Cyber criminals target medical devices to exploit healthcare industry
Medical devices are under threat from cyber criminals and this only adds to the healthcare industry’s ongoing challenge to improve its cyber security posture.
Martin Potgieter, technical director at Nclose, says the increasing use of connected devices, remote work and BYOD policies mean healthcare organisations need to urgently secure their endpoints from cyber attacks that could compromise patient data and safety.
“Criminals looking to steal sensitive data and potentially sell this on the dark web are constantly on the prowl for weaknesses in hospital systems,” says Potgieter.
Nclose points out that medical devices are not only used to collect and transmit patient data, but also to regulate and administer patient treatment. For example, a medical device could monitor a patient’s vital signs or deliver a dose of medication.
But these devices are often not treated like normal PCs that are used by staff or administrators, Potgieter explains. “They have special software and hardware that may not be compatible with standard endpoint security solutions. Moreover, they may not be updated or patched regularly due to regulatory or operational constraints. This makes them vulnerable to cyber attacks that could tamper with their functionality or data integrity.
“Medical devices are very much like operational technology devices similar to what they use in manufacturing, except medical devices are probably a little more sensitive. These devices not only feed information into another system, but also potentially get information from the system to regulate a patient’s treatment.”
Nclose says that, to secure medical devices, healthcare organisations need to consider other controls besides installing endpoint security software.
One possible solution is network segregation, which means creating a separate network for medical devices as opposed to normal devices. This can prevent unauthorised access and reduce the attack surface.
“Another possible solution is using specialised software and solutions that are designed for the medical industry. However, these solutions are not widely adopted in South Africa or in the rest of the world,” Potgieter adds.
Medical device management is not the only cyber security worry for the healthcare industry: it also has to consider the impact of personal devices belonging to – and used by – healthcare professionals at hospitals or other areas of healthcare.
Potgieter explains that these devices are often used to connect to a hospital’s network, which can be a concern. “Doctors often have their own equipment, such as laptops or tablets, that they use to access patient records or other information. Yet, they may not want to install any endpoint security software or follow any security policies imposed by the hospital.”
They may also have insufficient security controls on their devices or lose them accidentally. This creates a risk of data leakage or malware infection.
Potgieter continues: “The nature in which hospitals work is that there is the hospital group and then there is a doctor that has a practice in the hospital, and they have their own equipment, but they need to connect to the hospital network, and the doctors are relatively protective or controlling – like ‘you are not going to put anything on my device, this is my device’.”
Nclose advises healthcare organisations to implement a BYOD policy that defines the rules and responsibilities for using personal devices in the hospital network.
They also need to educate doctors and staff on the importance of endpoint security and the potential consequences of not following best practices. Furthermore, they need to monitor and enforce compliance with the policy using endpoint security tools that can detect and remediate threats.
The cyber security firm says endpoint security is also an ongoing process that requires constant vigilance and care. To maintain a high level of endpoint security hygiene, healthcare organisations need to regularly update their software, scan their devices for vulnerabilities and conduct risk assessments to identify and address any gaps or weaknesses.