Medical devices can be your best asset and your worst nightmare. X-ray machines, defibrillators, and other medical electronics are life-saving technologies, but they can also be easily hacked if not protected.
For example, last year, St. Jude hospital spent months dealing with the ramifications of malfunctioning Merlin@home Transmitter medical devices. The discovered vulnerability allowed remote attackers to access or influence communications between Merlin.net and transmitter endpoints. This meant an attacker, if skilled enough, could change the intended function of devices ranging from pacemakers to defibrillators.
The threat is very real, but still many medical facilities are still behind the curve when it comes to medical device cybersecurity.
When hacks happen to medical devices, terrifying repercussions follow. And ramifications worsen when medical devices connect to a hospital network.
Medical device cybersecurity should be among the top concerns for healthcare organizations — starting with the C-Suite and the hospital CEO in particular — because the ever-growing prospect of a breach not only represents a significant clinical risk, but a financial risk too.
Medical Devices Are the Keys to your Network
Medical equipment such as MRI machines, X-ray machines, and patient monitors are directly connected to hospital networks. These devices are usually accessed via staff login credentials. If hackers are able to obtain login information for medical devices, they have found their backdoor and can run rampant network-wide.
With a path to the entire network, cybercriminals can access and sell protected health data for a handsome profit. Worse still, hackers can attack networks with ransomware which can disable a hospital’s technical capabilities, halt patient care, and raise compliance risks.
Once a computer is hacked, there is little a hospital staff can do. For instance, when the WannaCry attack happened in 2017, hospitals saw computers go down one-by-one as the attack overtook their equipment. The entire staff lost access to computers and medical devices which halted patient care and financial gains. Additionally, data was lost and reputations were damaged.
If this example isn’t enough to convince you of the importance of medical device cybersecurity, maybe the following repercussions will be.
What Are the Repercussions of a Hack?
Upper management and hospital administrators should be concerned over the threat of a medical device security breach because hacks cause far-reaching issues that can be difficult to clean up.
Rebuilding from a Medical Device Security Breach is More Expensive Than Preventing One
In 2017, the Petya attacks caused the Princeton Community Hospital in West Virginia to scrap its entire fleet of computers. According to the Wall Street Journal, officials were unable to restore services and found there was no way to pay a ransom for the return of their system.
The number of computers in a hospital or medical facility can range greatly, so you do the math for your facility. How much would it cost to replace your entire fleet of computers, and how much time would you lose?
And, spending money on a data breach happens all too often.
According to Becker’s Health IT and CIO Report, healthcare companies spend an average of $12.47 million on cybercrime-related expenses each year, making healthcare the fifth most costly industry.
Lost Trust And Credibility
Patients at healthcare facilities are incredibly vulnerable. They must share sensitive personal and financial information with their medical facilities in order to receive care. Most people assume their medical facility has proper security measures in place to protect their data. So, it can be unforgivable when the patient learns their medical facility put their identity at risk.
One of the biggest points of impact a cyber-attacker can affect is a loss of patient trust. If trust is broken at one facility, patients will look other places for medical treatment.
Additionally, if services are halted or slowed due to a breach, medical facilities may experience a drop in their patient care functions. A report conducted by IBM on the impact on reputation from IT risks concluded that when businesses are disrupted for a substantial period of time, it will cause the most damage to the company’s reputation. And, we already know halted patient care is one of the most significant repercussions of a breach.
Patient’s Lives Are at Risk
When patient care is halted, medical facilities are unable to perform to the best of their standards.
Hacking a device like a networked MRI machine allows access to the entire Wi-Fi network. With unlimited access to a hospital’s network, patient safety is a risk. Attackers have the ability to interrupt care by:
- Holding electronic health records hostage
- Breaching protected, private health information
- Taking down the system entirely
And most alarming, causing devices to malfunction.
If hackers have access to medical devices, they have the opportunity to manipulate intended operations of the device.
For example, in 2017, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), released a warning after vulnerabilities in a syringe infusion pump by the manufacturer Smiths Medical were discovered. The security flaw allowed skilled hackers to take control of a pump, and manipulate the quantities of medication administered to a patient. If attackers wanted to, they could administer fatal doses.
The host of issues associated with a medical device security breach are abundant, but none worse than the risk of killing or seriously injuring a patient as a result.
Compliance Shortcomings are Costly
Healthcare breaches are among the costliest because of fees for breaking HIPAA compliance laws. In fact, healthcare breaches cost about 2.5x the amount of similar attacks in other industries, according to the Ponemon Institute.
A recent study conducted by Ponemon Institute calculated the average healthcare data breach costs to be $380 per record. And this can add up quickly. Consider the 2015 Anthem Blue Cross hack where 78,800,000 records were compromised.
In 2017, SSM Health in St. Louis faced heat after medical records from around 29,000 patients were put at risk after they were inappropriately accessed by a customer service call center employee. And, when a similar breach happened to 21st Century Oncology in Fort Myers, Florida, they eventually agreed to pay a $2.3 million fine for putting more than 2.2 million patient records at risk.
Investing in a strong security platform that can protect your medical devices should be a major concern for your organization.
5 Reasons Every Hospital CEO Needs to Prioritize Medical Device Cybersecurity
- Medical devices are the key to an entire, sensitive network
- Cyber attacks are expensive
- Reputations are at risk
- Patient care is halted or compromised
- Compliance issues are created
- Financial implications can be devastating