Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting their safety and effectiveness. Increasing connectivity of these devices to computer networks, and the convergence of technologies, has exposed vulnerable devices and software applications to incidents. The need to protect patient data from cyber-attack is now well understood. However, the potential impact on clinical care and patient safety is raising concerns for healthcare organizations, regulators and medical device manufacturers alike: an attacker who reaches a device may not only read its data but also take control of the device itself.
There has been rapid growth in the number and types of medical devices, often connected to smart devices such as mobile phones, tablet computers and wearables, which themselves run medical applications and software. These devices are already found in homes today. Risks are set to increase further with adoption of the Internet of Things (IoT) by healthcare organizations and consumers. The convergence of networking, computing technology and software has enabled increasing integration of Hospital Enterprise Systems/Information Technology (IT) and Clinical Engineering (CE), and of suppliers through remote connectivity. Cloud-based services and the use of 'big data' analytics will extend this integration further.
Who are the adversaries to healthcare and what are their motivations?
Threats come from a variety of sources: adversarial; accidental and structural (system complexity, human error, accidents and equipment failures); and environmental (natural disasters). Adversarial groups or individuals, also known as threat actors, have varying capabilities, motives and resources:
• Attackers (includes those known as ‘Hacktivists’) – undertake attacks for thrill seeking, the challenge or to further an agenda. Tools have become more sophisticated, easier to use and freely available, leading to a dramatic increase in attacks from less technically knowledgeable individuals;
• Bot-network operators – take control of multiple systems to perform attacks and distribute phishing schemes, malware and spam. Services may be sold on for denial of service attacks or for relaying spam and phishing attacks;
• Criminal groups – organized criminals attack systems for monetary gain; their methods include spam, phishing schemes and spyware/malware attacks used to commit identity theft and online fraud. Industrial espionage, ransomware and extortion under threat of cyber-attack are further criminal threats. Access to compromised networked systems may be sold on to third-party criminals as a service;
• Insiders – employees and vendors who have unrestricted or less restricted access to systems, and who may be disgruntled or may unintentionally introduce malware or undesirable changes;
• Phishers – individuals or groups that perform phishing schemes in order to steal identities and information for monetary gain;
• Spammers – send unsolicited email, possibly containing hidden or false information, conduct phishing schemes and denial of service attacks;
• Spyware/malware authors – produce and distribute malware for malicious purposes, often for monetary gain;
• Terrorists – seek to disrupt, destroy or exploit critical infrastructure to threaten national security. Terrorists may use spyware/malware and phishing schemes to fund activities;
• Industrial spies – seek to gain intellectual property and knowledge using clandestine methods. It is widely reported that some nation states and their proxies are very active.
The inherent security risk with medical devices is that they can potentially expose both data and control of the device itself. This raises a tension between safety and security, which requires greater stakeholder collaboration to address, particularly in design and regulatory approaches. These stakeholders now include regulators, device manufacturers, healthcare organizations, IT suppliers, and patients themselves.
Threats and vulnerabilities cannot be eliminated; therefore, reducing cybersecurity risk is a matter of continuous management rather than a one-off fix. The health care environment is complex, and manufacturers, hospitals and facilities must work together to manage cybersecurity risks.
ALFATEC Group works with Entrust and its technology partners to deliver complete solutions that secure medical device manufacturing, ensure trust in deployed device ecosystems, and protect data privacy and integrity.
With increasing cyber-attacks, data privacy regulations and the use of smart devices, healthcare organizations and medical device manufacturers need touchless access and secure connectivity. Entrust nShield HSMs provide the root of trust for device and user authentication, data privacy and encryption: the signing and key-derivation keys on which device credentials depend are generated and used inside the HSM and are never exported, so credentialing and other cryptographic operations remain trustworthy even if the surrounding servers are compromised.
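The root-of-trust idea above can be made concrete with a small worked example. The code below is an added illustration written for this page; it is not Entrust or ALFATEC code and does not use any real HSM API. A SimulatedHsm class stands in for the hardware module: it holds a root key that is never returned to callers and only performs derivations on request. At manufacture, each device receives its own key derived from that root; at the hospital, a verifier authenticates the device with a single-use challenge and asks the HSM for the matching key on demand, so no database of device secrets exists outside the HSM boundary. Device identifiers, the derivation label and the symmetric challenge-response scheme are assumptions chosen for the illustration (a production deployment would typically issue X.509 device certificates from an HSM-held CA key instead).

```python
import hashlib
import hmac
import secrets


class SimulatedHsm:
    """Stand-in for a hardware security module (assumption: not a real HSM API).

    The root key lives only inside this object and is used only through
    derive_device_key(); no method returns it, mirroring the non-exportable
    key property a real HSM enforces in hardware.
    """

    def __init__(self, root_key: bytes) -> None:
        self._root_key = root_key  # never leaves the "HSM boundary"

    def derive_device_key(self, device_id: str) -> bytes:
        # Per-device key = HMAC-SHA256(root, label || device_id).
        # Compromise of one device key reveals neither the root key
        # nor any other device's key.
        label = b"device-auth-v1|" + device_id.encode("utf-8")
        return hmac.new(self._root_key, label, hashlib.sha256).digest()


class Device:
    """A networked medical device holding only its own credential."""

    def __init__(self, device_id: str, device_key: bytes) -> None:
        self.device_id = device_id
        self._key = device_key  # installed at manufacture; root key never seen

    def respond(self, challenge: bytes) -> bytes:
        # Proof of possession: MAC over the verifier's challenge and own identity.
        msg = challenge + self.device_id.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()


def provision_device(hsm: SimulatedHsm, device_id: str) -> Device:
    """Manufacturing step: the HSM derives the device key; the device stores it."""
    return Device(device_id, hsm.derive_device_key(device_id))


class Verifier:
    """Hospital-side authentication service.

    It holds no device secrets of its own; for every check it asks the HSM
    to re-derive the expected key, and it accepts each challenge only once.
    """

    def __init__(self, hsm: SimulatedHsm) -> None:
        self._hsm = hsm
        self._outstanding = set()  # challenges issued but not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def authenticate(self, device_id: str, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already-used challenge: replay rejected
        self._outstanding.discard(challenge)  # single use, even if the check fails
        key = self._hsm.derive_device_key(device_id)
        msg = challenge + device_id.encode("utf-8")
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    hsm = SimulatedHsm(bytes(range(32)))  # constructed root key for the demo
    verifier = Verifier(hsm)
    pump = provision_device(hsm, "infusion-pump-0042")

    c = verifier.new_challenge()
    r = pump.respond(c)
    print("genuine device:", verifier.authenticate("infusion-pump-0042", c, r))
    print("replayed response:", verifier.authenticate("infusion-pump-0042", c, r))

    c2 = verifier.new_challenge()
    rogue = Device("infusion-pump-0042", b"not-the-real-key")
    print("rogue device:", verifier.authenticate("infusion-pump-0042", c2, rogue.respond(c2)))
```

Two properties of the design are worth noting. Because the verifier re-derives keys through the HSM instead of storing them, an attacker who steals the verifier's disk or memory obtains no device credentials; and because every challenge is consumed on first use, a captured response cannot be replayed to impersonate the device later.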
New approaches to dealing with increasing cybersecurity threats recommend that all parties collaborate to identify and assess cyber risks and threats, plan mitigations, and prepare an appropriate incident response so that patient safety and security are maintained.
Ask us for more information about healthcare security and Entrust solutions.