The market for connected medical devices was valued at $18.9 billion in 2018, and is forecasted to reach $63 billion by 2024. The growth of this market has not escaped the notice of cyber criminals, lured by the temptation of easy access to patient PII. Consider the scope of the issue - the average hospital room currently contains 15-20 connected medical devices, meaning there could be up to 85,000 medical devices in just one large hospital. Each of these devices represents a potential entry for a malicious attack.
The US government has demonstrated that it considers the security of medical devices to be a priority. In fact, the FDA has entered into several Memoranda of Understanding (MOUs) with the intention of opening communication channels regarding known vulnerabilities in medical devices and helping medical device manufacturers (MDMs) better understand and use the Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST).
Cyber Attacks in the Healthcare Industry
The healthcare industry is a frequent target of ransomware, and a recent report indicated that cyber attacks cost healthcare organizations $1.4 million on average. Numerous proof-of-concept attacks have demonstrated the cyber vulnerability of medical devices. In one example, security researchers placed malware on a patient’s pacemaker. Other proof-of-concept attacks have demonstrated the ability to steal or modify patient medical information, or place ransomware on devices and render them unusable. In one such attack, demonstrated at the 2019 RSA Conference, researchers stole patient data by hacking into an ultrasound image.
Cybersecurity Challenges for MDMs
As MDMs race to improve the security posture of their devices, they are facing the same issues that plague the entire Internet of Things (IoT) industry. In general, these devices contain vast amounts of sensitive information and are connected to the Internet, but often lack the same level of cybersecurity by design and the same level of cybersecurity protections and vulnerability patching as traditional computers. Securing Internet-connected medical devices requires locking down their Internet connection. If a device does not have IP whitelisting or other built-in cybersecurity protections, an attacker can exploit the Internet connection to gain access to the device. If the device has an unpatched vulnerability or uses default or hardcoded credentials, the attacker can exploit this connection to compromise the device. In this way, medical devices connected to a healthcare system may be used as entry points into the organization’s network.
Solutions like IP whitelisting and Virtual Private Networks (VPNs) can be effective in securing connected devices, but these additional security measures are rarely employed by MDMs. MDMs struggle with finding an affordable solution that will address the complex issue of securing medical device data in each stage (data at rest, data in use and data in transit). To further complicate matters, most healthcare organizations have a high number of legacy IoT medical devices that have long since been phased out by their manufacturers and therefore are no longer supported. These legacy devices represent a large investment for the organization but are “unpatchable” and vulnerable to cyber attacks. A recent survey revealed that approximately one-third of all managed connected medical devices in healthcare facilities fall into this category.
Securing Connected Medical Devices
While MDMs work to improve the security posture of their connected devices, healthcare providers need a security solution that can be rolled out immediately to protect legacy connected medical devices. Attila’s GoSilent is a plug-and-play solution that requires no special configuring or set-up. It is small (about the size of a TicTac container), and plugs into any Internet-enabled device. In addition, GoSilent is a readily available off-the-shelf solution and its affordable price point makes it scalable for larger organizations. A security solution like GoSilent will dramatically decrease the exposure of connected medical devices to cyber attacks. Learn more about Attila Security’s cybersecurity solutions for enterprise applications.