March 31, 2022
Consider the following healthcare telerobotics scenario:
A woman collapses at the family dinner table from a stroke. Emergency medical technicians arrive, place the woman in an ambulance and begin assessing and monitoring her condition as they speed to the nearest hospital.
At the hospital, the woman is admitted to the ER and assigned an RFID wristband. Doctors and nurses perform triage and quickly discern that the stroke patient is a candidate for the hospital’s remote-controlled robotic surgical device. They contact a neurosurgeon at one of the hospital’s remote sites and prep the woman for surgery.
The neurosurgeon, seated at a console in the distant location, with a high-resolution 3D image of the surgical field in the hospital operating room, remotely commands the robotic device and successfully clears the arterial blockage that caused the woman’s stroke.
While not yet mainstream, this type of telerobotic surgery represents only one slice of increasingly internet-connected patient care. The healthcare value chain is much larger. For example, in the fictitious scenario above, connected devices and technologies in a variety of transportation, building, IT and medical systems intersect in the patient’s care. Along with the wireless technology and systems that enable the robotic surgical device, medical telemetry and hospital communications are transmitted from the ambulance, building management and location systems activate upon entering the hospital and back-office systems process the patient’s admission. Plus, many Internet of Things (IoT)-connected devices control systems throughout the hospital, such as lighting, heating and cooling.
Indeed, a single hospital network comprises hundreds, or more often thousands, of connected devices. The potential for critical security vulnerabilities in these devices is immense, and every member of the healthcare value chain may be impacted.
Increasing attack surface
Healthcare organizations are particularly vulnerable to cyberattacks like ransomware and malware because they house patient personal and financial information that cyber thieves will pay a premium for on the dark web. 2020 saw one of the largest hospital cyberattacks in the U.S. when a ransomware demand shut down phone and patient care systems at all 400 Universal Health Services hospitals and clinics. Online systems were locked down, surgeries postponed and emergency patients rerouted to other hospitals. After a month offline, IT systems were finally restored. The healthcare giant suffered about $67 million (USD) in lost revenue.
Cyber thieves prey on hospitals with obsolete IT systems, legacy hardware and software, and medical devices with weak or no security protection. As in all other industries, thieves also seek unpatched software.
While connected medical and IoT devices can revolutionize patient care, they greatly expand the attack surface for bad actors. According to a 2022 report from Cynerio, an IoT attack detection and remediation solution provider, 53% of connected medical and other IoT devices in hospitals have a known critical vulnerability that, if attacked, will impact patient safety, service availability or data confidentiality.
Healthcare facilities rely heavily on third-party services, further exposing them to supply chain vulnerabilities. Visibility into the cybersecurity practices of third-party vendors can be limited, and actively monitoring and assessing those practices often goes unprioritized. In its 2021 report on the state of healthcare privacy and security, the cybersecurity consulting firm CynergisTek found that 76% of healthcare systems failed in securing their supply chains. The consulting firm measured the systems against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF).
Framework for cybersecurity quality
Regulators such as the U.S. Food and Drug Administration (FDA) mandate that medical device manufacturers maintain some form of a quality management system (QMS), a requirement that many other members of the healthcare value chain do not face. In every industry, connected device cybersecurity should be viewed as a function of quality. Cybersecurity needs to be assessed and managed at every stage of the device life cycle — from design and development to implementation and ongoing monitoring in the field.
If your connected device contains third-party components, it’s up to you to inquire about the security posture of your suppliers. Additionally, protecting and monitoring firmware should be integral to securing your connected device.
Whatever your role in the healthcare value chain, security platforms such as UL’s SafeCyber can help you enhance the security and compliance posture of your connected device. These platforms can help you analyze cybersecurity strengths and challenges to better manage risks and minimize vulnerabilities, and help monitor firms’ conformity to current cybersecurity legislation and best practices.
The future of connected healthcare depends on solid, holistic device security throughout the healthcare value chain. By embracing comprehensive cybersecurity practices and strengthening your security posture, you can increase patient safety and, potentially, improve patient outcomes.