Skip to main content

Medical device manufacturers against healthcare malware and ransomware

(Image credit: Image Credit: Photo_Concepts / iStock)

Dealing with cybersecurity in the contemporary healthcare environment is undoubtedly challenging, and some aspects of this can even be overlooked by those familiar with the field. One such issue is the dangers of medical devices being hacked and used to penetrate company systems. And this will become an ever-increasing threat as the Internet of Medial Things becomes prominent, and health devices are connected to the Internet.

Increasing problems

Indeed, this is already becoming an issue. A survey conducted by the College of Healthcare Information Management Executives (CHIME) discovered that nearly 20 per cent of provider organisations had experienced their devices being subjected to malware or ransomware in the past 18 months. This is more than a major annoyance; such incidents threaten network security and even continuity of care.

So securing medical devices should be a priority for all organisations in the healthcare industry. Yet this can be difficult to achieve, with the level of systems knowledge on such devices less prevalent than for other more conventional computing equipment. Safeguarding these devices often requires support, particularly as the risk grows exponentially due to the increasing levels of interconnectedness.

When dealing with security breaches, the reality is that manufacturers of medical devices are often to blame. Indeed, a study conducted by CHIME found that 96 per cent of providers pointed to manufacturer errors as being central to data breaches and device-related security issues. This may be a sobering reality, but no matter how much healthcare providers may be reassured that devices are secure, they need to start out from a point of assuming that they are, in fact, vulnerable.

Active partnerships

Yet even the possession of this knowledge may not be enough to form active partnerships with device manufacturers, as many healthcare organisations already find that their existing IT resources are stretched. In the CHIME study, 76 per cent of providers concluded that their resources were “insufficient and too strained to adequately secure medical devices.”

Nonetheless, there is some room for optimism. This may be a relatively new field, but already established security companies are coming forward to assist with eliminating malware from medical devices. McAfee is one of the big names involved, and the esteemed company is already working closely with medical device manufacturers in an attempt to thwart attacks and comply with an increasingly strict regulatory environment.

With this in mind, devices are now being produced with a variety of different security measures built-in. These can include application control, whitelisting, anti-virus and anti-malware protection, device security management, advanced data protection, and encryption. Aside from this, device manufacturers are working on ensuring that device management is more streamlined, providing less potential for ransomware and malware to be installed in the first place. With customisation also possible, the design requirements for all medical devices can be ably met by both manufacturers and malware protectors.

Siemens Healthineers has recently spoken out on the dangers of malware and ransomware in the medical environment, and how medical practitioners need to be ready to meet this threat. Siemens has become a leader in diagnostics and medical equipment and has recognised that system security can be compromised by vulnerable medical devices. Thus, the company has worked closely with McAfee in order to craft a suitable solution.

And the Siemens Ultrasound System Security is the result of this collaboration, providing an antivirus solution that is powerful and highly flexible. And the RapidLab1200, also developed via a partnership between the two organisations, uses McAfee whitelisting to secure the device, preventing any unauthorised applications that may do damage from running on medical devices.

Pooling resources

This early partnership is indicative of the fact that safeguarding medical devices will require a joint effort from the provider organisations and device manufacturers. There is no silver bullet nor easy answer at this point in time, rather medical experts in both the hardware and software departments will need to pool their resources over a period of time.

However, the good news is that many companies and organisations in the healthcare environment are beginning to get on top of the problem. At least, this is the case according to Adam Gale, president of KLAS Research, whose organisation recently authored a major benchmarking report. “Many providers have the basic building blocks for a general security program in place and are making progress, although it is difficult and time-consuming, toward developing a mature program. We also are seeing some manufacturers being more proactive and accountable,” Gale observed, suggesting that clinical partners can begin to solve the malware issue in the foreseeable future.

Another influence on securing healthcare devices from virus influences will be the legislative environment created by governance. In this regard, government oversight will play a critical role in improving security, and in this area, there is definitely room for improvement. When CHIME spoke to manufacturers of devices on the subject of government regulation, several noted that regulations from the US Food and Drug Administration (FDA) actually hinder security by making certain necessary changes legally impossible.

The FDA has already implemented measures in an attempt to improve the situation, with a memorandum of agreement having been inked between the organisation and the Department of Homeland Security. This is intended to secure a framework, which will enhance coordination and information sharing about potential medical device vulnerabilities, according to Suzanne B. Schwartz, the FDA’s associate director for science and strategic partnerships.

Simple steps

In the meantime, ensuring that devices are updated regularly, that all patches are applied as soon as possible, recruiting experts in the security field, and layering security solutions can help protect systems and medical devices, even hackers do manage to exploit a particular vulnerability. As the use of the connected medical devices continues to expand, the battle between hackers and device security is only just beginning.

Julie Cole, (opens in new tab)
Image Credit: Photo_Concepts  / iStock

Member of cybersecurity experts team with over 10 years of experience reviewing password managers, VPNs, email providers.