Thanks to the Internet of Things (IoT) tech, medical devices are increasingly capable of delivering innovative patient care, with monitoring and support around the clock. However, internet-enabled medical devices are also a prime target for hackers who use malware techniques to compromise functionality. The disruption of medical devices through acts of cybercrime not only puts the privacy of healthcare data at risk it can also endanger a person’s safety.
Ransomware is one of the top healthcare IT safety concerns as IoT-enabled medical device adoption increases. Through its connectivity to the internet, IoT has placed healthcare data closer to the edge at various local hosting sites that transmit data to and from healthcare data centers. This has increased the attack surface size of heatlthcare IT infrastructure.
However, the closer to the edge of networks that information is processed, the greater the risk involved. Data is fast coming far and wide from IoT-enabled medical devices disaggregated for scalability and performance. The emergence of 5G technology will also drive the increase in IoT-enabled devices for healthcare applications.
But enlarging of the attack surface makes it more difficult to manage risk. Additionally, complex systems including robotics are making their way onsite, e.g. robotic devices that will pose a significant threat to patient safety.
Ransomware Payouts a Huge Draw for Hackers Looking to Make Quick Cash
One of the biggest threats to medical devices, ransomware, is a tactic deployed by hackers with the understanding that, with patient safety at risk, cybercrime victims will be quick to pay the ransom. Hospitals and other facilities cannot afford medical device downtime, such as is the case with heart rate monitors. Attacks will increase in frequency, as cybercriminals target indiscriminately. In 2020, ransomware will continue to threaten IT infrastructure and applications, and increase risk within healthcare and other verticals.
There is an increase in interoperability between medical devices and systems. Additionally, an uptick in healthcare mergers and acquisitions (M&As) is calling for the integration of disparate systems. Hackers will likely target M&A infrastructure, which become a porous attack surface hotbed for invasions. For example, hackers may look for unpatched IoT endpoints to exploit.
Healthcare Ranks Cybersecurity Low on the Priority List Despite Inherent Dangers
Unfortunately, cybersecurity is not a top priority for healthcare facility workers. Therefore, healthcare personnel are particularly susceptible to social engineering attacks. The healthcare handles a lot of sensitive data and, therefore, are particularly susceptible to the damaging blows of a cyberattack, including fines and penalties for failure to achieve compliance to external regulating bodies.
Hackers are aware of this and use tactics to target healthcare facilities and medical device manufacturers. One particularly damaging threat is when hackers steal private, sensitive and/or confidential data and leak it when organizations don’t pay the ransom demanded of them. Hackers now have the ability to decrypt data, which is a big concern to facilities that fall under scrutiny by HIPAA. To prevent hackers gaining access to sensitive data, facilities need to have a backup, with offsite data that users can quickly restore.
FDA Increasing Involvement in Securing Medical Devices and Patching Vulnerabilities
On January 23, the FDA issued a public statement asserting that they will allow “devices to be marketed when there is a reasonable assurance that the benefits to patients outweigh the risks.” The FDA has created content that guides medical device manufacturers to implement adequate cybersecurity measures, while effectively communicating security issues that may place patient safety at risk. The FDA has become increasingly vigilant about assessing medical devices to keep the public informed of any threats and vulnerabilities.
The FDA is beginning to work more closely with manufacturers, healthcare providers, security researchers and government agencies to address security issues throughout the product’s entire product lifecycle. Most recently, the FDA warned against a vulnerability in GE devices, and issued information to patch them. Read more in the FDA document Postmarket Management of Cybersecurity in Medical Devices and FDA Fact Sheet: The FDA’s Role in Medical Device Cybersecurity – Dispelling Myths and Understanding
Shadowhammer Cyberattacks Distributes Malware through System’s Automatic Software Update
A more recent form of cyberattack, known as Shadowhammer, also poses potential threat to medical devices. In March of 2019, ASUS, a manufacturer of laptops, netbooks and other tech devices, released news that they were targeted by hackers who used Shadowhammer to infiltrate its Live Update tool. Bad actors created legitimate-seeming software updates that distributed malware on customer notebooks. It was reported that a threat entity named Barium implanted malware in digitally signed files. Hackers then pushed them to ASUS devices. More than 1 million devices were impacted between June and September of 2018.
Shadowhammer can be considered an Advanced Persistent Threat (APT) because they are:
- Difficult to detect
- Capable of infecting a large number of devices at once
How to Counter New and Emerging Cyber Threats
To counter Shadowhammer and other cybersecurity threats, facilities and consumers will have to adopt a zero-trust approach that restricts access, enforced by stringent identity verification for anyone requesting access to device resources. It doesn’t matter where the person with respect to the private network. Security leadership will need to get up to speed with emerging threats that come with new technologies. Other strategies include:
- Identifying vulnerabilities along the attack surface
- Patching vulnerabilities, updating application software and making bug fixes
- Investment in people, processes and technology
Healthcare Must Seek Ways to Secure Against Dangerous Hacks By Using ThreatModeler
Threat modeling is a way to visualize an attack surface, and understand where threats may compromise security vulnerabilities. ThreatModeler is paving the way for medical device manufacturers and healthcare facilities to build more secure IT infrastructure. The platform has already created templates for Pacemaker, Pacemaker Device and X-Ray Machine. In addition, ThreatModeler has a Healthcare Cyber Physical System already built out to help healthcare organizations secure their IT ecosystem and ensure cybersecurity policy is met, such as HIPAA.
The FDA recommends that healthcare organizations threat model to improve on their security posture. To learn more about how ThreatModeler can help you to identify, prioritize and mitigate threats, we recommend scheduling a live demo. You can also contact us to speak with a threat modeling expert.