The Hidden Crisis Within Today’s Healthcare Crisis

The healthcare crisis of today (or, perhaps more accurately, of the past two years) has been never-ending waves of COVID-19 variants. From “Alpha” starting in 2019 to the current “Omicron” and “BA.2” mutations, our hospital systems have been stretched to the breaking point. This crisis has forced administrators to deal with huge patient volumes, staffing and resource shortages, implementation of new vaccine protocols, and the like.

Unfortunately, this is not the only crisis that healthcare systems face. The new year brought news that “more than half of the connected medical devices in hospitals reportedly pose security threats due to critical vulnerabilities that could potentially compromise patient care.” This “Hidden Crisis” associated with hospital cybersecurity started well before COVID-19 and, unlike COVID-19, whose threats appear to be diminishing, the healthcare cybersecurity crisis seems to be gaining in both scope and severity.

Like COVID-19, cybersecurity attacks are invisible. Yet, unlike COVID-19, cybersecurity attacks can be latent for months or even years before hackers launch a zero-day onslaught against healthcare systems. IT administrators, the guardians against hospital cyber-attacks, often don’t know what they don’t know. Administrators typically become aware of their vulnerabilities only after a breach has been detected, and then they focus on solving the problems they see, not the latent ones brewing in the background. It would likely be a revelation to them, or at least an unwelcome reminder, that last month’s security report revealed that 73 percent of infusion (IV) pumps, which represent almost 40 percent of a hospital’s IoT devices, have some type of vulnerability.

IV pumps are only one of several types of “legacy” medical devices, including MRIs and ventilators, that are responsible for most hospital cybersecurity attacks. This equipment was not built with security in mind and has typically been connected to networks with minimal protections built in.  Their collective threat surface is a huge welcome mat for hackers who can compromise patient safety and launch zero-day attacks against hospital operations.

Legacy medical devices running on vulnerable networks can sometimes be protected by installing intermediate Ethernet gateways, a shield of sorts, to maximize the usable life of the device while still protecting it from network-injected malware. Newer connected medical devices, and especially those that can be controlled by smartphones, have their own set of challenges. Rather than depending on vulnerable mobile operating system security, all system communications for these devices must be protected at the application layer. Each system element must be trusted using authentication. And the connectivity channels between smartphone apps, IoT devices and the cloud must be secured and always available. While this may sound complicated, it can easily be accomplished using a modular, multi-layered approach that adds only a few cents per unit in incremental cost.

As this month’s report highlighted, healthcare is a top target for cyberattacks. The risks have escalated and range from ransomware attacks that interrupt a hospital’s COVID-19 case rate reporting to cybercriminals who compromise the normal operation of IV pumps or want to take over a smartphone-controlled Continuous Glucose Monitor (CGM) or insulin pump. Thirdwayv offers easy-to-implement solutions across the full range of attack scenarios, protecting healthcare organizations and their patients against existing threats while enabling them to stay ahead of new ones.
