The first ransomware attack on a medical device was reported on a precision appliance during the 2017 WannaCry attacks. Since then, cybercriminals haven’t slowed down. Over the past 12 months, ransomware perpetrators have been relentless in their efforts to solicit payments from unsuspecting victims, even going as far as threatening to publish data if the ransom is not paid.
This new tactic, in addition to the emergence of newer and prolific ransomware variants like Ryuk and Sodinokibi, has proven to be successful, too. In Q4 2019, the average ransomware payment increased by 104 percent from the previous quarter. Healthcare organizations often find themselves in the crossfire, as cybercriminals know these companies will pay handsomely to have this information safely returned so they can care for patients and avoid having to pay a penalty for a HIPAA violation.
All of this presents new challenges to medical device companies, which often store loads of sensitive patient information and whose technology is used daily to deliver critical care. As these organizations gear up for another year of battling ever-evolving cyber threats, it will be critical that medical devices are designed with security in mind, that the facilities using them are adhering to security best practices, and that backups are also protected with the same level of tenacity as the rest of the IT environment.
Securing Medical Devices
Medical device companies must perform risk assessments of their solutions so they can issue patches for their systems, strengthen password security, and confirm data is being encrypted. Beyond that, they must constantly test devices to identify backdoors cybercriminals may be able to take advantage of. While these seem like basic best practices, many medical device providers still have a long way to go in making sure they’re taking these steps on a consistent basis, and many are now consulting security experts to help solve this problem. This is good progress, but more time and resources must be allocated toward matching the cybersecurity innovations of medical devices to that of cybercriminals.
Hospitals, healthcare centers, and clinics that use these devices often vary in their security processes and protocols as well. Bigger hospitals with robust IT teams will implement strong security, but smaller facilities that don’t have access to the same resources struggle to keep up with the pace at which cybercriminals are innovating their attack methods. This can leave medical devices open to a myriad of different threats, especially if staff haven’t received cyber awareness training and are falling into old security faux pas—like clicking links in phishing scams or using simple passwords—that have plagued organizations for years.
There are clearly several layers to this security challenge in that medical device providers not only need to test and design their solutions with security in mind, but healthcare providers must also proactively protect these devices from cybercrime. According to the 2019 HIMSS Cybersecurity Survey, just over 15% of significant security issues were initially started through either medical device problems in hospitals or vendor medical devices. Further, 33% of respondents reported they had embedded unsupported operating systems in medical devices—which is a huge no-no. To stop these attacks, there needs to be coordination between the two parties, and both need to stay on top of the latest emerging threats. Only in a shared responsibility model can patient data remain safe, and not adopting one can have fatal consequences. A recent study from Vanderbilt University’s Owen School of Management found that after data breaches, there are as many as 36 additional deaths per 10,000 heart attacks annually. So, it’s more important than ever before to make this a priority.
Why Data Backups Are Equally Important
While many medical device companies are shoring up their cybersecurity defenses, they must not forget to 1) implement backup, business continuity, and disaster recovery processes so they can recover data and systems when/if they do fall victim to an attack and to 2) make sure their backups are protected with the same level of intensity as the rest of the IT infrastructure. Not only have hackers started to publish data, but they’ve been routinely going after backups, as they know that medical device companies and healthcare providers will lean on them during recovery. If this data is unavailable, these organizations will be left with no option but to pay. To avoid having to shell out, IT teams at these organizations should integrate their cybersecurity plans with their data protection protocols by:
- Deploying signatureless anti-ransomware technologies that can detect both known and unknown malware to protect backups.
- Keeping data backups on separate devices and using offline storage where they can’t be reached by infected devices.
- Using the 3-2-1 rule, in which they would create three different copies of data, store them in two different locations, and make sure one of them is offsite. They should also use a system that allows them to create and store multiple versions of backups so if a copy of the backup has been infected, they’ll have a clean one to restore.
- Routinely testing backups to confirm data integrity and testing business continuity and disaster recovery processes to affirm they can be executed seamlessly. This includes testing both technology and people so the IT team has a holistic view of any potential problem areas within the remediation plan.
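The checks in the list above can be run against a backup inventory. The following Python is an added example, not code from the article; the `BackupCopy` record, the `audit` function and the sample inventory are hypothetical, and `restored` stands in for the bytes read back during a restore test.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class BackupCopy:
    dataset: str          # what was backed up
    location: str         # where this copy is stored
    offsite: bool         # held away from the primary site
    offline: bool         # unreachable from production devices
    version: int          # backup generation
    recorded_sha256: str  # digest logged when the backup was taken
    restored: bytes       # bytes read back during a restore test

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(copies):
    """Return {dataset: [findings]}; an empty list means every check passed."""
    report = {}
    for name in sorted({c.dataset for c in copies}):
        findings, good = [], []
        for c in (c for c in copies if c.dataset == name):
            # Only a copy whose restore matches its recorded digest counts.
            if digest(c.restored) == c.recorded_sha256:
                good.append(c)
            else:
                findings.append(f"integrity mismatch: {c.location} v{c.version}")
        if len(good) < 3:
            findings.append("fewer than three verified copies")
        if len({c.location for c in good}) < 2:
            findings.append("fewer than two locations")
        for flag in ("offsite", "offline"):
            if not any(getattr(c, flag) for c in good):
                findings.append(f"no {flag} copy")
        if len({c.version for c in good}) < 2:
            findings.append("only one clean version to restore from")
        report[name] = findings
    return report

# Constructed sample inventory (all names and contents are made up).
IMG1, IMG2, CFG = b"imaging archive gen 1", b"imaging archive gen 2", b"device config"
INVENTORY = [
    BackupCopy("imaging", "onsite-nas", False, False, 2, digest(IMG2), IMG2),
    BackupCopy("imaging", "cloud-vault", True, False, 2, digest(IMG2), IMG2),
    BackupCopy("imaging", "tape-vault", True, True, 1, digest(IMG1), IMG1),
    BackupCopy("device-config", "onsite-nas", False, False, 1, digest(CFG), CFG),
    # Restore no longer matches the recorded digest, e.g. encrypted in place.
    BackupCopy("device-config", "onsite-nas", False, False, 2, digest(CFG), b"\x8f\x02garbled"),
]
```

Calling `audit(INVENTORY)` returns no findings for `imaging` and six for `device-config`, whose only verified copy sits on a single reachable onsite device.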
Taking these steps can help restore systems with clean, uninfected data, which allows healthcare providers to return to their most important job—taking care of patients. As our world becomes more interconnected, we should expect cybercriminals to evolve their attack methods and look for new ways to collect ransom payments from victims. If medical device companies and healthcare providers continue to make security and data protection a priority, they can mitigate the chance they’ll fall victim to such attacks and reduce hackers’ ability to compromise critical data.