Accurate Risk Profiles are Key for IoMT Device Security

Ransomware and other cyberattacks on healthcare organizations are growing rapidly in numbers and scope. To better protect their high-value data, organizations need to look at the vulnerability of their medical devices which are increasingly becoming a path of attack. An important step in securing those devices is having an accurate risk profile for each of them.

More Connected Devices

The number of connected devices has exploded in recent years and is expected to continue to grow at an accelerated rate. What we are seeing is the rise of the Internet of Medical Things (IoMT) where devices are connected to each other and to clinical applications including EMRs.

Fortune Business Insights forecasts the market will grow to $446.52 billion USD by 2028, a 5-fold increase over the market size in 2021 ($89.07 billion). There are several factors driving this growth and none of them show any signs of abating:

  • The need for real-time data by clinicians
  • Increased adoption of Remote Patient Monitoring
  • Integration of devices with AI
  • Continued investment in Telehealth and Care-at-Home

More Attacks

According to Jonathan Langer, Co-Founder & CEO at Medigate – an IoT security provider and maker of a platform that uses a data-centric approach to security – there are three key reasons for the increasing number of cyberattacks in healthcare:

  1. Attackers know the attack surface in healthcare is large and expanding
  2. Attackers know that healthcare is vulnerable and that their actions are highly disruptive
  3. Attackers know that PHI has a long shelf-life and that in addition to ransoms, it can be monetized in other ways

Unlike laptops and desktop computers, medical devices cannot be updated with a simple push of a button. “It requires working with the manufacturer and clinical engineering and biomed departments – the teams that are responsible for deploying and maintaining medical devices,” explained Langer. “The process is tougher which makes it less likely that it will be done properly or on a timely basis.”

An Accurate Risk Profile

An important first step in securing medical devices is to get an accurate risk profile of each one. This is exactly what Medigate helped Parkland Hospital to do. After installing their platform, Parkland was able to see the patch version of each device and which ones needed to be updated.

But just identifying the risky devices is not enough. “The tricky part about healthcare security is that you need multiple parties to cooperate in order to remediate vulnerabilities,” said Langer. “You need to get the clinical engineering team involved.”

To that end, Medigate worked to integrate their platform with Parkland’s computerized maintenance management system (or CMMS), which was a product from Nuvolo. The CMMS is the “go-to tool” for managing a hospital’s devices.

By integrating, Medigate made it easy for the clinical engineering team. They did not have to change their processes or workflows. Instead, they could continue using their familiar system, only now augmented by the detailed visibility provided by Medigate.

PHI on Devices

Another important aspect of the risk profile of each device is identifying those that store and/or transmit Personal Health Information (PHI).

“The challenge is discerning between the devices that store + transmit PHI and those that don’t,” said Langer. “Typically this is done manually by reading the device manuals and noting it in the CMMS. Medigate is able to automate this process by analyzing the traffic from the devices to identify those that are sending PHI.”

In other words, Medigate uses a data-based approach to identifying security vulnerabilities. This was the approach they used to help Yale New Haven Health, and the results were impressive:

  • The medical devices that store/transmit PHI were automatically identified and risk scored;
  • Existing vulnerabilities were identified and correlated to all potentially impacted devices;
  • Alerting on unauthorized device communications (internal and external) was provided;
  • System-generated remediation instructions were delivered in an actionable, clinical context;
  • Never-before-seen utilization metrics are now used to improve PAR levels

Not Just for Hospitals

Langer was quick to point out that device security is not just something that hospitals need to do. His company is seeing growing interest from physician practices.

“The challenge in physician practices and outpatient clinics is a little different,” commented Langer. “While there may be fewer connected devices, they are more distributed than in an acute care facility. For example, our client, CDI [rebranded recently as Rayus Radiology], has over 130 imaging clinics. That’s a lot of sites to manage. The architecture and the software that gives you a holistic view of the devices must also be more distributed.”

For Rayus Radiology (CDI), Medigate had to integrate their platform with Rapid7 – a system that actively detects vulnerabilities in assets. By bringing passive and active systems together, Medigate was able to identify which devices were scannable, which were low risk and which needed to be monitored. This information helped Rayus Radiology simplify and safely expand its use of Rapid7.
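The last two sections describe, at a high level, what goes into a per-device risk profile: which devices send PHI (inferred from their traffic rather than from the manual), which known advisories apply at the device's current firmware level, which devices talk to addresses outside the hospital network, and which devices are safe to scan actively versus passively. The script below is an added, self-contained illustration of that workflow written for this article; it is not Medigate's code and does not reproduce their scoring. The device inventory, advisory list (placeholder identifiers, not real CVEs), flow records and the clinical-port table are all constructed sample data.

```python
"""Added example: building a per-device IoMT risk profile from constructed data.

Illustrative code written for this article, not Medigate's software. The
inventory, advisories and flow records below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Destination ports a defender would treat as carrying clinical data (HL7 over
# MLLP, DICOM). A real deployment would extend this from observed traffic.
CLINICAL_PORTS = {2575: "HL7/MLLP", 104: "DICOM", 11112: "DICOM"}

# Address ranges considered "inside" the hospital network (RFC 1918). Any
# destination outside them is reported as an external communication.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Device:
    device_id: str
    model: str
    firmware: str
    ip: str
    scannable: bool  # whether active scanning is considered safe for this device class


# Constructed inventory, in the shape a CMMS export might provide.
DEVICES = [
    Device("pump-01", "InfusionPump-X", "3.1.4", "10.10.1.20", scannable=False),
    Device("ct-01", "CT-Scanner-Z", "7.0.2", "10.10.2.30", scannable=False),
    Device("ws-01", "NurseStation-PC", "2.5.0", "10.10.3.40", scannable=True),
]

# Constructed advisories with placeholder identifiers (not real CVEs).
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "model": "InfusionPump-X", "fixed_in": "3.2.0", "severity": 9.1},
    {"id": "ADV-PLACEHOLDER-2", "model": "CT-Scanner-Z", "fixed_in": "6.9.0", "severity": 7.5},
    {"id": "ADV-PLACEHOLDER-3", "model": "NurseStation-PC", "fixed_in": "2.6.1", "severity": 4.3},
]

# Constructed passive flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.1.20", "10.10.9.5", 2575),   # pump -> EMR interface engine (HL7)
    ("10.10.2.30", "10.10.9.6", 104),    # CT -> PACS (DICOM)
    ("10.10.2.30", "203.0.113.7", 443),  # CT -> address outside the hospital network
    ("10.10.3.40", "10.10.9.5", 443),    # workstation -> internal web service
    ("10.10.3.40", "10.10.2.30", 22),    # workstation -> CT, internal management
]


def version_tuple(version: str) -> tuple:
    """Turn '3.1.4' into (3, 1, 4) so firmware versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def open_advisories(device: Device, advisories=ADVISORIES) -> list:
    """Advisories for this model that are not yet fixed at its firmware level."""
    return [adv for adv in advisories
            if adv["model"] == device.model
            and version_tuple(device.firmware) < version_tuple(adv["fixed_in"])]


def clinical_protocols(device: Device, flows=FLOWS) -> set:
    """Clinical protocols this device was seen sending: the traffic-based PHI signal."""
    return {CLINICAL_PORTS[port] for src, _dst, port in flows
            if src == device.ip and port in CLINICAL_PORTS}


def external_destinations(device: Device, flows=FLOWS) -> list:
    """Destinations outside INTERNAL_NETS that this device talked to."""
    return [dst for src, dst, _port in flows
            if src == device.ip and not any(ip_address(dst) in net for net in INTERNAL_NETS)]


def risk_score(device: Device, flows=FLOWS, advisories=ADVISORIES) -> float:
    """Additive score: worst open advisory, plus PHI exposure, plus external comms (capped at 10)."""
    score = max((adv["severity"] for adv in open_advisories(device, advisories)), default=0.0)
    if clinical_protocols(device, flows):
        score += 2.0  # compromise would expose patient data
    if external_destinations(device, flows):
        score += 3.0  # unexplained outbound path: alert and investigate
    return min(round(score, 1), 10.0)


def build_profile(device: Device, flows=FLOWS, advisories=ADVISORIES) -> dict:
    """One risk-profile record per device, in a shape a CMMS integration could consume."""
    advs = open_advisories(device, advisories)
    return {
        "device_id": device.device_id,
        "model": device.model,
        "firmware": device.firmware,
        "transmits_phi": bool(clinical_protocols(device, flows)),
        "open_advisories": [adv["id"] for adv in advs],
        "external_destinations": external_destinations(device, flows),
        "scan_method": "active" if device.scannable else "passive-only",
        "risk_score": risk_score(device, flows, advisories),
        "remediation": [f"Coordinate firmware update to {adv['fixed_in']} or later with clinical engineering"
                        for adv in advs],
    }


if __name__ == "__main__":
    for dev in sorted(DEVICES, key=risk_score, reverse=True):
        print(build_profile(dev))
```

Two design points carry over to real deployments. The PHI signal comes from what the device actually sends, not from its manual, so a device that is documented as standalone but observed talking HL7 to the EMR is still flagged. And the profile records a scan method per device, so an active scanner is only pointed at devices where that is considered safe, while the rest are covered passively.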

The Need for Security

The life and death nature of healthcare makes it a prime target for ransomware attackers who are looking to extort $$$. If clinicians and staff are cut off from critical clinical systems, patients will be negatively impacted.

This exact situation happened in 2020 when a German woman had to be diverted away from the Dusseldorf University Hospital that was experiencing a ransomware attack. She died after being re-routed to a hospital more than 30km (18.5 miles) away.

Watch the full interview with Jonathan Langer to learn more about Medigate’s data-driven approach to security.

To find out more about Medigate, visit them at https://www.medigate.io/

Medigate is a supporter of Healthcare Scene.

About the author

Colin Hung

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading health IT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is @Colin_Hung.
