min reading time
Cybersecurity professionals have been alarming the healthcare industry about the threat of exploitation of smart healthcare devices and the doctors’ over-dependence on them until sadly, their warnings became reality, and a person lost her life in a ransomware attack in a German hospital last year.
How the ransomware paralyzed the Duesseldorf University Hospital?
According to the official reports, the internal system of the hospital crashed gradually. First, the hospital staff couldn’t access the data of the hospitalized, then, they got to a point where they couldn’t even perform life-saving operations due to the lack of necessary data and the availability of smart equipment.
Additionally, readers could follow the unfortunate events of the WannaCry cyberattack in 2017 via media, which shut down major healthcare systems, like the NHS in the United Kingdom. Luckily no deaths occurred due to the attack, though it drew the attention of healthcare professionals and smart device creators to the main underlying issue.
Are we threatened by the cybersecurity issues of healthcare devices in any other way?
From patient records and lab results, radiology equipment, hospital elevators to personal wearable tracking devices and mobile applications, healthcare professionals, and individual tech users are increasingly reliant on smart devices that are connected to the Internet. Even though this interdependence facilitates easy data access, data sharing, or user/patient engagement, it contains the risk of data theft, malicious data alteration, denial of access to crucial data, or blackmailing.
In early 2019, researchers in Israel announced that they’ve created a virus that is capable of adding malicious tumors into CT and MRI scans, which proves to be a powerful weapon in order to trick doctors into misdiagnosing their patients.
Talking about wearable tracking devices and applications: they also pose a growing security risk, as their measurement system and statistics become more subtle and real-time. Sadly, these devices are not an exception to vulnerability exploitations. “When you’re looking at the ‘brain’ of one of these devices, if the software isn’t designed to protect itself and it’s not designed without design flaws and without vulnerabilities and implementation bugs in it — which we’ve seen — then it will be attacked,” said Gary McGraw, CTO of software firm Cigital.
How can we avoid such cybersecurity exploitations?
In the healthcare sector, two new regulations have been passed on 25 May 2017, which introduce new safety regulations for medical devices within the EU. As a result, manufacturers can keep building revolutionary, state-of-the-art smart devices, although they will need to abide by the new principles of risk management.
Common Criteria Evaluation is an international standard for computer security certification. By thoroughly evaluating the manufactured devices, let them be healthcare smart tools, or anything else, we can make sure they comply with international regulations, and most importantly, they are built with cybersecurity in mind.
At CCLab, apart from Common Criteria Evaluation, we provide cybersecurity consultation, penetration testing, cybersecurity relevant risk management services and support the security of your product lifecycle management and information security management processes, in order for your medical devices to fulfill the expectations of professionals, and private individuals alike, who are cautious about their personal data.
According to Cynerio, a healthcare IoT cybersecurity company, 53% of connected medical equipment in hospitals has a known critical cybersecurity vulnerability. A third of bedside connected devices used in healthcare settings have an identified critical risk, which is definitely more worrying in terms of patient safety. This is just one of the many reasons why on 5th April 2017, the European Parliament voted to adopt the awaited Medical Device Regulation (MDR) and In vitro Diagnostic Regulation (IVDR). One of the most critical goals of the new Regulations is to strengthen medical device cybersecurity.
min reading time