By Leon Lerman, CEO and founder, Cynerio.
Data-driven medical care with connected devices is now the norm. Patient monitors, IV pumps, MRI machines, and infusion pumps all behave like computers, with the ability to monitor patient conditions in real time, share data and even automatically adjust dosages. Although all of these innovations are improving in-patient care, their ability to communicate over internal computer networks has introduced new vulnerabilities to cyber attacks.
The health risks are high. Hackers can infiltrate devices and tamper with doses or even make devices show false data, leading doctors to the wrong diagnosis. Attackers can also hold electronic medical records ransom, causing delays in procedures required to treat patients.
The invisible threat
The biggest obstacle to securing medical devices is the simple fact that many of them are hidden. Hospitals often don’t have full visibility into which medical devices they have, so they aren’t aware of all the vulnerabilities. You can’t tell if your MRI is insecure if you don’t keep a full inventory of all the medical devices, along with all the information necessary to assess their relative security risk.
Some hospitals rely on manual methods such as Excel spreadsheets to maintain an inventory of medical equipment. However, electronic files maintained by humans can’t keep pace with the growing number of devices and all the changes and updates that occur on an ongoing basis.
Often medical devices are added to the network without notifying security professionals or going through the necessary precautionary procedures. Many departments add equipment with the noble aim of improving patient care without notifying IT, since they are simply following the doctor’s orders and doctors are king. Something as simple as browsing for a local restaurant at a nurse’s station can put the hospital at risk if the computer isn’t adequately secured.