- Medical devices are increasingly facing cybersecurity threats, as explained by Patrick Maw, a cybersecurity expert in medical devices at the University College London Hospitals NHS Foundation Trust.
- A wide variety of medical equipment is now connected to healthcare networks, making it vulnerable to attack, especially if it runs on outdated operating systems or cannot support antivirus software or patches.
- To mitigate cyber risks, healthcare organisations need to implement firewalls, intrusion systems, and network segmentation. Outdated systems might require isolation.
- Regulatory compliance of medical devices is crucial in mitigating risks and ensuring functionality. However, regular recertification might be necessary following any changes.

According to Patrick Maw, cybersecurity threats facing medical devices have significantly increased due to the rise in the use of Internet of Things (IoT) technologies in the healthcare sector. A wide range of medical equipment, including infusion pumps, CT scanners, and mobile devices running medical apps, now connects to healthcare networks. Consequently, devices that run outdated operating systems or cannot support antivirus software or patches are vulnerable to cyberattacks.
The healthcare sector got a taste of these threats in 2017, when the WannaCry ransomware attack disrupted NHS trusts. Over 140 known hacking groups could potentially pose similar threats. Maw says patches for the Windows-based medical devices were received six months after WannaCry hit, and he hopes suppliers will be more prompt in the future.
Common attack vectors include phishing emails, malware infections, and targeted attacks on third-party software vendors to compromise supply chains. To balance connectivity and security, Maw suggests that healthcare organisations install network intrusion systems and firewalls, and implement network segmentation to create protected zones for medical devices. Devices that are too outdated to harden should be isolated.
Regulations on medical devices have evolved with technology, and it is essential for healthcare systems to adhere to these performance and safety standards, which vary based on the risk posed by the medical device. However, any change to regulated medical equipment may require recertification.
Increasing connectivity in medical systems is driven primarily by the need for comprehensive electronic health records. However, the shift to unified systems needs to go hand in hand with robust cybersecurity measures, to protect both the medical systems and the patient health data.