Medical device security: why it matters, and how to get it

Internet-connected medical devices open tremendous opportunities for healthcare providers to monitor and treat patients more effectively. But they also create opportunities for threat actors to execute cybersecurity attacks designed to steal highly personal information or disrupt treatment efforts.

Having a cybersecurity defense plan for medical devices is critical for any organization that uses the internet of medical things, or IoMT, to assist in healthcare operations. This article explains which types of cybersecurity threats impact medical devices, why medical devices can be especially difficult to secure, and which steps organizations can take to address cybersecurity needs for medical devices.

What is medical device cybersecurity?

Medical device cybersecurity refers to the tools and practices that prevent attackers from gaining unauthorized access to or control over medical devices and the data they generate.

You may think of medical device cybersecurity as a subcategory of IoT cybersecurity. However, there are some key differences between IoT security in general and medical device cybersecurity in particular.

The most important difference is that the information generated by, or stored on, medical devices is often so personal that it poses an especially great risk to the patient or the healthcare organization. It’s one thing for an attacker to be able to access your IoT thermostat and learn which temperature settings you use; it’s another for a threat actor to access data about a patient’s heart rate or blood pressure, or take control of a medical device embedded in a patient.

Certain information may be subject to compliance rules like HIPAA. Personally identifiable information (PII) is any health information that allows the patient to be identified. Protected health information (PHI) is individually identifiable health information that is stored in electronic form. Organizations that fail to secure such data may be subject to fines.

Differences in the way medical device networks operate, the longevity of medical devices, and the difficulty of applying security patches or upgrades, also distinguish medical device security from IoT security in general. These topics are discussed at greater length below.

Who would try to attack medical devices, and why?

The data that medical devices store or generate represents high-stakes information. If threat actors gain access to it, they could leverage it to harm the reputations of affected individuals by, for example, disclosing that they suffer from certain medical conditions.

Likewise, attackers could potentially hold medical device data for ransom by removing it from medical devices and forcing hospitals or other organizations to pay a ransom in order to restore their access to it.

Because of the potential payoff of cybersecurity attacks against medical devices, adversaries may invest significant time in carrying out such attacks. They could be multi-phased, multiyear efforts executed by large, well-funded teams of threat actors. Because attacks may occur slowly, with no sudden event or change of behavior by medical devices to tip off users or managers, being able to locate and continuously monitor all medical devices is especially important.

IoMT benefits

Despite the cybersecurity risks associated with medical devices, devices within the IoMT offer a range of important benefits, including;

  • Improved treatments: By tracking the impact of medical interventions in real time, medical devices help healthcare providers determine what is working and what is not, thereby improving the outcome of treatments.

  • Precise diagnostics: Medical devices can collect a large range of data about a patient, which gives doctors more information to work from when diagnosing health issues.

  • Patient monitoring: By monitoring patients continuously no matter where they are, medical devices allow healthcare providers to track patients more thoroughly than they would be able to do if they relied on manual monitoring methods.

  • Automated control: Medical devices can be configured to change their behavior automatically in response to certain conditions. For example, an insulin pump could modify dosage based on readings from a patient’s glucose monitors.

  • Centralized reporting and monitoring: Connected medical devices allow healthcare providers to track patients and their health data from a central location, even if the patients themselves are spread out across a large area.

Healthcare providers likely will continue to rely on connected medical devices regardless of the cybersecurity challenges they face; indeed, the IoMT market is projected to reach a compound annual growth rate of 28.9 percent by 2026. This means that cybersecurity teams must learn to manage medical device security effectively, because expecting healthcare providers and users to avoid connected medical devices is not realistic.

Medical device cybersecurity challenges

Securing medical devices requires addressing a range of different threats that are common in the context of the IoMT:

  • Critical nature of medical devices: As noted above, medical devices contain highly personal information that, when in the wrong hands, poses special risks to medical device end-users and the organizations that support medical devices.

  • Mass production of medical devices: Medical devices are manufactured on a large scale, with only basic testing and inspection before they ship. This increases the risk that a defect could lead to a security breach.

