Taking greater cybersecurity measures to protect medical devices is more important now than ever. For more than a decade, healthcare has been the largest target for data breaches. Breaches of data in a healthcare setting can have severe implications, as patients’ lives can be in danger from outdated and unprotected medical devices. For example, if computed tomography (CT) or magnetic resonance imaging (MRI) equipment is tampered with, it could result in incorrect diagnoses or even incorrect or unnecessary medical procedures.
The American Hospital Association’s senior advisor for cybersecurity and risk recently stated that many medical devices used in hospitals today are legacy devices. These older medical devices are at a higher risk of ransomware attacks and rely on systems that no longer support security patches and updates. Such devices were not built with security in mind, which leads them to be more vulnerable. In fact, medical devices see an average of 6.2 vulnerabilities for each device, and many critical devices such as pacemakers and insulin pumps have been recalled by the US Food and Drug Administration (FDA) because of security issues. In addition, more than 40% of medical devices are too outdated for security updates or patches, while 83% of medical imaging devices are legacy systems that are too outdated to update.
Given that experts are aware that healthcare data is the most commonly breached data type, there should be an effort to combat this security risk. There needs to be a greater understanding of where the threats are coming from and how to stop them. In addition, the knowledge that many of the most critical devices are legacy devices and too old to update is concerning. The ability to update a device could be crucial to ensuring cybersecurity. As such, one way to reduce data breaches in healthcare could be to invest in newer devices.
As well as understanding how these data breaches are possible, it is helpful to know where they are coming from. Last year, the Healthcare Information and Management Systems Society conducted a survey that discovered a total of 89% of initial compromises in hospitals occurred via email, while 57% of cyberattacks in healthcare began through trusted insiders.
In addition to providing hospitals with new devices that can receive security updates, another idea is to use predictive technology such as ‘breach likelihood’, which is available in other fields and would provide the probability and consequences of a breach happening based on a device. This kind of technology may provide visibility, which is especially necessary among the legacy medical devices