As medical devices become increasingly connected to the internet and, therefore, to the Internet of Things (IoT), Forrester Research said in a report that there are four types of attacks healthcare organizations need to be aware of, especially after coming off the worst year for data breaches in healthcare:
- Denial-of-service or ransomware attacks. Ranked by Forrester as a high-risk attack with a high likelihood of occurrence that often involves demands for ransom payment
- Therapy manipulation attacks. At medium risk of happening, this type of attack is when an attacker gains access to a connected medical device and can manipulate a patient’s treatment
- Patient data theft attacks. Using malware or a software exploit, an attacker can gain access to an EHR and steal patient data
- Asset damage attacks. When an attacker sets out to destroy or damage a medical device
Four healthcare IoT security action steps
Step 1: Categorize existing devices based on risk.
According to the Cambridge, Mass. research firm, there are five key factors that contribute to a connected medical device’s risk rating:
- Potential impact on patient safety
- Network connectivity
- Data sensitivity
- Likelihood of attack
- Vendor security service level agreement
Forrester recommends using healthcare industry assessment guidelines, standards and expertise.
Step 2: Implement a clinical risk management framework.
Forrester said this will also help healthcare organizations determine the risk levels of medical devices, mitigate and control the risk, and bring the risk exposure of the hospital network to acceptable levels. Forrester warned that following this framework is a major undertaking and requires a thorough review of day-to-day processes. Even so, it’s worthwhile, considering the serious implications of connected medical device risks.
Step 3: Follow basic security hygiene.
“Your first step toward reducing threats calls for a campaign to raise security awareness and change employee behavior,” the report said. “Use frequent, relevant, and engaging communication to ensure your workforce doesn’t miss security messages.”
Forrester added that another fundamental security control is reviewing and updating password policies.
Step 4: Apply a zero trust networking architecture.
- Acknowledge that your connected medical devices are vulnerable
- Monitor medical devices for infections
- Make sure manufacturers are aware of security risks
- Develop a detailed incident response and recovery plan