How to Optimize Medical Device Cybersecurity in 2023
Looking back at medical device cybersecurity headlines in 2022, it’s clear that protecting medical devices from cyber threats is an increasingly demanding and critical priority for healthcare leaders.
A research report released in January found that 50% of connected hospital devices have critical risks. Next, a large-scale study published in March showed 75% of infusion pumps have at least one cybersecurity vulnerability. April saw the FDA's release of new draft guidance for cybersecurity in medical devices. Then a September study by the Ponemon Institute found that 89% of participating healthcare organizations experienced an attack almost every week over one year. Alarmingly, that study also found a link between cyberattacks and increased patient mortality.
At the very end of the year, President Biden signed the omnibus bill, known as the Consolidated Appropriations Act of 2023, into law. Section 3305 of this bill grants the FDA the authority to impose cybersecurity standards on original equipment manufacturers seeking pre-market approval for new medical devices. OEMs must also develop processes to ensure the security of medical devices and associated platforms, including providing software updates and patches.
That's good news for new devices, and it should help galvanize the healthcare industry into taking cybersecurity seriously. Nevertheless, healthcare administrators continue to face an ongoing dilemma created by the rapid digitization of healthcare: how can we protect a baroque technology ecosystem in which equipment of varying ages and sophistication plays a vital role in patient care and safety?
Tackling such a complex challenge will look different for every organization. However, experts have emphasized 5 key areas as imperative for optimizing medical device cybersecurity in 2023. Let’s explore them.
1. Reducing the attack surface with micro-segmentation
Network segmentation refers to a tiered system in which perimeters with firewalls protect isolated sub-networks. This approach reduces the "attack surface," or the number of unprotected areas an attacker can exploit. It means a hacker who gains access to one sub-network cannot reach other segments or the parent network.
Most healthcare organizations have implemented some degree of segmentation at this point. However, threat actors are growing more sophisticated, and healthcare continues to digitize. Traditional segmentation no longer offers sufficient protection.
With micro-segmentation, cloud environments and onsite data centers can be broken down into individual workloads. Micro-segmentation provides more granularity in reducing the attack surface than traditional segmentation and offers organization-wide visibility of all data flow and communications. It's also automated and less error-prone than previous solutions.
2. Implementing zero-trust access
In a zero-trust model, access to network resources and devices always requires identity validation, without exception. The model also requires ongoing enforcement of access controls throughout the session. Zero-trust models require micro-segmentation to operate.
The zero-trust approach acknowledges that network perimeter security measures– firewalls, VPNs, intrusion detection systems–can't protect against all types of threats.
3. Securing IoMT devices
Connected healthcare devices belong to an intricately woven web of communication. Hospital IoMT devices include everything from smart pumps to diagnostic imaging, defibrillators, anesthesia machines, surgical robots, and fall detectors.
In hospitals, most connected devices now integrate with EHR, a primary target of cybersecurity attacks. Having so many devices communicating over the network increases the attack surface. According to research by the Ponemon Institute, 12% of cyber attacks against healthcare organizations targeted IoMT devices in 2020-21.
Tactics for protecting IoMT devices include:
- Network segmentation
- Strong, unique passwords
- Multi-factor authentication
Robust inventory management is the most crucial aspect of securing IoMT devices. Without an accurate inventory, missing or undocumented equipment will remain a vulnerability.
4. Protecting the healthcare cloud
Cloud technologies enable the flow of information across the care continuum, provide AI-enhanced patient engagement, support data-informed medicine, and many other applications. It's not surprising, then, that cloud adoption is rapidly increasing across the healthcare sector.
Cloud computing comes with the added benefit of built-in security infrastructure managed by the cloud services provider. But the growing prevalence of cloud adoption in healthcare also makes cloud applications more attractive to threat actors.
Last fall, Cloud Security Alliance (CSA) released a report warning of an increasing threat of ransomware attacks targeting the healthcare cloud.
The report recommends several security measures, including:
- Installing endpoint protection
- Scanning all emails sent and received for threats
- Boosting network segmentation
If a threat is identified, the best response is usually to disable user accounts, isolate affected systems, and locate the ransomware source, according to the report.
Depending on the threat, CSA recommends that organizations disable user accounts, isolate systems, and identify the source of the ransomware. The cloud services vendor should integrate their response with the healthcare organization. Even if the attack didn't originate within or affect the cloud, the vendor still needs to respond defensively.
5. Educating and including team members in security protocols
Education and awareness among staff are a key defense against cyber attacks. Ensure that clinical, operations, admin, and other staff understand how threat actors exploit insecurities and how security protocols prevent that exploitation.
At the same time, be sure to give team members a seat at the table when developing cybersecurity strategies that affect them. If multi-factor authorization is tripping someone up during patient care, it makes sense to find a different solution. BMETs can beef up IT security efforts, both in strategizing and implementation.
