If you think that hackers can only infiltrate things like computers, servers, and phones, think again. If something is connected to a network, it can be hacked. This makes medical devices like MRI machines, insulin pumps, x-ray machines, and hundreds of other machines vulnerable to hacking. Imagine if a hacker gains control of a hospital’s network and stops devices from working until a ransom is paid. Medical device cyber breaches are one of the most frightening things that can happen to a healthcare organization, and unfortunately healthcare facilities aren’t doing a great job of securing them.
Security researcher Scott Erven told the DerbyCon security conference that some devices are so weak that patients can hack them themselves. He told of an incident in which two patients who were on morphine were able to hack their drips in order to increase the dosage.
"If you're on morphine and you can figure out how to hack your own pump" then medical device security clearly "isn't very good," Erven said.
While there is no 100% guarantee that medical devices are safe against hackers, there are ways to improve their security.
Update and patch current medical devices. If you already have medical devices that are connected to the network, they must be continually updated and patched in order to be protected against known vulnerabilities. This will help prevent data from being stolen from the device. Also, all devices must have a strong password that contains at least 10 characters, includes numbers, and includes special characters.
Be careful when buying new devices. Some device manufacturers don’t value cybersecurity while others do. Be sure to only buy devices that allow you to change the default password. Only purchase devices that give you the capability to install antivirus and anti-malware programs on them. Your healthcare IT professionals, whether they are on staff or outsourced, need to have access to the internal systems of a medical device.
Find your vulnerabilities. You need to get a complete network assessment from an experienced, qualified IT company. We do them for free (fill out the form to the right). During the network assessment, we will scan all devices for vulnerabilities and current malicious activity. We will see if your network is secure and we will tell you what needs to happen to make it more secure as well as more efficient.
Become HIPAA compliant. If you aren’t already HIPAA compliant as a healthcare organization you face thousands of dollars in fines and legal ramifications. It’s not an option. Your main area of concern will be the storage, access, and transmission of patient healthcare data. You will need a professional that has a lot of experience with HIPAA. Luckily, we do at catmandu. After we have helped you become fully compliant, each year you should do a full risk analysis to check for vulnerabilities, risks, and threats.
Reduce your attack surface. If you don’t need something connected to the network, don’t connect it to the network. It’s that simple. Also, be sure to limit both physical and logical access to all devices. Only allow the necessary staff members to use the device or access the data on it.