A vulnerability in medical infusion pumps could have cost the lives of countless patients recently. Time to boost medical technology hypervigilance!

In Q2 of this year, healthcare was one of the most targeted sectors for cloud threats, second only to financial services, according to the data of McAfee Enterprise.

By holding the keys to a treasure trove of patient data, the healthcare sector has long been a prime target for cybercriminals. However, rapid adoption of Internet of Things (IoT) devices and the rise of supply chain hacks in recent years have tipped the scales ever so slightly in the favor of cybercriminals.

With each smart device and every stakeholder across the value chain serving as potential entry points for hackers, the extensive digital network in the modern healthcare industry has created a cybersecurity challenge that is growing ever more complex and precarious.

Cutting down supply chain risks in healthcare

In the healthcare industry, cybercriminals prey on potential weak links such as entry points to a supplier’s network, an outdated firmware or mobile app, in order to make their way through the supply chain.

Recently, for instance, the personal details of over 400,000 patients in Singapore were stolen due to a security breach in the third-party vendor of a private healthcare group. The country also saw one of its worst cyberattack unfold in 2018, where 1.5 million patients had their personal details leaked. Investigations later revealed that the healthcare organization in question had been “overly dependent” on its IT vendor, and both parties were eventually dealt a combined financial penalty of S$1m.

Notably, healthcare organizations can still be held accountable for data breaches that are traced back to third-party vendors. Therefore, to cut down supply chain risks, healthcare organizations need to scrutinize the cybersecurity controls their vendors and suppliers implement. Clearly, their ecosystem must evolve alongside new cyber threats, moving from a culture of complacency to one of ‘hypervigilance’.

Networked medical devices: double-edged swords

The accelerated adoption of smart technology has left organizations (healthcare organizations included) highly vulnerable to cyberattacks. Networked medical devices have the potential to transform a patient’s life but can also endanger patient privacy and threaten their safety.

For instance, McAfee teams recently discovered critical vulnerabilities in medical infusion pumps that could be maliciously exploited to deliver potentially lethal doses of medication to patients.

One of the key challenges to securing medical devices is that advances in digital healthcare often happen at a much slower pace than other technologies due to the rigorous design and approval processes mandated. Cleaning up the security systems of medical devices is also a lot more challenging.

It is therefore not surprising that many devices, much like the industrial control systems industry, tend to run legacy operating systems and are rarely updated in a timely fashion. Furthermore, such legacy devices could even be using obsolete operating systems no longer protected by the latest security patches.

More strategies for cyber healthcare

Tightening healthcare industry hypervigilance of cyber risks has to be a whole-of-industry effort by diverse stakeholders including government agencies, manufacturers, healthcare institutions and users of medical devices. In addition:

  • Establishing a collective cybersecurity consciousness in the healthcare industry is the responsibility of every individual across the entire value chain.
  • Internet access for all employees must be strictly controlled and monitored, and accessed via a virtual browser, web application firewall and related internet surfing separation technologies.
  • Manufacturers of medical devices must take effective cybersecurity strategies to address all risks, starting from developing medical devices with robust in-built security features to actively addressing new vulnerabilities immediately.
  • Hospitals and healthcare systems should also consider replacing ageing medical technology devices and ensure that the operating software of all smart devices is regularly updated.
  • With the changing nature of networks and increasing sophistication of cyber threats, the zero trust model must prevail across the entire healthcare supply chain.

Planning ahead for emergency cyber resilience

In today’s rapidly evolving threat environment, security vulnerabilities in the healthcare sector pose significant threats to the privacy and well-being of patients. The severity of a cyberattack must not be underestimated, and medical institutions that remain complacent will put themselves at risk of not only reputational damage, but also significant financial losses.

More can and must be done to secure critical healthcare data and integrated care systems. With no easy or convenient solutions to be found, stakeholders across the healthcare value chain will need to work together to put cyber hygiene as a priority in their day-to-day operations.