  • Security is not prioritized: Most patients and healthcare professionals who deploy medical devices are not IT experts, so device designers tend to prioritize ease-of-use above all else. Often, devices designed and built with tight security protocols are cumbersome or difficult for healthcare providers or end-users to use, which means that device manufacturers often make security a low priority.

  • Security patches and upgrades are difficult to implement: Unlike standard IT devices, which typically can be managed via a central software-upgrade system, medical devices often lack built-in tools for upgrading their software when a security patch or upgrade is available. Also, medical devices cannot come offline for patching when they are allocated to a patient.

  • Long-life devices: Some medical devices are deployed for many months or even years. This longevity gives attackers a wide window for launching attacks against devices. It also increases the chance that, during the time a device is deployed, a known security flaw will be announced, making it easy to breach the device if it is not upgraded to address the flaw.

  • User-deployed devices: Patients or individual healthcare providers who set up medical devices on their own may not be aware of, or may not follow, security best practices, such as changing default access settings to the device.

  • End-users cannot monitor the “health” of the device: Medical devices typically offer patients and healthcare providers little or no opportunity for monitoring the state of the device. Unlike a traditional computer, medical devices provide no way of logging in to check status information or to see who has accessed the device.

For all of these reasons, medical devices may be especially difficult to secure, even for professional IT teams who are accustomed to working with other types of devices and are not versed in the security challenges that impact IoMT specifically.

Security requirements for medical devices

The FDA offers guidelines to help cybersecurity teams manage medical device security. The European Union Agency for Cybersecurity (ENISA) offers similar guidance in Europe. Although the FDA’s guidelines are not formal compliance requirements, they are a useful starting point for meeting IoMT cybersecurity demands.

Beyond the FDA’s guidelines, key security requirements to address when managing medical devices include:

  • Integrate security into device: The first line of defense against cyberattacks is the IoMT devices themselves. Where possible, devices should be configured to allow minimal access. Any access-control tools available on the devices should be enabled, and default usernames and passwords should be changed so that they are unique.

  • Customize security to each device: Every medical device is different, and there is no one-size-fits-all IoMT security strategy. Instead, security processes must be tailored to each device that an organization is responsible for securing. These processes should reflect the device’s security posture (which tools are available on the device to secure it?), as well as the type of data the device produces (how sensitive is the data?).

  • Protect firmware: Firmware is the software that is built into physical devices. Because firmware security flaws can lead to unauthorized access, device managers must be aware of which firmware runs on all devices in their network, and upgrade it if device manufacturers announce a security flaw in their firmware.

  • Secure data stored in device: Data that remains on medical devices (as opposed to data that is forwarded to another device or server immediately after it is collected) should be secured via encryption and access controls.

  • Secure communication among devices: Whenever data leaves a device, it should be encrypted to prevent access by network eavesdroppers. In addition, networking protocols used by IoMT devices must be secure in order to prevent attackers from exploiting protocol flaws in order to gain unauthorized access.

  • Protect from cyberattacks: Cyberattacks against medical devices can take many forms, from data theft attacks designed to go undetected, to ransomware attacks in which adversaries announce that they have compromised IoMT devices and demand a ransom in order to restore access. Continuous monitoring for all types of cybersecurity attacks is critical for ensuring that breaches are detected early, before attackers can cause significant damage.

Given the many variables at play in IoMT security, there is no simple way to secure all medical devices against all types of threats. However, a basic first step is to ensure that you know which medical devices exist on your network, as well as which types of threats may impact them.

How to continuously monitor all medical devices on your network

Ordr Systems Control Engine (SCE) can enable visibility and security of all your connected medical devices. It can discover every connected device, profile device behaviors and risks, and automate action for all medical and IoT assets in your healthcare organization.

Ordr SCE uses machine learning to monitor and analyze the behavior of every device on your network in order to detect malicious communications. Ordr provides risk scores that help cybersecurity teams know which threats require the greatest attention and mitigation, even on networks that include thousands of medical devices. You can profile behavior and communications of every connected device, and generate policies to only allow the sanctioned communications, using your existing network and security infrastructure, without touching or modifying the devices.

Finally, you can maximize the utilization of all of your connected medical devices.