Connected medical devices pose significant cybersecurity risk for hospitals

Connected medical devices pose a far greater cybersecurity risk in hospital networks

Unlike business systems, hospital networks have been designed to facilitate ease of access from different networks, which exposes them to a far greater cybersecurity risk, according to the International Electrotechnical Commission (IEC). The COVID-19 pandemic has driven a rise in connected medical devices across hospital networks, accelerating the convergence of the once separate domains of IT and operational technology (OT).

In an IT environment, a cybersecurity strategy aims to protect the confidentiality, integrity and availability (CIA) of information systems, IEC said in a post on Monday. For IT-led organizations, one of the first lines of defense during an incident is to shut the affected system down. Hospitals using life-saving medical devices do not have that option: those devices must run permanently to ensure patient safety, and they need to be able to communicate freely throughout the hospital.

In the converged IT/OT environment that connected medical devices create, the strategy shifts to protecting the safety, integrity, availability and confidentiality (SIAC) of a range of traffic, from life-critical patient data requiring immediate delivery and response to general administrative data. Hospitals, like other critical systems, place greater emphasis on availability, IEC said.

IEC International Standards, such as ISO/IEC 27001, IEC 80001 and IEC 62443, support the testing and certification of a holistic cybersecurity program that covers people, processes and technology. Such an approach increases stakeholder confidence by demonstrating that security measures are based on best practices and that organizations have implemented them efficiently and effectively.

The IEC 80001 standard addresses how medical devices can be connected to IT networks to achieve interoperability without compromising the organization and delivery of health care. It deals with safety, effectiveness and security in the implementation and use of connected medical devices and connected health software.

The newly updated cybersecurity standard IEC 80001-1 defines the roles, responsibilities and activities necessary for the risk management of IT networks incorporating medical devices, while addressing safety, effectiveness, and data and system security.

The standard is scoped to healthcare organizations, manufacturers of medical devices and providers of other information technology. It specifies general requirements for organizations applying risk management before, during and after the connection of a health IT system to a health IT infrastructure, addressing the properties of safety, effectiveness and security while engaging the appropriate stakeholders.

The ability to compromise devices and networks and the possibility of monetizing patient data have led to an increase in the number and sophistication of cyberattacks targeting healthcare delivery organizations in recent years, according to data released by Forescout Research Labs in its 2020 research report.

Based on its research, Forescout recommended that healthcare delivery organizations (HDOs), which include hospitals and clinics, adopt best practices to reduce security and operational risk in healthcare networks. Its analysis reveals that while HDOs have taken some meaningful steps to better secure their connected devices and networks, several cybersecurity gaps and risks still need to be addressed.

HDOs will have to contend with medical devices running legacy operating systems for the foreseeable future, so it is imperative to identify and mitigate this risk, Forescout added. HDOs are complex organizations where a range of IT, Internet of Medical Things (IoMT), OT and Internet of Things (IoT) devices are increasingly interconnected.
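The identification step the Forescout recommendation calls for is, in practice, an inventory check: compare each device's operating system against vendor end-of-support dates and decide, per device class, whether the answer is "patch" or "isolate". The script below is an added example written for this page, not code from the article, IEC or Forescout. The inventory, hostnames and VLAN numbers are constructed, and the end-of-support table is an assumption for the example that should be checked against vendor lifecycle notices before use. Its one non-obvious design point follows the article's argument about availability: a life-critical device on an end-of-life OS gets compensating controls (segmentation, allow-listed peers, monitoring) rather than a reboot-and-patch action, because it cannot simply be taken offline.

```python
"""Flag medical devices on end-of-support operating systems from an asset inventory.

Added example; not code from the article, IEC or Forescout. The inventory is
constructed, and END_OF_SUPPORT holds assumed dates that must be verified against
vendor lifecycle notices before any real use.
"""
from dataclasses import dataclass
from datetime import date

# Assumed vendor end-of-support dates (example table; verify against vendor notices).
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows 10": date(2025, 10, 14),
}

# Device classes whose availability is patient-safety relevant. These cannot be
# rebooted into a patch window, so an EOL finding leads to compensating controls.
LIFE_CRITICAL = {"infusion_pump", "ventilator", "patient_monitor"}

# Fixed assessment date so the example is reproducible (hypothetical).
ASSESSMENT_DATE = date(2021, 3, 1)


@dataclass
class Device:
    hostname: str
    device_class: str
    os_name: str
    vlan: int


@dataclass
class Finding:
    hostname: str
    os_name: str
    status: str            # "eol", "supported" or "unknown_os"
    days_unsupported: int  # 0 unless status == "eol"
    action: str


def assess(device: Device, today: date) -> Finding:
    """Classify one device and choose an action appropriate to its device class."""
    eol = END_OF_SUPPORT.get(device.os_name)
    if eol is None:
        # An OS we cannot place in a lifecycle is itself a finding: fingerprint it.
        return Finding(device.hostname, device.os_name, "unknown_os", 0,
                       "fingerprint OS and add it to the lifecycle table")
    if today < eol:
        return Finding(device.hostname, device.os_name, "supported", 0, "keep patched")
    days = (today - eol).days
    if device.device_class in LIFE_CRITICAL:
        # Availability first: isolate and watch the device rather than take it down.
        return Finding(device.hostname, device.os_name, "eol", days,
                       "isolate on clinical VLAN; allow-list peers; monitor; plan vendor upgrade")
    return Finding(device.hostname, device.os_name, "eol", days, "upgrade or decommission")


def assess_inventory(devices, today=ASSESSMENT_DATE):
    """Run the assessment over a whole inventory, worst (oldest EOL) first."""
    findings = [assess(d, today) for d in devices]
    return sorted(findings, key=lambda f: -f.days_unsupported)


def summarize(findings):
    """Count findings by status so the gap can be tracked over time."""
    counts = {"eol": 0, "supported": 0, "unknown_os": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory (hypothetical hostnames, classes and VLANs).
SAMPLE_INVENTORY = [
    Device("pump-icu-01", "infusion_pump", "Windows XP", 210),
    Device("vent-icu-03", "ventilator", "Windows 7", 210),
    Device("mri-console-1", "imaging_console", "Windows 7", 220),
    Device("nurse-station-4", "workstation", "Windows 10", 100),
    Device("pacs-gw-2", "gateway", "VxWorks 6.9", 220),
]

if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.hostname:16} {f.os_name:24} {f.status:10} {f.days_unsupported:5}  {f.action}")
    print(summarize(results))
```

Run against the sample inventory on the assumed assessment date, three devices come back as end-of-life, one as supported and one with an OS the table does not know; the two ICU devices get the isolation action and the imaging console the upgrade action. The unknown-OS bucket is deliberate: in a real HDO inventory it is usually larger than the EOL bucket, and it is where the embedded IoMT devices hide.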

Heavy industrials face unique cybersecurity challenges, given their distributed, decentralized governance structures and large OT environments, which do not lend themselves readily to traditional cybersecurity controls, McKinsey said in its 2019 report ‘Critical infrastructure companies and the global cybersecurity threat’.

Furthermore, “many heavy industrials have invested in becoming cyber mature, as have other at-risk industries, such as financial services and healthcare. The investment gap has left most heavy industrials insufficiently prepared for the mounting threats,” the analyst firm added.

“From the early days of COVID-19 to the current rollout of the vaccine, we’ve seen healthcare professionals form the backbone of the global response to this pandemic, and crucially, hold up a standard of excellence no matter what challenges they’ve faced – whether that’s increasing cyberattacks, limited resources, or a rapid shift to remote care,” wrote Jonathan Langer, CEO and co-founder of Medigate, in a blog post earlier this year.

Earlier this month, the ISA Global Cybersecurity Alliance (ISAGCA) recommended that global policies intended to improve critical infrastructure cybersecurity this year include the ISA/IEC 62443 series of cybersecurity standards, and that a fully detailed, auditable cross-referencing guide be published mapping the ISA/IEC 62443 standards to other cybersecurity standards across multiple industries.
