Just how cyber-risky are modern medical devices?
Patients and medical professionals alike tend to assume that medical devices are secure, particularly given regulations governing healthcare data such as HIPAA, general data privacy laws such as GDPR, and government guidance by agencies like the U.S. Food and Drug Administration. But that often isn't the case.
"More and more medical devices are being connected using vulnerable network stacks or old web server packages, which cannot be easily patched, as it would jeopardize the device's certification for medical use," says Dirk Schrader, global vice president of security research at New Net Technologies, now part of Netwrix.
The risk is increasing in terms of vulnerabilities and attacks. Recently, a study from Forescout Research Labs and Medigate found "13 new vulnerabilities in software [the Nucleus TCP/IP stack] used in medical devices like patient monitors, allowing for remote code execution, denial of service, and information leaks." The researchers estimate that about 2,233 medical devices in Forescout's IoT security monitoring network are potentially at risk from this single set of vulnerabilities.
Where the risks lurk
Unfortunately, medical device vulnerabilities persist despite increasing security risks and renewed efforts to secure them.
"This issue highlights security risks that exist even in newer models of medical devices. A sizable portion of medical IoT devices unfortunately still rely on legacy software that isn't easy to maintain," says Dominic Marcellino, director of strategy and business development at Kajeet.
Although legacy software is a huge problem, it's not the only danger looming out there.
"The problem mainly lies in the legacy software that hasn't been upgraded according to the new guidelines, the ambiguity of the regulations for particular kinds of devices like thermometers and vital monitors, and the sheer number of devices, each with a customized interface, which makes it difficult to track what each one of them is doing," explains Inga Shugalo, a healthcare industry analyst at Itransition.
Vulnerabilities are also rampant in long-serving hospital equipment, "particularly those in the radiological departments, which can be in service for well over a decade," and in newer COVID-induced technologies like telehealth, says Amir Magner, founder and president of healthcare security company CyberMDX. "Third-party remote connection solutions potentially make the system both more attractive and susceptible to attacks if not secured properly."
The list of vulnerable medical devices is long because "the majority are vulnerable," according to Shugalo, and includes such seemingly mundane items as "insulin pumps, smart pens, cardiac implants, and temperature-sensing appliances."
Sometimes the fault lies in oversights rather than in specific technologies.
"In theory, these devices are offline, meaning a ransomware strike would miss an MRI machine or records tablet. But a standard IT ransomware attack could shut down a hospital's critical functions without having to touch the devices," says Sean Tufts, a former NFL linebacker turned critical infrastructure security leader who is currently practice director for the OT and IoT business at Optiv.
Meanwhile, criminals are making off with valuable patient data like bandits. "Unfortunately, medical IoT devices are vulnerable to these new threats, and it's what makes healthcare such a high-value target for hackers. Unlike other industries, where the theft of customer data is among the worst outcomes, in healthcare, lives are at stake—and the hackers know this," says Magner.
Turning the tide in favor of healthcare orgs
As dire as the current situation is, it's not all bad news.
"The state of medical IoT is on the mend, but there is a lot to be done. Healthcare institutions are doing what they need to do for the most part, but there is a lot of variation across the country," says Tom Mustac, senior director of cybersecurity for Mount Sinai Health System. Larger institutions with better financial resources are doing better in this regard, but smaller ones continue to struggle. "This is no different than every other aspect of their operations," says Mustac.
Meanwhile, health organizations can take some proactive steps to further turn the tide in their favor. Perhaps the biggest and most important step is to hold manufacturers accountable for baked-in security—or the lack thereof.
"For healthcare systems, it begins during procurement. It's important to fully understand the security vulnerabilities of the devices being purchased. We are seeing many healthcare organizations change procurement language to require certain security controls and best practices," says Mike Nelson, vice president of IoT security at DigiCert.
"Using a healthcare organization's purchasing power to drive better security is a great way to improve security throughout the industry. The Mayo Clinic and other large healthcare systems have done this," Nelson adds.
Securing systems at the core of the threat can make a significant difference as well.
"The main threat here is that cybercriminals can exploit the points of devices' connectivity to the cloud and reach the 'brain' of the IoT system to take control of sensitive medical data," says Alena Nikuliak, senior business analyst and healthcare IT consultant at ScienceSoft, an IT consulting and software development company.
"Hosting a medical IoT system on a HIPAA-compliant cloud is another way to boost security," Nikuliak adds, noting that it provides secure storage, processing, analysis, and sharing of health information through safeguards in identity and access management as well as network and application firewalls, for example.
Meanwhile, government agencies are still struggling to address security issues. At the end of 2020, a new law was passed to tighten the security of medical IoT devices and establish security standards that must be met for U.S. government purchasing.
But this, too, may prove problematic in securing medical devices while also guarding patient safety. Katerina Megas, who manages NIST's IoT cybersecurity program, said in a briefing that "reactions to NIST's work toward meeting its statutory obligation include concerns that the baseline can't be applied to certain devices which should therefore be exempt, and that NIST's approach would result in splintered federal requirements," according to a Nextgov report.
In the meantime, healthcare organizations are stitching together a hodgepodge of defenses.
"For now, healthcare organizations rely on solutions that help them patch gaps in their IoT device security: automate device identification and monitoring, segment their network, upgrade the software to comply with regulations, and dispose of it securely," says Shugalo. "I think this market segment is going to grow quickly during the next year to help tighten medical IoT security."
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.