Connecting medical IoT devices such as infusion pumps to point-of-care medication systems and Electronic Health Records (EHRs) can help improve healthcare delivery processes. However, using a medical device’s connectivity capabilities can also create cybersecurity risk, which could lead to operational or safety risks. A medical IoT cyber risk IS a patient safety risk!
Biomed devices such as wireless infusion pumps are challenging to protect for several reasons. They can be infected by malware, which can cause them to malfunction or operate differently than originally intended, and traditional malware protection could negatively impact the biomed device’s ability to operate efficiently. In addition, several types of biomed devices contain a default maintenance passcode. If organizations do not change the default passcodes when provisioning, and do not periodically change the passcodes after devices are deployed, this creates a vulnerability. Furthermore, information stored in the biomed device must be properly secured, including data from drug library systems, PHI or PII.
Additionally, like other devices with operating systems and software that connect to a network, the biomed device ecosystem creates a large attack surface (i.e., the different points where an attacker could get into a system, and where they could exfiltrate data), primarily due to vulnerabilities in operating systems, subsystems, networks, or default configuration settings that allow for possible unauthorized access. Because many biomed devices can be accessed and programmed remotely through a healthcare facility’s network, such a vulnerability could be exploited to allow an unauthorized user to interfere with the biomed device’s function, harming a patient through incorrect drug dosing or the compromise of that patient’s PHI.
These risk factors are real, exposing the biomed device ecosystem to external attacks, compromise, or interference. Digital tampering, intentional or otherwise, with a biomed device ecosystem (e.g. the network, and data in and on the device) can expose an organization to critical risk factors, such as malicious actors; loss of data; a breach of PHI; loss of services; loss of health records; the potential for downtime; and damage to an organization’s reputation, productivity, and bottom-line revenue.
Complimentary! ecfirst and culinda, a medical IoT cybersecurity firm, have established a partnership with a focus on medical IoT cybersecurity. Talk to ecfirst about accurately identifying your medical IoT assets, threats, and vulnerabilities. Once the assessment is completed, you can apply security controls to the biomed devices to create a defense-in-depth solution that mitigates cybersecurity risks.
For a white paper on medical IoT cybersecurity, email Ali.Pabrai@ecfirst.com. Control your excitement!
Date: April 23, 2019