Tuesday, 9 June 2015

Why Medical Device Security Cannot be Overlooked

While connected medical devices can help healthcare organizations provide better care, their increased presence can also make healthcare networks more vulnerable to attack, according to a recent TrapX Labs report. Medical device security is essential for facilities of all sizes that are implementing connected devices, as the data stored within them are top targets for cyber criminals.

The report, Anatomy of an Attack: Medical Device Hijack (Medjack), breaks down how attackers have managed to place malware on critical medical devices, which can give them the ability to remotely control medical equipment. Attackers could also use that access to continue attacks until they have exfiltrated targeted healthcare information, according to the report.

Healthcare organizations cannot overlook medical device security

“It is important to note that these vulnerabilities within medical devices may render components of the hospital’s cyber security technology less effective,” the report’s authors explained. “You cannot easily detect malware on a system which you cannot scan. The primary reason for this problem is centered on the fact that medical devices are closed systems.”

Moreover, those systems are FDA-certified and are not open for the installation of additional third-party software by the hospital staff.

The report also gave several case study examples of how medical device security issues could compromise sensitive information. The report then concluded that this is an issue that healthcare organizations can no longer ignore:

The report’s authors made several recommendations for healthcare organizations to ensure that medical device security remains a top priority. First, facilities should implement a strategy to quickly integrate and deploy software fixes and/or hardware fixes provided by the manufacturer to their medical devices. These fixes should also be tracked and monitored by senior management and quality assurance teams, the authors stated.

It would also be beneficial to implement a strategy “to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections.” Quarterly reviews should also be conducted with every medical device manufacturer connected to the organization.

TrapX Security Labs experts also recommended that healthcare facilities implement strategies designed to review and remediate their existing devices, strategies that dictate medical device end-of-life procedures, as well as strategies that update their existing medical device vendor contracts. The contracts should be adjusted for any maintenance and need to address malware remediation, according to the report’s authors.


Working to improve medical device security and cybersecurity is an increasingly popular topic as more hospitals and providers continue to use and implement connected devices. Toward the end of last year, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) and the Technological Leadership Institute (TLI) at the University of Minnesota announced that they were seeking feedback on a draft project to improve the cybersecurity of medical infusion pumps.

Networked infusion pumps are automated and can connect to EHRs to check dosages against patient records, the organizations explained. While this ensures that the correct medication is given to a patient, it could also present new safety risks and healthcare security issues that stand-alone devices do not have, NIST explained.

“After the use case is finalized, the NCCoE will invite organizations to participate in developing a practice guide, or a collection of the materials and information needed to deploy an example solution of off-the-shelf products that address the technical security problems,” NCCoE said in a statement. “The guide will describe the hardware, software and configurations the project used to address the issues presented in this use case so that others can replicate the approach.”

View the original content and more from this author here: http://ift.tt/1f0Wpxn


