The Rising Threat of Medical Device Hacking & How Healthcare Organizations Can Prevent It

Doctors, nurses and other medical workers at Springhill Medical Center arrived on site one day to find something shocking. Many of the center’s medical devices were inaccessible. Hackers had managed to take control of this critical equipment, restricting access until a ransom was paid. Needless to say, the hack severely hampered the center’s ability to assist patients. One patient even alleged that the hack resulted in the death of her child. The hospital then failed to ensure that its staff members were adequately trained to prevent another attack, and just days later, the hospital fell victim to another cyber attack. Sadly, this story is typical of the experiences taking place at healthcare focused organizations across the world on a daily basis.

With the increasing digitization of everyday life, cyber attacks are affecting a larger number of people. Gone are the days when hackers primarily targeted banks and government agencies. In fact, in the present day, organizations most vulnerable to cyber attacks are small businesses and healthcare organizations. Clearly, this indicates that smaller healthcare organizations are the most vulnerable to malicious cyber activities, and they also have the most to lose, as their revenues are typically lower than large healthcare organizations. As a result, a smaller healthcare organization that is hit by a ransomware attack can be devastated by the event. And here’s one final shocking statistic to highlight just how heavily the healthcare sector is bearing the brunt of cybercrime: 89% of healthcare providers have experienced a data breach.

While all cyber attacks on the healthcare industry are vital to address, we at Moraph believe that the most pressing area to mitigate is the hacking of medical devices. The effectiveness of medical devices can mean the difference between life and death when it comes to patient outcomes. And a lesser yet still highly relevant truth is that medical device hacking leads to significant frustrations for those in charge of healthcare focused companies. For instance, when the medical device company DJO Global lost $6 million to a hack, its insurer refused to pay out, resulting in legal action.

To prevent medical device hacking from occurring, this article will highlight how cyber criminals gain access to the devices and what healthcare organizations of any size can do to minimize the risk to their devices. However, it’s also important to remember that cyber crime is a constantly evolving field. Those who work in the healthcare industry who wish to prevent cyber attacks should ensure that they regularly keep updated with the latest developments impacting the cybersecurity industry in general.

How Medical Devices Are Hacked

Hackers gain access to medical devices in a number of ways. However, they can be summarized as the hackers utilizing a vulnerable “back door” into the device. These “back doors” can include unsecured wi-fi networks, which allow hackers to connect to the wider network that the medical device is part of, or they can be accessed by the hacker obtaining and decrypting an internal/external communication, which contains information such as usernames and passwords that allow access to the devices. Another common method is a phishing attack, which often takes the form of a malicious email claiming to be from a bank or other financial centered organization warning a customer that they need to prevent the loss of money by entering information through a provided link. In actuality this link will take the user to a site that will record and steal any information for the benefit of the cybercriminals.

Essentially, the term “back door” applies to hackers accessing medical devices (and a wide range of other systems in various industries) because it can be directly compared to burglars accessing buildings via an entryway other than the, often secure, primary entrance. This analogy also applies to the means in which healthcare organizations can prevent medical device hacking.

How Healthcare Organizations Can Prevent Medical Device Hacking

The building burglary analogy of medical device hacking is incredibly useful for prevention efforts. Many of the same measures that organizations use to secure their buildings from theft directly translate to medical device hacking. Because when an organization such as a warehousing company or a supermarket attempts to secure their premises, they enact measures that also apply to medical device security. Therefore, the core way in which a healthcare organization can prevent medical device hacking is to assume that their employees and (to a lesser but still applicable extent) patients which use medical devices can all contribute to security.

Those in charge of the healthcare organization need to delegate security measures to their employees in much the same way as a supermarket or warehouse would. Certain employees, specifically those who work in the company’s IT department, need to know that they have a responsibility to act as the security guards of medical devices.

The rest of the company’s employees need to support the efforts of these IT security guards by knowing the essentials of network security, such as by being aware of common email phishing attacks that they may encounter. Finally, and this is the most challenging aspect of medical device security, those in charge of a healthcare organization need to understand that the patients who receive the medical devices must have an awareness of how their devices can be hacked. The reasons why this is the most challenging aspect are because healthcare organizations have the least amount of control over the actions of their patients, and the users of medical devices are by far the most likely people to be unaware of the dangers. Essentially, they are often the least “tech-savvy” members of the healthcare organization community, and the fact that they are not paid employees means that they have no obligation to learn about device hacking prevention measures.

However, it is absolutely possible for healthcare organizations to get the message across to the patients on how they can prevent their devices from being hacked. The key is to make the patients aware of the potential dangers as much as the prevention methods. As we highlighted at the start of this article, medical device hacking can lead to death. This fact needs to be communicated to an un-tech-savvy patient in a clear yet compassionate manner.

Based on the above mindset, here’s one practical solution that a healthcare organization can take to ensure that their patients can make an extra effort to prevent medical device hacking. It’s simple yet effective: Issue a small leaflet with any medical device that makes the patient aware of the threat in a clear but non intimidating manner. Highlight within the leaflet that the risk of death from medical devices is small yet not non-existent, and then highlight what the patient can do (i.e. be aware of phishing scams and secure their home wi-fi networks.) And just for good measure, the healthcare provider can ensure that the point of contact for the patient briefly goes over the content of the leaflet. Those are two easy steps that can save the lives of patients, save significant sums of money for the healthcare organization and avoid stress for both the employees and the patients.

The previous paragraph highlights how implementing safety measures for medical devices need not be overly time-consuming or labor intensive. When it comes to training up employees and implementing cyber crime prevention methods, many organizations initially struggle due to their inability to act with the right strategic approach. They fail as they look for “quick-fixes'.' The issue with a quick-fix when applied to the metaphor of comparing cybersecurity to building security is that time and time again it focuses security on the “front doors” and neglects to secure the “back doors.”

Essentially, the exact steps that a healthcare company has to take to secure medical devices are circumstantial to that particular organization. But every company can apply the methodology of making the entire community, from employees to patients, aware of the importance of preventing medical device hacking.

We hope that the above advice leads to healthcare organizations taking steps to secure their devices. The next steps are up to the decision makers within the organization. Of course, we hope that some of those will choose Moraph to lead their medical device security efforts. However, for those who choose to go down a different path, then here’s some final advice for successfully implementing a “secure building” medical device protection program: 1. Begin by creating an overview of which aspects of device hacking specific employees need to become aware of. 2. Research solutions, such as online training modules, that will give your employees the information they need to prevent medical device hacks, and implement those solutions to the workforce. 3. Develop materials/communications that demonstrate to patients the dangers of medical device hacking/the prevention measures they can take, and ensure that those materials/communications are being applied consistently.