The advent of modern technology has paved the way for some ground-breaking medical devices. While many of these devices are responsible for saving lives, there's a hidden risk of cyber attacks that often goes unnoticed. Some people assume that hacking is limited to computers and networks, but this isn't the case. A hacker can often gain access to a medical device just as easily as to a computer.
Report: Medical Devices Lack Security
Just last year, Wired magazine published a report on the cybersecurity risks of hospital equipment. Researchers had found that a vast number of medical devices were disturbingly easy to hack, including drug infusion pumps, Bluetooth defibrillators, X-ray machines, medical storage refrigerators and coolers, and even the digital records of patients.
“Many hospitals are unaware of the high risk associated with these devices,” said Scott Erven in the Wired report. “Even though research has been done to show the risks, health care organizations haven’t taken notice. They aren’t doing the testing they need to do and need to focus on assessing their risks.”
Hospitals and medical practices often turn a blind eye to the potential cyber threats of their devices. When you're busy analyzing your computers, data storage techniques, and other 'obvious' elements, it's easy to forget about your medical devices. And while cases of hacked medical devices are few and far between, experts say it's only a matter of time before a hacked medical device results in a fatality.
How To Protect Your Medical Devices
The first step in determining whether or not a medical device poses a cyber risk is to identify its method of control. Devices controlled locally (e.g. buttons or touchscreen) are the safest, whereas devices controlled remotely (e.g. Bluetooth or Wi-Fi) pose the greatest risk of a cyber attack. Unfortunately, many medical devices that are currently being used feature remote control technology, as it allows doctors and nurses to control the device from afar. But if a physician can control a device from a different area of the hospital, so can a hacker.
Doctors and medical practice owners should also check to see if their devices offer data encryption. Using a remote-controlled medical device that's not encrypted is just asking for trouble. While the Health Insurance Portability and Accountability Act (HIPAA) doesn't specifically require data encryption, medical practices may still be held liable when data is leaked due to a lack of encryption.