If you’re like most people, you probably think of cyberattacks as something that only happens to large corporations or governments. Truth is, cybercriminals are increasingly targeting medical devices. Why? Because medical devices contain a wealth of sensitive data that can be used for identity theft, fraud, and other malicious activities including, but not limited to, ransomware attacks.
What’s more, medical devices are often connected to hospital networks, which means that a successful attack on a medical device can lead to the compromise of an entire network. In 2020, the University of Vermont (UVM) Medical Center was the target of a ransomware attack, resulting in employees being unable to use electronic health records (EHRs), payroll programs, and other vital digital tools for nearly a month.
In this blog post, we will explain what medical device penetration testing is, what cyber risks medical devices are facing, how a penetration test for medical devices can help improve security, and what cybersecurity best practices apply to medical devices. If you’re responsible for the security of medical devices, it’s important to understand the risks they face and how to protect them. Simulating various types of attacks on your devices through medical device penetration testing is an effective way to fix your vulnerabilities before an attacker exploits them.
What is medical device penetration testing?
Simulating an attack or performing a penetration test on your medical devices is trying to access them without proper authentication or to inject malicious code into it. The goal of penetration testing is not to damage your devices, but rather to identify its weaknesses that could be exploited by a real attacker.
Having a medical device penetration test performed can also help you meet compliance requirements, such as the following:
- The Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
- The Food and Drug Administration (FDA) guidance on cybersecurity for medical devices.
- The National Institute of Standards and Technology (NIST) 800-53 security controls for medical devices.
Penetration testing for medical devices is also considered a best practice by the National Institute of Standards and Technology (NIST). This best practice came as an imperative as medical devices are increasingly connected to the Internet and often share data with other devices, making them more vulnerable to attacks.
What cyber risks medical devices are facing?
Medical devices are facing several key cyber risks, including the following:
An injection attack is when malicious code is injected into a medical device to take control of it or steal data from it. This can be done through several methods, such as accessing the device without proper authentication or exploiting a vulnerability in the device’s software. Injecting malicious code into a medical device could result in the device malfunctioning or providing incorrect results, which could be deadly in some cases.
A data breach is when sensitive information, such as patient data, is accessed without authorization. This can happen if a medical device is hacked or if an employee accidentally exposes data. Data breaches can lead to identity theft, fraud, and other malicious activities. A recent report by the Ponemon Institute found that nearly 60% of healthcare organizations have experienced a data breach in the past year and that medical devices were the cause of nearly 30% of those breaches.
A DDoS attack, or Denial-of Service attack, is when an attacker prevents legitimate users from accessing a medical device. This can be done by flooding the device with requests or by taking it offline. Denial-of-service attacks can cause disruptions in care and may even result in death if critical medical devices are affected. In 2017, a hospital in the United Kingdom was forced to cancel surgeries and turn away patients after its medical devices were hit by a denial-of-service attack.
A Man-in-the-Middle attack is when an attacker intercepts communications between two parties. This can happen if a medical device is not properly configured or if the attacker has physical access to the device. Man-in-the-Middle (MITM) attacks can lead to data breaches, as well as disruptions in care. MITM attacks are among the main cyber risks associated with public Wi-Fi and private Wi-Fi networks as well. In 2016, a hospital in the United States was hit by a Man-in-the-Middle attack that resulted in the theft of patient data.
A ransomware attack is when an attacker encrypts data on a medical device and demands a ransom to decrypt it. This can happen if a medical device is not properly protected or if the attacker has physical access to the device. Ransomware attacks can lead to disruptions in care and may even result in death if critical medical devices are affected. According to an NCC Group report, ransomware attacks have increased by nearly 300% in 2021.
Some other risks that medical devices are facing include the following:
- Lack of security updates and patches.
- Insecure communications.
- Insufficient security controls.
- Use of default or weak passwords.
How can penetration testing help secure medical devices?
Penetration testing can help secure medical devices by identifying vulnerabilities that could be exploited. To protect medical devices from these risks, it is important to understand how they work and what vulnerabilities exist. A penetration test can help you do this by simulating an attack on your medical devices. This will allow you to see what steps need to be taken to mitigate the risks and protect your devices.
A penetration test can also help you secure your medical devices by identifying weaknesses in your security controls such as your policies, procedures, methods, action plans, and tools. These tools can include firewalls, surveillance or monitoring systems, and antivirus software, but also some of the best practices to help secure a website. By testing your controls, you can ensure that they are effective and can withstand an attack. Security controls are important because they can help you prevent, detect, and respond to attacks.
What cybersecurity best practices apply to medical devices?
Some of the best practices for securing medical devices include the following:
- Implementing strong access control measures.
- Encrypting data at rest and in transit.
- Applying security controls at all levels of the device lifecycle.
- Conducting regular security testing and monitoring.
- Reviewing and updating security policies and procedures regularly.
- Implementing strong physical security measures.
- Restricting access to medical devices to authorized personnel only.
- Disabling unused ports and features on medical devices.
- Configuring medical devices to log all activity.
By remediating your identified vulnerabilities and implementing these best practices, you can help to reduce the risk of a cyberattack and keep your medical devices more secure.
A cyberattack on any of your medical devices could have serious consequences for patients, namely disruptions in care and even result in the loss of patient data. It is therefore important to take the steps to secure your medical devices from cyberattacks. Medical device penetration testing is a critical step in ensuring the availability, confidentiality, and accessibility of your medical devices, and should be performed regularly.
Contact us if you need help securing your device security.