Connected medical devices have become one of the largest and fastest-growing segments of the modern healthcare network, which has forced organizations to consider medical device security measures. These devices run some form of operating system, connect to the corporate network, and gather, store, and communicate information. According to a HIPAA Journal article, 82% of healthcare organizations have experienced a cyberattack on their IoT devices. Still, most organizations don't treat them as the endpoints they are, with the security and privacy risks that entails. In fact, the facilities department typically manages these devices, with little-to-no oversight or involvement by the information technology (IT) or security teams.
Healthcare has an ingrained IT problem that stems from the fact that medicine has been in practice for some 25,000 years. Healthcare is not viewed as a modern enterprise, and the same typically holds true for its IT network. However, it is one of the most complex environments, centered on its vital electronic health record (EHR) systems. Considering the strict data privacy requirements under HIPAA and other compliance regulations, these hundreds of connected, and often unaccounted-for, devices suddenly become critical open doors for data leaks and other security and privacy risks. One glaring example of the case for medical device security, often ignored yet vulnerable, is the imaging suite.
The modern hospital, and most smaller healthcare providers, have some form of imaging suite. Regardless of size, this suite typically contains massive and expensive imaging devices such as x-ray machines, CT and MRI scanners, and similar equipment. These devices are rarely, if ever, owned by the organization using them. More often than not, hospitals lease these machines with restrictions on what the user can change or update, such as admin passwords, default services, known vulnerabilities, and a myriad of other things. These weaknesses contributed to the major disruptions that the WannaCry ransomware caused to the NHS and other healthcare systems in 2017, and WannaCry still affects just under half of healthcare organizations today.
To combat the lack of control over these connected medical devices in the imaging suite, many organizations implement medical device security via network segmentation to segregate them from the rest of the network. But these devices produce, process, store, and transmit crucial health information, and that information needs to get into a system or back into the EHR to be useful to providers. Despite the segregation that is logically in place, it is not uncommon to find numerous services freely communicating with the rest of the network and the internet. The open communication this allows is antithetical to acceptable security practices and negates the effect of the network segmentation.
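The practical check that follows from this paragraph is to verify, from flow records, that the imaging segment actually only talks to the integration hosts the policy allows. The script below is an added example, not code from the original post or from any product it describes; the addresses, the imaging VLAN, the PACS and EHR interface hosts, and the sample flow records are all hypothetical and constructed for illustration. It flags two kinds of policy violation: egress to addresses outside the corporate ranges (internet-bound traffic) and egress to internal hosts or ports the allow list does not cover.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing for the example: the imaging-suite VLAN, the corporate
# address space it lives in (RFC 1918 ranges), and the only integration hosts the
# segmentation policy allows it to reach (a PACS gateway and an EHR interface engine).
IMAGING_SEGMENT = ipaddress.ip_network("10.40.0.0/24")
CORPORATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EGRESS = {
    # (destination host, destination port, protocol)
    ("10.10.5.20", 104, "tcp"),   # DICOM to the PACS gateway (hypothetical host)
    ("10.10.5.21", 2575, "tcp"),  # HL7 over MLLP to the EHR interface engine (hypothetical host)
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def classify(flow):
    """Return None if the flow complies with the imaging-segment egress policy,
    otherwise a short reason string describing the violation."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IMAGING_SEGMENT:
        return None  # only egress from the imaging segment is audited here
    if dst in IMAGING_SEGMENT:
        return None  # device-to-device traffic inside the segment is out of scope
    if not any(dst in net for net in CORPORATE_RANGES):
        return "egress outside corporate address space (internet-bound)"
    if (flow.dst, flow.dport, flow.proto) not in ALLOWED_EGRESS:
        return f"egress to corporate host not in allow list ({flow.proto}/{flow.dport})"
    return None


def audit(flows):
    """Return a list of (flow, reason) pairs for every flow that violates the policy."""
    findings = []
    for flow in flows:
        reason = classify(flow)
        if reason is not None:
            findings.append((flow, reason))
    return findings


# Constructed sample flow records (not captured from any real network).
SAMPLE_FLOWS = [
    Flow("10.40.0.15", "10.10.5.20", 104, "tcp"),    # CT scanner sending studies to PACS: allowed
    Flow("10.40.0.15", "10.10.5.21", 2575, "tcp"),   # HL7 results to the EHR interface engine: allowed
    Flow("10.40.0.22", "203.0.113.7", 443, "tcp"),   # modality reaching a public address: violation
    Flow("10.40.0.22", "10.20.0.9", 445, "tcp"),     # SMB toward a workstation VLAN: violation
    Flow("10.40.0.30", "10.40.0.31", 104, "tcp"),    # intra-segment DICOM: out of scope
    Flow("10.50.0.3", "10.40.0.15", 104, "tcp"),     # inbound from elsewhere: not covered by this egress check
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against real flow logs (NetFlow, firewall logs, or VPC-style flow records), the same `classify` rule turns the segmentation policy into something you can continuously verify rather than assume; every finding is either a rule on the segment boundary that is broader than the policy, or a service on a leased device that nobody knew was talking.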
As with most world problems, collaboration, open-mindedness, and perspective can drastically improve the position and reduce most healthcare organizations' overall risk. First, there can be no real separation between the facilities team (or whichever team is responsible for deploying and maintaining connected medical devices) and the IT or security groups who are responsible for medical device security. Collaboration between these teams and a fundamental change in how these endpoints are viewed can significantly increase security and lower overall risk. The necessary sea change is to stop viewing these connected devices as anything other than endpoints. All connected devices, be they an infusion pump or an IP-connected camera, are endpoints. They are connected to the network, gathering, storing, transmitting, and processing information, meaning they are decidedly as much of an endpoint as a workstation or server.
Technical Product Manager