This article is written by John Halamka, M.D., president, Mayo Clinic Platform, and Paul Cerrato, senior research analyst and communications specialist, Mayo Clinic Platform.
If you ask health care executives what keeps them up at night, many would sum up their worries in one word: ransomware. By one estimate, 56% of organizations suffered a ransomware attack in the last year. While there are countless ways in which a cyberthief can penetrate a facility’s computer network to block access to essential data, one avenue that gets too little attention is through wearables and related medical devices. A growing number of providers are now allowing patients to send data from blood glucose monitors, blood pressure cuffs, bed sensors, and portable EKG devices to their networks. And during the COVID-19 pandemic, many more clinicians are working remotely using their own laptops, tablets and smartphones to access a hospital or office EHR system. All these connections are potential opportunities for hackers to infiltrate your computer network. And the word potential doesn’t fully capture the danger.
In 2019, for instance, FDA issued an alert to health professionals warning about a cybersecurity vulnerability affecting Medtronic implantable cardiac devices (ICDs), programmers and home monitors. The agency found the vulnerability in the wireless telemetry technology used to communicate between the ICDs, clinic programmers and home monitors. Similarly, the company that makes the OneTouch insulin pumps notified patients using the device of the possibility that it could be hacked and reprogrammed, which could have life-threatening consequences.
During a recent conversation with Leon Lerman, CEO of Cynerio, a cybersecurity solutions firm, he explained that once a hacker infiltrates a computer network, often through a phishing scam and malware, medical devices become easy targets. That’s the case for several reasons, including inadequate segmentation and outdated operating systems. Virtual local area networks (VLANs) are one way to address the issue because they limit the number of users allowed to have access to a specific part of the network. Unfortunately, a study sponsored by Forescout, a security firm, found “only 49 percent of medical devices were deployed across 10 virtual local access networks (VLANs) or fewer ….”
Outdated operating systems, an easy access point for hackers, remain a persistent problem for health care providers, as are outdated software applications. An international survey involving 600 health care IT professionals in 2019 found more than 1 out of 4 organizations were still running Windows 7 on their medical devices. The danger posed by this practice may not be immediately obvious to most clinicians, but because many older OSs are no longer supported by their manufacturers, security patches are no longer available to block newly designed digital threats. Of course, health care providers running currently supported operating systems can also fall victim to cyberattacks if they fail to install security updates as soon as they become available. That’s how the infamous WannaCry ransomware worm was able to penetrate the NHS and numerous other networks; it affected more than 200,000 computers worldwide in 150 countries. Microsoft had already issued a security patch before the WannaCry incident, but many organizations had neglected to install it in time.
One of the challenges in keeping operating systems up to date is the restrictions that hospital IT teams face when they try to address the issue. Most devices are black boxes in the sense that the manufacturer does not allow users to touch the software; doing so without the company’s permission usually voids the warranty. That makes it virtually impossible for a hospital or medical practice to install security updates to legacy OSs, even when they are available. If the device manufacturer is cooperative, it may be possible to have their technicians do these updates. When that’s not an option, segmentation becomes all the more important.
Fortunately, many device manufacturers are now beginning to realize that their reputations depend upon developing machinery that is not just clinically functional but hardened to cyberattacks. Many new devices come with a Manufacturer Disclosure Statement for Medical Device Security (MDS2) that spells out the security protocols used on the device, whether anti-malware software has been installed, and whether it should even be connected to the Internet.
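The three criteria the preceding paragraphs describe (an operating system past its vendor's end of support, security updates not applied promptly, and medical devices sharing a VLAN with general-purpose workstations or connected to the Internet against the MDS2 guidance) can be turned into a routine audit of a device inventory. The script below is an added example written for this article, not code from Mayo Clinic Platform, Cynerio or Forescout; the inventory, the device names, the `mds2_internet_ok` field and the 30-day patch threshold are assumptions, while the two end-of-support dates are Microsoft's published ones.

```python
from dataclasses import dataclass
from datetime import date

# Vendor end-of-support dates (published by Microsoft): after these, no security patches ship.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

@dataclass
class Device:
    name: str
    kind: str                      # "medical" or "workstation"
    os: str
    vlan: int
    patched_on: date               # date the last security update was applied
    mds2_internet_ok: bool = True  # assumed field: MDS2 says an Internet connection is acceptable
    internet_reachable: bool = False

def audit(devices, today, max_patch_age_days=30):
    """Return (device name, finding) pairs for the risks the article lists."""
    findings = []
    # VLANs that carry general-purpose workstations; a medical device on one of them is not segmented.
    workstation_vlans = {d.vlan for d in devices if d.kind == "workstation"}
    for d in devices:
        eos = END_OF_SUPPORT.get(d.os)
        if eos is not None and today > eos:
            findings.append((d.name, f"unsupported OS {d.os}: no security patches since {eos}"))
        elif (today - d.patched_on).days > max_patch_age_days:
            findings.append((d.name, f"security updates not applied for {(today - d.patched_on).days} days"))
        if d.kind == "medical" and d.vlan in workstation_vlans:
            findings.append((d.name, f"shares VLAN {d.vlan} with general workstations (not segmented)"))
        if d.kind == "medical" and d.internet_reachable and not d.mds2_internet_ok:
            findings.append((d.name, "Internet-reachable although its MDS2 advises against it"))
    return findings

# Constructed sample inventory; the devices and dates are invented for this example.
SAMPLE = [
    Device("infusion-pump-01", "medical", "Windows 7", 10, date(2019, 12, 1), mds2_internet_ok=False, internet_reachable=True),
    Device("bedside-monitor-02", "medical", "Linux", 20, date(2021, 3, 1)),
    Device("nurse-ws-03", "workstation", "Windows 10", 10, date(2021, 3, 10)),
    Device("glucose-gw-04", "medical", "Windows 10", 30, date(2020, 11, 1)),
]

def run_sample():
    """Audit the constructed inventory as of an assumed review date."""
    return audit(SAMPLE, date(2021, 3, 15))

if __name__ == "__main__":
    for name, finding in run_sample():
        print(f"{name}: {finding}")
```

Feeding the script a real inventory (for example, an export from an asset-management or network-access-control system) turns the article's checklist into something that can run on a schedule.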
The adage about necessity being the mother of invention certainly applies to the Internet of Medical Things. As the health care ecosystem experiences more cyberattacks, we learn to adapt and, out of necessity, develop creative tools to defend our networks. Most importantly, we learn more effective ways to protect our patients—our number one priority.