The incredible advancements that have turned what were once standalone pieces of medical equipment into IoT devices do enable better care for patients, but at the same time open these devices up to cyberattacks, warned the National Institute of Standards and Technology (NIST), working with the National Cybersecurity Center of Excellence (NCCoE), in a new report.
While the report, "Securing Wireless Infusion Pumps," focuses on a specific piece of gear, it also contains lessons and tips that can help protect what it calls Internet of Medical Things (IoMT) devices. The threats facing infusion pumps and the galaxy of IoMT products includes unauthorized access to protected health information (PHI), changes to prescribed drug doses, and interference with a pump's function, the report stated.
To counter the problem specifically with the pumps, the NCCoE has developed "NIST Special Publication 1800-8: Securing Wireless Infusion Pumps," by using standards-based, commercially available technologies and industry best practices to help healthcare delivers strengthen the security of the wireless infusion pump ecosystem within health care facilities.
The NIST publication covers how to secure against a variety of cyberattacks, including those specifically targeted against the device, APT intrusions, DoS and DDoS and malware, as well as unintentional insider threats.
It also looked at some of the inherent vulnerabilities that come with operating this type of equipment, such as not updating devices with security patches, lack of encryption of private/sensitive data at rest or upon transmission, hard-coded or factory-set login credentials, allowing unauthorized changes or device calibrations, insufficient data backup, lack of capability to de-identify private/sensitive data, lack of data validation, using removable storage devices and media, and lack of physical tamper detection.
NIST and the NCCoE recommended healthcare organizations take several immediate steps to help alleviate the problem. The first is to form a Medical Device Security Committee composed of staff members from biomedical services, IT, and infosec departments that would report to the C-suite. The committee would manage security for all network-connected devices and be responsible for maintenance during the devices' lifetimes, including keeping the software patches up to date. Finally, creating and separating from the IT office a formal cybersecurity department that will report to a CISO, not to the CIO.
Another step is to ensure such devices are stored in a secure space when not in use and only allow personnel with a valid need to have access to this area. The equipment should be included in a comprehensive inventory that is actively managed, and hospitals should consider using RFID or real-time location systems to keep tabs on everything.
The last step would be to create a cybersecurity response plan that includes medical devices and makes certain WPA2 and not WEP encryption is used.
This guidance is arriving just at the right time as more cybercriminals are targeting IoT devices, said Bugcrowd CTO Casey Ellis.
“Trendwise, these people are turning their attention to IoT, ranging from consumer products to medical to automotive,” he said, adding that he expects a ransomware component to be involved in future attacks.
The return on investment of such an attack that would hold a critical medical device hostage is clear, Ellis said, noting that the decision to pay a small ransom to regain use of a lifesaving device or even a home's thermostat would be an easy one for the caregiver to make.
