Four Steps to Securing Your Medical Devices

Keep your medical devices safe from cyber attacks and social engineering. 

Read the white paper How to Secure Your Medical Devices.

Did you know attackers could gain access to your medical devices? I’m not talking about things like computers, but devices like MRI machines, dialysis machines, and medical ventilators. This leaves the criminals only a few steps away from access to your electronic medical records system. That’s when things start to get scary.

Attackers can even hijack these critical systems and hold them ransom. Imagine having someone threatening to shut down life supports in a hospital. Scary, right? This makes medical device security critical to your organization.

Unfortunately, many healthcare organizations aren’t properly securing their medical devices, leaving them open to cyber attacks.

SEE ALSO: SecurityMetrics Audit for SANS Top 20 Critical Security Controls for Cyber Defense

Why are medical devices vulnerable? 

There are a few problems in healthcare that lead to compromised medical devices. One problem is the issues with the device manufacturers.  According to the FDA, manufacturers are responsible for securing their devices through various measures (user authentication, strong password protection, physical locks, etc.).

Unfortunately some manufacturers may not take this responsibility seriously. Some limit their cyber security efforts due to time constraints or low budgets. For example, they may set a default password that can’t be changed in their device, making the manufacturing process easier, but also making the device more vulnerable.

As a result of manufacturers limiting cyber security options, the healthcare IT teams often don’t have access to a medical device’s system. This means they can’t install further security tools on these devices because most security tools don’t run within the medical device.

Another problem is the rise in social engineering and the lack of workforce training against it. Armed with the right credentials, a data thief can walk into a healthcare facility, gain access to a device, install malware or steal any information on that device, and walk out in a short amount of time without detection.

SEE ALSO: Social Engineering Training: What Your Employees Should Know

So how do you protect your medical devices?

Here are four steps to better secure your devices.

Tweet

1. Fix current medical devices

If you have networked medical devices, you may have some HIPAA violations. These devices are potentially vulnerable to leaking data. Make sure you update your devices regularly and patch any existing vulnerabilities. These updates may take time, so plan ahead.

You’ll also want to make sure each device has a secure password, which should contain a minimum of ten characters and have numeric, alphabetic, and special characters. Remember, the more difficult the password, the longer it will take for an attacker to break it.

SEE ALSO: How to Do Passwords Right: Password Management Best Practices

2. Revise your process

Consider buying medical devices only from vendors that value cybersecurity. Make sure you have devices where you can modify passwords.

Monitor physical access to medical devices. Also be sure to train your workforce against social engineering since that’s becoming a common way for hackers to compromise medical devices.

3.  Understand your security status

You need to know the weaknesses in your security, and it’s difficult to find them all on your own. Some additional services you may want to consider are:

• Internal and external vulnerability scans: automated testing for weaknesses in your network.
• Penetration tests: live, hands-on testing of your system’s weaknesses, inside and out. 
• Intrusion Detection Systems: a monitoring system that detects and reports malicious activity. 
• File Integrity Monitoring: a way of checking software, systems, and applications to warn of malicious activity. 

4. Implement HIPAA compliance 

Designate a HIPAA compliance officer or team member. Lay out their responsibilities, and train workforce members in HIPAA.

To protect your PHI, you need to know where it is. Here are some common places PHI data may be stored:

• EHR/ EMR systems
• Databases
• Reception desks
• Workstations
• Servers
• Laptops
• Email system
• Files shares
• Ticketing systems
• Mobile devices

You’ll want to conduct an annual HIPAA risk analysis to understand your organization’s vulnerabilities, risks, and threats. Identify your top weaknesses, and begin to resolve those issues.

Set some time aside to work on HIPAA compliance and security; keep it in the forefront of employees’ minds by holding regular training meetings.

SEE ALSO: Implementing HIPAA: A 12-Month HIPAA Plan to Get Compliant

Secure your devices

Today, we can’t afford to have vulnerable medical devices. Leaving these devices open to attack can cost you your data, your patients, and even your organization.

Making sure your medical devices are secure protects your PHI, your patients, and your organization from attackers. By following these four steps, you’re on your way to better protection and security.

For more information, read our white paper How to Secure Your Medical Devices.