
How are hospitals with vulnerable connected devices rethinking their cybersecurity strategy?

Vulnerable devices could provide doorways into hospital networks, breaching confidentiality or locking up the system entirely.


Hospital devices are loaded with features to make them more user-friendly, increase safety and better monitor patients, but they’re also potential security risks. As cyberattacks multiply, hospitals, government agencies and manufacturers are taking a long, hard look at security. But how vulnerable are these connected devices?

“If we knew the answer to that, we would know what to do,” said Patrick Schaumont, professor in the Bradley Department of Electrical and Computer Engineering at Virginia Tech, in a phone interview. “With the features being designed into these devices, security isn’t always integrated from the start. I think one of the hard problems we are facing is understanding all the risks that result from interconnecting everything.”

Interconnectivity offers advantages for patients and hospital staff, but it also boosts complexity and risk. Networking protocols, wireless standards, data encryption and other software may require occasional updates.

“You get many more features because you have software in the loop,” said Schaumont. “But because it’s software and has potential for security flaws, your system becomes that much more vulnerable.”

The consequences are manifold. Vulnerable devices could provide doorways into hospital networks, breaching confidentiality or locking up the system entirely. In addition, an insecure system is potentially an untrustworthy one.

“For devices, you rely on the data they provide,” said Schaumont. “Once you have the uncertainty of security risks — the device crashes or the data is corrupted — it’s not only the software that is being corrupted, it’s the whole system.”

These are the risks that keep hospital IT people up at night. Their mission can be summed up with the acronym CIA — confidentiality, integrity, availability — but the bottom line is patient safety.

“IT is the underlying infrastructure that supports almost every patient care service,” said Jeanie Larson, chief information security officer at UC Davis Medical Center, in a phone interview. “Imaging, diagnostics, everything is done that way. You can’t build any electronic system that has a computer logic chip that is not hackable.”

The key to survival is taking a comprehensive approach: network firewalls, intrusion detection systems and aggressive patching schedules.

“The way hospitals do business is workflow,” said Larson. “You can take something that’s secure and put it in an insecure workflow, and it’s at risk. We have a layered line of defense. We separate critical life systems from other systems. If something does get in, at least they’re isolated as much as we can isolate them.”

Devices pose a particular challenge because they have embedded systems that can be labor-intensive to patch. Until recently, manufacturers were also concerned software updates might invalidate their FDA approval.

“The FDA released guidance for device manufacturers: You will patch these and do the postmarket care and feeding or enable that to occur,” said Larson. “Prior to that, it was difficult to get vendors to release patches.”

In addition to the FDA, organizations like the National Health Information Sharing and Analysis Center and the Medical Device Innovation, Safety and Security Consortium are working with hospitals and device makers to head off the next attack. The challenge is ongoing.

“It’s like an arms race,” said Larson. “They’re deploying this new technique, and we have to deploy a new defense measure.”
