When it comes to medical device security risk, hospitals are largely in the dark. By deploying medical devices without a Software Bill of Materials (SBOM) and/or an MDS2, they have no good way to know their actual vulnerability to cyberattacks, at least not without a lot of manual effort.
In October, CISA (the Cybersecurity & Infrastructure Security Agency) released a cybersecurity advisory warning of an imminent cybercrime threat to healthcare providers. Since the warning was released, there has been a wave of cyberattacks on hospitals. In October alone, attacks on hospitals increased by 71%.
Some of these recent cyberattacks have ended up as national news, with the reporting of the aftermath focused on the immediate impacts on patient safety. For example, turning away patients due to compromised systems can have an immediate impact on the probability of survival for that patient. You can refer to our recent post on the Dusseldorf Hospital fatality for details. However, there are some less obvious, and longer-term, patient health impacts of these cyberattacks.
Take, for example, the cancer center that is part of the University of Vermont Medical Center, which suffered an attack in late October. Because their systems, including patient records, were unavailable, the clinicians were forced to turn away cancer patients. Without knowing the precise care regimen, and not wanting to work from memory, the clinicians had no other good option. Not receiving the needed treatments in the necessary timeframe will affect a patient's treatment outcome.
Cyberattacks targeting patient data systems, such as Electronic Health Records, cause on average 15 days of patient data system disruption. In some attacks, clinicians were without system access for much longer. For example, the Universal Health Services attack, which we summarized and posted recently, left hospital staff without access to patient data for more than three weeks.
While the healthcare industry will remain a primary target for hackers, with the global pandemic confounding the ability to respond, there are some actions that hospital security teams can take to provide some protection. The first step is to make sure all of your systems are properly maintained and patched. Of course, with medical devices this is not a straightforward exercise, and it requires security documentation from the vendor. Specifically, the vendor should be able to provide an MDS2 (Manufacturer Disclosure Statement for Medical Device Security) along with a Software Bill of Materials (SBOM) for their devices. Sometimes vendors make the MDS2 available on a website for download. In most cases, SBOMs have to be requested.
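To show concretely why an SBOM removes the "lot of manual effort" mentioned above, here is an added example (not code from the original post or from Vigilant Ops) that reads a CycloneDX-style SBOM for a device and cross-references its components against an advisory list to flag which ones need patching. The SBOM document, the advisory entries and the `EXAMPLE-ADV-*` identifiers are constructed placeholders, not a real device's inventory or real vulnerability IDs, and the version comparison is a simplified scheme chosen for the example (it splits versions into numeric and letter tokens so that suffixed releases like `1.0.2k` sort correctly).

```python
import json
import re
from typing import Any, Dict, List

# Constructed CycloneDX-style SBOM for a hypothetical device (sample data, not a real SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "infusion-pump-firmware", "version": "3.2.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.0.2k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "operating-system", "name": "embedded-linux", "version": "4.9"}
  ]
}
"""

# Constructed advisory feed. The ids are placeholders, not real CVE numbers.
# "affected_below" means every version older than the listed fix is affected.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-001", "component": "openssl", "affected_below": "1.0.2u", "severity": "high"},
    {"id": "EXAMPLE-ADV-002", "component": "zlib", "affected_below": "1.2.11", "severity": "medium"},
    {"id": "EXAMPLE-ADV-003", "component": "busybox", "affected_below": "1.31.0", "severity": "high"},
]


def version_key(version: str) -> tuple:
    """Turn '1.0.2k' into a comparable tuple: numbers compare numerically,
    letter suffixes compare alphabetically after the numbers they follow."""
    parts = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        parts.append((0, int(tok)) if tok.isdigit() else (1, tok.lower()))
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the version that carries the fix."""
    return version_key(installed) < version_key(fixed_in)


def find_affected(sbom_json: str, advisories: List[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Match every SBOM component against the advisory list and return the hits,
    so the patching question becomes a lookup instead of a manual audit."""
    sbom = json.loads(sbom_json)
    device = sbom.get("metadata", {}).get("component", {}).get("name", "unknown-device")
    # Index advisories by component name for a single pass over the SBOM.
    by_component: Dict[str, List[Dict[str, str]]] = {}
    for adv in advisories:
        by_component.setdefault(adv["component"].lower(), []).append(adv)

    hits: List[Dict[str, Any]] = []
    for comp in sbom.get("components", []):
        name, version = comp["name"].lower(), comp["version"]
        for adv in by_component.get(name, []):
            if is_affected(version, adv["affected_below"]):
                hits.append({
                    "device": device,
                    "component": name,
                    "installed": version,
                    "fixed_in": adv["affected_below"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return hits


def summarize(hits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count findings per severity for a quick risk overview."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["severity"]] = counts.get(h["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    findings = find_affected(SBOM_JSON, ADVISORIES)
    for f in findings:
        print(f"{f['device']}: {f['component']} {f['installed']} affected by "
              f"{f['advisory']} ({f['severity']}), fixed in {f['fixed_in']}")
    print("summary:", summarize(findings))
```

Running the block reports only the OpenSSL component: zlib is already at the fixed version, and busybox does not appear in the SBOM at all, which is exactly the kind of answer a hospital cannot get quickly when the vendor has supplied no component inventory. In practice the advisory list would come from a vulnerability feed rather than a hard-coded list, and the MDS2 supplies the complementary information (such as whether the device can be patched by the hospital at all) that the SBOM does not carry.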
In addition to obtaining the proper security documentation from your medical device vendors, also remember that Vigilant Ops is here to help protect your deployed medical devices, and we are available for a free cybersecurity consultation anytime. Please reach out using any of the contact information below.