Orthopedics This Week

Internet Hackers Targeting Medical Devices

August 23, 2017

Source: Wikimedia Commons and wward0

A new poll by Deloitte & Touche found that more than one-third (35.6 percent) of healthcare IT professionals say they have had a medical device hacked by cybercriminals in the past year.

The survey asked IT professionals about their Internet of Things-connected medical device ecosystem. Typically vulnerable devices are:

  • Implantables which communicate with other devices
  • Implantables with high-bandwidth wireless links
  • Neurostimulators
  • Pacemakers
  • Implantable pumps
  • Implantable spine stimulators
  • Diagnostic devices
  • Imaging systems
  • Interconnected capital equipment

According to the Deloitte poll, identifying and mitigating the risks of fielded and legacy connected devices presents the industry’s biggest cybersecurity challenge (30.1 percent of poll respondents).

Russell Jones, Deloitte’s Risk and Financial Advisory partner, explains why this has become such an urgent issue: “Legacy devices can have outdated operating systems and may be on hospital networks without proper security controls. Connected device cybersecurity can start in the early stages of new device development, and should extend throughout the product’s entire lifecycle; but even this can lead to a more challenging procurement process. There is no magic bullet solution.”

The Poll’s Result in PowerPoint

[Images: four slides showing the poll’s results]
Courtesy of Deloitte & Touche

Three Recommendations

Scott Read, a principal in Deloitte’s Risk and Financial Advisory group, pointed out that these issues are only going to grow in urgency if hospitals and clinics don’t start addressing them now.

“As regulatory, litigation, and internal investigation activities start to focus on post-market cybersecurity management, leading organizations are taking a more forensic approach to discerning the timeline and size of cyber incidents so the impact to intellectual property, client data and other areas can be addressed more quickly. Forensic analyses responding to regulator, litigant, or whistleblower concerns may even help predict the next moves of cyberattackers.”

The strategy? A three-level, layered approach:

  • Implement a document hierarchy. Formalize, organize, and structure medical device cybersecurity activities and governance to ensure patient safety and respond more quickly to regulators, legal matters, or internal investigations. Beyond the typical education and training standards and operating procedures, these hierarchies should also include work instructions and templates for each unique device that map to each component of the product security program. Documentation of quality management system (QMS) protocols and procedures should also be centralized and regularly updated.
  • Conduct annual—at minimum—product security risk assessments. Treat cybersecurity risk assessment procedures as ongoing, iterative processes that are repeated at least annually and when business changes occur, such as supplier changes, acquisitions, or divestitures. They’re utilized throughout the entire lifecycle of connected medical devices—including their related apps—to identify cybersecurity threats that often fall outside of what minimum medical device security requirements address.
  • Take a forensic approach to incident response. Establish the incident timeline, detect anomalous behavior, and figure out what data was accessed and exposed. Forensic analysis can help your organization uncover facts as well as assist in determining what future actions you need to take in your response and remediation.

The Poll’s Methodology

Deloitte polled more than 370 professionals whose organizations operate in the medical device/IoT ecosystem during a May 23, 2017 webcast titled, “Medical devices and the Internet of Things: A three-layer defense against cyber threats”.

Responding firms included medical device or component manufacturers (31 percent); health care IT organizations (i.e., mobile app/software developers; 22 percent); medical device users (i.e., health care providers, device monitoring; 36 percent); and regulators (10 percent).

Discussion

14
Dr. Sarah Mitchell, Orthopedic Surgeon · Mayo Clinic

This is a fascinating development. In my practice we've seen similar outcomes with the revised protocol. The key differentiator seems to be patient selection criteria. Has anyone else noticed the correlation with BMI thresholds?

8
James Thornton, MD, Spine Fellow · HSS

Great point. I'd push back slightly on the conclusion, the sample size in the cited study is too small to draw population-level inferences. That said, the directional signal is compelling and worth a larger RCT.

5
R. Patel, Sports Medicine · Stanford

We implemented a similar approach last year. Early results are promising but we're still gathering 12-month follow-up data. Happy to share our protocol if anyone is interested.

The most trusted source in orthopedic industry news since 2005. Covering spine, joints, trauma, biologics, and the business of orthopedics.

A publication of RRY Publications, LLC
