Here is a paragraph from a recent article, “Fears of hackers targeting US hospitals, medical devices for cyber-attacks”:
“The popular TV show “Homeland” included a scene where the president’s pacemaker was hacked, and [cybersecurity] researchers say that threat is very real. So much so, that former Vice President Dick Cheney revealed on CBS's "60 Minutes" in 2013 that he had the wireless capability on his pacemaker turned off.”
In today’s environment, where hospitals face significant cost pressures, it is challenging to allocate budget to adequately secure medical devices over other hospital priorities without a credible business case. A recent study by Ponemon Institute indicated that 59% of 262 healthcare provider respondents believe that “only a serious hacking incident of the medical devices would influence their organization to increase the budget to improve the security of medical devices in absence of new regulation.” Hopefully no one thinks we need any more reminders to raise awareness after the WannaCry and Petya ransomware attacks, which shut down more than 65 hospitals globally and impacted not only computers but also storage refrigerators and MRI machines.
The business justification for budget allocation here should be around patient safety. Do we really need to wait until someone, let alone a VIP/celebrity, is adversely impacted by an insecure medical device?
The infographic below highlights the potential patient safety risks from insecure medical devices:
Here is what we are wrestling with in our minds:
A patient goes to a hospital to improve her/his health. Shouldn’t the patient only have to think about her/his current health concern(s)? Having to think about whether the underlying medical devices are vulnerable to cyber-attacks feels burdensome.
How much awareness should patients and clinicians have about the potential risks from insecure medical devices and associated clinical networks? What role(s) can they play in ensuring cybersecurity? This is especially relevant when wearable devices or clinicians’ own mobile devices with clinical applications move between hospital networks and personal/home WiFi networks, for example, or have external open USB ports.
When certain hospitals know that up to 50% of medical devices have significant vulnerabilities, how do we help them secure budget to put adequate measures in place?
The graphic below demonstrates the severity of the patient safety concerns if vulnerabilities were exploited.
We recommend that everyone be aware, and make others aware, of the potential risks from insecure medical devices and clinical networks. Awareness is the first step towards building an appropriate preventive mechanism.
MediTechSafe has developed a proprietary solution to help hospitals manage risks related to their cybersecurity, medical devices and clinical networks. If you are a healthcare provider (or a biomed services provider) interested in learning more about the solution, you can reach us at firstname.lastname@example.org.