Cybersecurity: Understanding Telemetry System Vulnerabilities
According to a 2022 report on the security of IoT healthcare devices, patient monitors are the second most common connected device used in hospitals after infusion pumps. Connected telemetry monitoring systems record and transmit the vitals data of ambulatory patients to a remote hub, integrating cardiac data with electronic health records to provide patient-specific information in near-real-time.
Among other benefits, telemetry makes up-to-date, comprehensive health information accessible to clinicians remotely at any time. Furthermore, clinicians can configure telemetry monitors to individual parameters, enabling personalized alerts and precision insights that enhance diagnosis, ongoing care, and the early detection of cardiac events.
However, the ubiquitous nature of telemetry devices, and their access to private patient information, makes telemetry systems an attractive target for cybercriminals. So far, there aren’t any known instances of cyber attacks on telemetry equipment. Nevertheless, concerns regarding a potential attack are growing. Recently, the FBI mentioned mobile cardiac telemetry in a September 2022 alert regarding the dangers presented by insecure medical devices.
The healthcare industry saw a 94% increase in ransomware attacks from 2021 to 2022; hackers breached 72 hospitals affecting 3.2 million patient records in 2021 alone. The simple fact is that hospital administrators, biomedical equipment managers, and technicians can’t afford to ignore vulnerabilities in widely used equipment such as telemetry devices.
Medical device vulnerabilities provide a gateway for hackers
A primary reason why cyber criminals target healthcare organizations is the personal nature of patient data. Trading in illegally obtained private data on the dark web is big business, and medical records can sell for as much as $1000 each. Patient records include both private medical information and identifying details (names, addresses, social security numbers, etc.). Access to this information gives criminals the power to embarrass, steal identities, or manipulate–with a high price tag attached for the victim.
Medical devices are vulnerable to various types of cyber attacks, including:
- Data breaches: an attack in which sensitive, confidential, or proprietary data is stolen.
- Ransomware: an attack that takes over the local network or system, holding it “hostage” until the healthcare organization pays a ransom fee. Patient data is often stolen during ransomware attacks as well.
- DoS: A denial-of-service (DoS) attack floods the network with so much traffic or data that it shuts down.
Hackers could potentially compromise the function of devices such as telemetry monitors, putting patient lives at risk as part of a criminal scheme.
Understanding telemetry system vulnerabilities
The closer a device is to the patient, the more vulnerable it is to cyber attacks because those devices directly affect the patient’s care and safety. Mobile telemetry equipment is physically connected to the patient, transmitting vital signs data that’s integral to safe cardiac care. Additionally, telemetry systems offer criminals a point of access to data-rich servers.
In 2018, the McFee Threat Research team successfully hacked a model version of the data stream between patient sensors and a central monitoring hub. They were able to falsify patient vital signs recordings, including heart rate, blood oxygen levels, and blood pressure. Altering patient data in this way could result in clinicians failing to deliver proper care or administering unneeded care or medication which could cause harm to the patient.
Cyber attacks occur because criminals take advantage of security gaps, such as:
- Insecure passwords
- Devices operating on older versions of Windows
- Insufficiently randomized network addresses
- Network authentication issues
- Software bugs
Fortunately, investing in cybersecurity hygiene can help reduce the chance that criminals can successfully capitalize on these issues.
5 essential steps to secure telemetry equipment
Interdepartmental collaboration is critical when strategizing cybersecurity for telemetry systems, infusion pumps, and other biomedical equipment. Be sure to involve BMETs and clinicians as well as IT. As a first step, the cybersecurity team should perform a vulnerability assessment on all telemetry devices and the network, servers, and computers that interface with them.
The FBI made several recommendations for securing vulnerable devices in its recent alert, including:
Ideally, protect connection endpoints with antivirus software. If the device or hub doesn’t support this, configure the device to require integrity verification whenever it’s disconnected or reconnected to the network.
Identity and access management
Replace default passwords with strong passwords and unique login credentials. Limit the number of logins permitted on each device per year.
Use an inventory management system that tracks all associated software, operating systems, records of any software patches, functional properties, and maintenance timeframes. This helps identify vulnerabilities, ensure patches are installed, and make plans to retire and replace any legacy devices that can’t be secured with a reliable workaround.
Invest in monitoring and reviewing vendor disclosures, recalls, and alerts. Conduct routine vulnerability scans before installing new devices.
Clinicians and techs need training not only in day-to-day security practices but also in how to identify and report potential cyber threats.
The most important message here is “act now.” Cybersecurity for mobile cardiac telemetry devices is an “all-hands-on-deck” effort. The good news is that, with the right resources and solid training, hospital employees have the power to significantly reduce the risk of cyber attacks.
Elite Biomedical Solutions proudly manufactures OEM quality parts in the USA. To learn more about how those products support exceptional ICU and cardiac care and keep hospital telemetry equipment functioning with optimal safety, contact us today.