Medical Devices Can Lead to Data Breach at Healthcare Organization

by Sarah Harvey / July 1st, 2015

The terms “data breach” and “healthcare organization” aren’t strangers in headlines as of late, but recent studies and investigations by cybersecurity professionals in the industry have found that hackers are beginning to use medical device vulnerabilities as an entry point into the entire organization’s network. Medical devices commonly run outdated, and therefore vulnerable, software, and those vulnerabilities are difficult to mitigate, putting millions at risk.

Recent reports note that several medical devices are now being targeted by hackers as a way to infiltrate an otherwise secure network. These networks likely have an IDS, a firewall, antivirus software, and similar controls to safeguard information; however, the lack of security in the devices themselves presents a huge threat to patient information. A growing number of Americans use medical devices or equipment that connects directly to the hospital’s network. Research by the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that roughly 300 medical devices from approximately 40 vendors are vulnerable because their passwords cannot be changed.

The types of medical devices that are possible targets for a cyberattack include, but are not limited to, blood gas analyzers, X-ray machines, pacemakers, insulin pumps, and heart monitors. These wireless and Bluetooth-enabled devices can allow hackers to create a backdoor into the network’s security infrastructure, gain access to patient records (healthcare information, social security numbers, dates of birth), and plant malware on employees’ computers through malicious websites.

As manufacturers struggle to find a quick way to properly secure every medical device from potential threats going forward, several entities are urging manufacturers, healthcare organizations, and users to follow best-practice security guidelines to protect against a possible cyberattack. As the FDA continues to implement software security guidelines for manufacturers, healthcare organizations can begin protecting themselves from potential threats by following these best practices:

1. Use Strong Passwords

Do not use the default passwords set by vendors; devices that keep them become easy targets for hackers. Use strong passwords and enforce a strict password management program to ensure that network security is maximized.
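One way to put this practice into operation is to audit the device inventory itself rather than relying on memory: flag any device whose credential still matches the vendor default, any credential that fails the organization’s length and complexity policy, and any password reused across several devices. The script below is an added example and is not code from the original article; the vendor names, models, default credentials, and inventory records in it are all constructed sample data, and the policy thresholds are assumptions to be replaced by your own standard. In practice the audit should read from a password vault export rather than from a CMDB that stores plaintext passwords.

```python
"""Audit a medical-device inventory for weak or vendor-default credentials.

Added example, not from the original article. Every vendor, model,
default credential and inventory record here is constructed sample data.
"""
from collections import defaultdict
import string

# Constructed sample: vendor defaults that must never remain on a device.
# A real list would be built from each vendor's documentation per model.
VENDOR_DEFAULTS = {
    ("AcmeMed", "InfusionPump-X"): {"admin": "admin"},
    ("AcmeMed", "Monitor-200"): {"service": "service123"},
    ("BetaScan", "Xray-Pro"): {"admin": "password"},
}

# Assumed policy thresholds; replace with your organization's standard.
MIN_LENGTH = 12
MIN_CLASSES = 3  # of lowercase / uppercase / digit / symbol


def char_classes(pw):
    """Count how many of the four character classes the password uses."""
    return (
        int(any(c.islower() for c in pw))
        + int(any(c.isupper() for c in pw))
        + int(any(c.isdigit() for c in pw))
        + int(any(c in string.punctuation for c in pw))
    )


def audit_device(device, default_map=VENDOR_DEFAULTS):
    """Return a list of finding strings for one inventory record."""
    findings = []
    defaults = default_map.get((device["vendor"], device["model"]), {})
    for account, password in device["accounts"].items():
        if defaults.get(account) == password:
            findings.append(f"{account}: vendor default password still set")
        if len(password) < MIN_LENGTH:
            findings.append(f"{account}: shorter than {MIN_LENGTH} characters")
        if char_classes(password) < MIN_CLASSES:
            findings.append(f"{account}: fewer than {MIN_CLASSES} character classes")
    return findings


def audit_inventory(inventory, default_map=VENDOR_DEFAULTS):
    """Audit every device and also flag passwords shared between devices."""
    report = {}
    devices_using = defaultdict(list)  # password -> device ids using it
    for device in inventory:
        findings = audit_device(device, default_map)
        if findings:
            report[device["id"]] = findings
        for password in device["accounts"].values():
            devices_using[password].append(device["id"])
    # A password reused across devices lets one compromise spread to all of them.
    for ids in devices_using.values():
        if len(ids) > 1:
            for dev_id in ids:
                report.setdefault(dev_id, []).append(
                    f"password reused across {len(ids)} devices"
                )
    return report


# Constructed sample inventory (ids, vendors, models and passwords are invented).
SAMPLE_INVENTORY = [
    {"id": "pump-01", "vendor": "AcmeMed", "model": "InfusionPump-X",
     "accounts": {"admin": "admin"}},                 # never changed
    {"id": "mon-07", "vendor": "AcmeMed", "model": "Monitor-200",
     "accounts": {"service": "Winter2015!"}},         # changed, but too short
    {"id": "xray-02", "vendor": "BetaScan", "model": "Xray-Pro",
     "accounts": {"admin": "Winter2015!"}},           # same password as mon-07
    {"id": "gas-03", "vendor": "BetaScan", "model": "BloodGas-1",
     "accounts": {"admin": "c8#Rp2!vLq9&Tz4m"}},      # compliant
]

if __name__ == "__main__":
    for dev_id, findings in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        for finding in findings:
            print(f"{dev_id}: {finding}")
```

Run against the sample inventory, the report names pump-01 (default still set, too short, too few character classes), mon-07 and xray-02 (too short, and the same password on two devices), and is silent on gas-03. Extending the default list per model is the part that needs ongoing maintenance; the policy checks themselves rarely change.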

2. Policies and Procedures

Be sure you have a fully documented and enforced set of policies and procedures, specifically those governing your network security program. Who has access to what? How do we detect intrusions in our network? What are our firewall and antivirus policies? Updating these to reflect the security culture of your organization can help defend against an attack.

3. Annual External and Internal Penetration Testing

Network and application security is critical to your organization. Engage in regular testing to help identify and mitigate any weaknesses and vulnerabilities in your organization’s security before someone else does.

The healthcare sector continues to be a major target of hackers. According to a recent study by the Ponemon Institute, breaches cost the healthcare industry around $6 billion a year. Defending ourselves from the threat of cyberattacks must continue to be a group effort as we educate and empower each other to greater levels of security.

For more information on ways to improve network security at your organization or for tips on how to safeguard your PHI, contact us today!