Connected medical devices can improve patient care and operational efficiency. However, they also introduce new privacy and security risks. Healthcare providers should rethink their privacy and security practices in light of these new risks.
According to the Office of the Australian Information Commissioner’s (OAIC) latest Notifiable Data Breaches (NDB) report, the health sector accounted for 21 per cent or 54 of the 150 breaches reported between 1 October 2018 and 1 December 2018.
In addition, the global Internet of Things (IoT) healthcare market is expected to grow by 37.6 per cent between 2015 and 2020, opening up more devices to attack. That’s a frightening statistic considering that the healthcare industry already ranks second in data breaches.
Healthcare organisations face two major security challenges:
- They are prime targets for hackers
- Their attack surface expands every day as more and more medical devices are connected to networks.
When it comes to cybersecurity in the healthcare space, there is a need to recognise that information security and medical device cybersecurity are different, and need to be protected in different ways.
This means taking a visibility-first approach when it comes to medical devices and ensuring that the cybersecurity in place to classify and protect these devices is specifically designed to support them.
According to the Therapeutic Goods Administration (TGA), the Australian regulatory framework for medical devices already captures cybersecurity. Manufacturers have been considering security in their design, and the TGA has been assessing and regulating the security of medical devices through the Essential Principles.
However, as the number of networked devices is growing, the risk profile is changing and public awareness of cybersecurity as a risk is increasing.
This changing landscape has created new challenges for regulators of medical devices, including poor or unclear standardisation, sharing information, publication of vulnerabilities and exploits by users and security researchers, and poor transparency of expectations between stakeholders.
Clinical devices such as glucometers, electrocardiograms and drug infusion systems are potential targets for hackers despite the efforts of manufacturers to secure their products. Considering the essential role these and other devices play in delivering critical care to patients, extra measures need to be taken to protect them.
For example, in any patient care scenario there is a mix of physical and virtual IT endpoints: IoT assets that often can't accept agents for technical or regulatory reasons, building automation devices that are overlooked, and clinical devices that run legacy operating systems or applications that don't meet typical security standards.
The main considerations for healthcare providers when it comes to security include:
- An increased number of medical devices on networks, often using outdated operating systems or uncommon firmware
- Mobile devices, which are harder to track and secure
- A wide variety of people connecting to and disconnecting from the network: healthcare personnel, office staff, patients, guests and maintenance teams all require different policies
- Ensuring the integrity and security compliance of a mix of IT, IoT, medical and environmental devices without disrupting operations
- Clinical engineering teams receiving mixed priorities about what they can do to their legacy equipment to maintain regulatory compliance without impacting patient care
- Protecting patient records from loss and cyber incidents to maintain the integrity and confidentiality of electronic information
- Third-party vendors and service providers accessing the healthcare network need oversight to prevent security missteps.
Healthcare organisations need to be able to safely expand network access to clinicians, caregivers, research organisations and contractors while securely embracing agentless medical devices.
This means finding a platform that lets them:
- Discover, classify, assess and continuously monitor devices, including personally-owned and agentless medical devices
- Enforce security posture and regulatory compliance policies
- Notify users, restrict or block access, and automate network segmentation
- Orchestrate and automate security among third-party security tools.
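To make the "discover, classify, then segment" sequence concrete, the Python sketch below is an added illustration (it is not Forescout's code or the logic of any product mentioned here). It takes the kind of passive evidence a network sensor can gather without installing anything on the device (MAC address, DHCP hostname, OS fingerprint, observed service ports), derives a device class and a legacy-OS risk flag, and maps the result to a segmentation policy. Every device record, vendor OUI prefix, port-to-protocol mapping, hostname convention and policy name is a constructed assumption for the example.

```python
"""Agentless device classification and segmentation-policy assignment.

Added example, not vendor code. All OUI prefixes, hostnames, ports and policy
names below are constructed sample values chosen to illustrate the approach.
"""
from dataclasses import dataclass, field

# Constructed OUI table: first three MAC octets -> vendor category (assumption).
OUI_VENDOR_CLASS = {
    "00:1A:2B": "medical",   # hypothetical infusion-pump vendor
    "00:3C:4D": "medical",   # hypothetical bedside-monitor vendor
    "00:5E:6F": "building",  # hypothetical HVAC controller vendor
}

# Operating systems that no longer receive vendor security updates (illustrative).
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Embedded 2009"}

# Assumed port conventions: DICOM (104), HL7 over MLLP (2575), BACnet (47808).
MEDICAL_PORTS = {104, 2575}
BUILDING_PORTS = {47808}

# Assumed naming convention for agent-capable, centrally managed staff endpoints.
MANAGED_DOMAIN = ".corp.example"


@dataclass
class Observation:
    """Passive evidence about one endpoint; nothing is installed on the device."""
    ip: str
    mac: str
    hostname: str
    os_fingerprint: str
    open_ports: frozenset


@dataclass
class Decision:
    device_class: str
    legacy_os: bool
    policy: str
    reasons: list = field(default_factory=list)


def classify(obs):
    """Derive a device class from vendor OUI, observed protocols and naming."""
    reasons = []
    oui = obs.mac.upper()[:8]
    device_class = OUI_VENDOR_CLASS.get(oui)
    if device_class:
        reasons.append(f"OUI {oui} registered to a {device_class} vendor")
    if obs.open_ports & MEDICAL_PORTS:
        device_class = device_class or "medical"
        reasons.append("medical protocol service (DICOM/HL7) observed")
    elif obs.open_ports & BUILDING_PORTS:
        device_class = device_class or "building"
        reasons.append("BACnet service observed")
    if device_class is None:
        if obs.hostname.endswith(MANAGED_DOMAIN):
            device_class = "corporate"
            reasons.append("hostname in managed domain")
        elif obs.hostname:
            device_class = "guest"
            reasons.append("hostname present but outside managed domain")
        else:
            device_class = "unknown"
            reasons.append("no classifying evidence yet")
    legacy = obs.os_fingerprint in LEGACY_OS
    if legacy:
        reasons.append(f"unsupported OS fingerprint: {obs.os_fingerprint}")
    return Decision(device_class, legacy, assign_policy(device_class, legacy), reasons)


def assign_policy(device_class, legacy):
    """Map class and legacy-OS risk to a segmentation policy (illustrative names)."""
    if device_class == "medical":
        # Legacy clinical gear cannot be patched or agented: isolate it rather than block it.
        return "isolate-clinical-legacy" if legacy else "clinical-vlan"
    if device_class == "building":
        return "ot-vlan"
    if device_class == "corporate":
        return "remediate-then-admit" if legacy else "corporate-vlan"
    if device_class == "guest":
        return "guest-vlan"
    return "quarantine"  # visibility first: unknown devices stay restricted until classified


def plan(observations):
    """Return a decision per IP for a batch of observations."""
    return {o.ip: classify(o) for o in observations}


# Constructed sample inventory: one record per device type discussed above.
SAMPLE_OBSERVATIONS = [
    Observation("10.20.1.15", "00:1a:2b:11:22:33", "", "Windows XP", frozenset({2575})),
    Observation("10.20.1.40", "00:5e:6f:aa:bb:cc", "", "Embedded Linux", frozenset({47808})),
    Observation("10.30.2.7", "a4:b5:c6:01:02:03", "ws-rad-07.corp.example", "Windows 10", frozenset({3389})),
    Observation("10.40.3.9", "d8:e9:f0:44:55:66", "Visitor-Phone", "iOS", frozenset()),
    Observation("10.20.1.99", "02:00:00:de:ad:01", "", "unknown", frozenset()),
]

if __name__ == "__main__":
    for ip, d in plan(SAMPLE_OBSERVATIONS).items():
        print(f"{ip:12} {d.device_class:9} legacy={d.legacy_os!s:5} -> {d.policy}")
        for r in d.reasons:
            print(f"{'':12}   - {r}")
```

The design point is that the infusion pump with an unsupported OS is neither admitted to the clinical VLAN nor simply blocked (which would disrupt care); it lands in a dedicated isolation policy, while anything the sensor cannot yet classify is quarantined until the evidence improves.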
With the volume of networked devices growing and the risk profile increasing, it has become clear that medical device security standards in Australia are lacking, while public awareness of security is growing.
This means that healthcare providers need to take a proactive approach to medical device classification to mitigate the risk and prepare for potential future requirements.
Steve Hunter is the Senior Director for Asia Pacific and Japan at Forescout.