Keeping Medical Devices, Services and Data Safe from CyberAttacks
By Alan Grau, VP of IoT/Embedded Solutions, Sectigo
In the last few years, hospitals and medical facilities have been successfully targeted by cyber crooks looking to exploit or wreak havoc on the healthcare sector and its patients. Emboldened by the industry’s slow progress in adopting technologies that harden medical devices and data systems, criminals have upped their game.
HealthITSecurity.com reported that this year, at least six health care providers have been victimized by ransomware attacks. In June 2019, NEO Urology was attacked and ended up paying $75,000 to regain access to their system and data. In February 2019, a ransomware attack on the Southeastern Council on Alcoholism and Drug Dependence resulted in them having to notify 25,148 patients that their data was potentially breached. These are just the attacks that have been reported; experts assume that many other attacks have occurred but kept confidential.
Patient’s personal medical data can also be accessed, sold and used for nefarious purposes. According to CBS News and Protenus, in 2018, 222 medical companies reported hacking incidents, affecting more than 11 million patient records. HIPPA compliance becomes the least of a patient’s privacy worries when their medical records and credit card data are being sold on the dark web.
The cost of inaction, starting with something as obvious as email security, can be steep for healthcare organizations. According to Security Intelligence Magazine, the FBI in 2017 found that BEC (Business Email Compromise) and email account compromise represented the highest reported losses—costing 15,690 business victims a collective $676 million.
It’s also becoming more critical to outsmart cybercriminals by protecting connected medical equipment. For example, according to HealthcareIT News, the FDA said that several Medtronics’ insulin glucose pumps (now recalled) could have been remotely be taken over and induced to mis-perform, leading to dangerous healthcare consequences. Hardening these devices needs to start on the assembly line, and continue throughout the supply chain, from the processors and components inside the devices, to the software updated over the air.
Medical devices need to be protected against cyberattack, from original manufacturer assembly lines to updates in the field.
Cybersecurity risks extend to patient safety as well. For example, if an iWatch or similar personal health monitoring device falsely indicates that a person’s heartbeat is too slow or too fast, the worst that can happen is that the patient may get needlessly worried. However, if a pacemaker gets hijacked, it is possible to either speed up or slow down readings of the electrical pulses regulating the heart, impacting the behavior of the pacemaker. In the case of a glucose monitor used for diabetic patients, a false indication of blood sugar levels, combined with the incorrect “automatic” dosage of insulin, could become deadly.
How can the medical community immunize to prevent attacks?
We are living in a dynamic Internet of “Things” world where every ‘thing’ has some form of connected computer. By building security controls and policies into every device, medical manufacturers can not only prevent attacks that originate over the Internet, but also ensure that their equipment is not carrying a hidden malware payload injected during the manufacturing process.
To start: better knowledge and practices for website, network and database security using digital certificates and online security policies can ensure that medical organizations that use the internet to transfer and store information, conduct online transactions, and provide personal data, are secure from most common hacking attempts. By ensuring that every website, server, mobile device, application, and piece of equipment has a digital identity that is authenticated (enabling encrypted communications), companies greatly deter hackers. Keeping hackers out of the IT networks reduces risk of attacks against medical devices and other systems inside the network.
Advancements in email security, such as using Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates to secure email communication, provide protection against phishing attacks and BEC attacks—safeguarding from having employees inadvertently open malicious emails from fraudsters. Securing emails closes one more door to hackers, who would otherwise gain access to networks housing personal and financial data or cripple and hold systems ransom.
Equally important is building security into a device. This requires security features that protect the device from attack, protect the integrity of the device, and enable device identity. The good news is that manufacturers, suppliers, and developers in the sector are increasingly adopting best-practice technologies for connected device security, including:
- Secure Boot – Provides embedded software APIs that ensure software integrity from the initial “power on” to application execution and enable developers to securely code sign boot loaders, microkernels, operating systems, application code, and data.
- Device Identity Certificates – Injecting digital certificates into devices during manufacturing, enabling devices to be authenticated when installed on a network and before being able to communicate with other devices in the system. This ensures devices cannot be spoofed and provides protection from counterfeit devices being introduced into the network.
- Embedded Firewall – Works with Real Time Operating Systems (RTOS) and Linux to configure and enforce filtering rules, preventing communication with unauthorized devices and blocking malicious messages.
- Secure Element Integration – OEMs and medical device manufacturers should integrate a variety of Secure Elements, such as Trusted Platform Module (TPM) compliant secure elements to provide secure boot, PKI enrollment using key-pairs generated within the secure element, and device attestation.
- Secure Remote Updates – Validate firmware is authenticated and unmodified before permitting installation of firmware updates, ensuring components have not been modified and are authenticated modules from the original equipment manufacturer (OEM).
The medical device developers and manufacturers that have implemented these security protocols and technologies have made huge strides in preventing remote attacks from infecting their devices and networks with malware, or inviting ransomware attacks. By adopting these modern security solutions, the industry ensures that the sub-assemblies and components, sourced from all over the world, as well as the various processors, boards, sensors, etc., built into their medical systems, are also safe from hacking.
Keeping medical devices and information safe from cyberattack is not simple and will never be perfect. It’s an ongoing battle. Cyber criminals are always improving their methods and developing new, clever attack vectors. However, by staying up to date with the latest cybersecurity trends and using smart security procedures and software, manufacturers, medical facilities—and their patients—can gain the best preventative immunization available.
About the Author
Alan Grau has 25 years of experience in telecommunications and the embedded software marketplace. He is VP of IoT, Embedded Solutions IoT at Sectigo, the world’s largest commercial Certificate Authority and provider of purpose-built, automated PKI solutions. Alan joined Sectigo in May 2019 as part of the company’s acquisition of Icon Labs, a leading provider of security software for IoT and embedded devices, where he was CTO and co-founder, as well as the architect of Icon Labs' award-winning Floodgate Firewall. He is a frequent industry speaker and blogger and holds multiple patents related to telecommunication and security.
Prior to founding Icon Labs, Alan worked for AT&T Bell Labs and Motorola. He has an MS in computer science from Northwestern University.
Sectigo provides award-winning, purpose-built and automated PKI management solutions to secure websites, connected devices, applications, and digital identities. As the largest commercial Certificate Authority, trusted by enterprises globally for more than 20 years, and more than 100 million SSL certificates issued in over 200 countries, Sectigo has the proven performance and experience to meet the growing needs of securing today’s digital landscape. For more information, visit www.sectigo.com.