vendors and the government.

Despite this, manufacturers have been slow to release fixes. Both the Food and Drug Administration (FDA) and the Department of Homeland Security are putting more pressure on companies to address these vulnerabilities.

But for now, the pressure is on facilities, which are still responsible for most of the consequences if their systems are breached through medical devices.

Your hospital’s best bet: Only work with companies and vendors that offer strong security features on their medical devices, including data encryption.

Additionally, it’s important that your IT department keeps track of any security risks that arise with medical devices so you can create a risk assessment plan to safeguard the PHI saved in your EHR. Putting tight controls on exactly how much confidential data these devices can access is essential.

All the measures your facility is taking regarding medical device safety should be included in the hospital’s risk assessment plan. There should also be a section mentioning how your facility will react in case a medical device attack does occur, taking all the facility’s different devices into account.
