The need for greater investment in nursing cyber awareness training

Published On: May 19, 2022 | Last Updated: May 18, 2022

Many would think that the healthcare sector would be highly protected when it comes to its cyber structure. However, large volumes of confidential data, together with a network of connected medical devices (otherwise known as healthcare IoT), make healthcare organisations a prime target for cyber criminals.

There is an urgent need for investment in cyber security training for nurses so they can help protect the critical devices which they use as part of the patient’s journey within hospitals. 

Training nurses will help medical teams spot the vital signs and understand the cyber risks that they are faced with, which could affect those devices that provide at times critical care for patients. 

So, before we talk about the types of threats that can affect these critical medical devices let us first explore how critical they are to an acute setting. 

These devices include everything from infusion pumps used to administer drugs to patients, to large imaging systems used for diagnosis, to radiological cancer treatment systems used to shrink tumors.

The use of healthcare IoT is booming with the market projected to grow from $30.79 billion in 2021 to $187.60 billion in 2028.  

Within the NHS the Interim CIO at NHSX has said there are 21 million items of malicious activity blocked every month. 

That is not a surprise for the largest employer in the world. The NHS is a target due to the value of medical data. Across the world, 30% of data is generated by the healthcare sector, and this is due to increase to 36% by 2025.

Medical device criticality should not be underplayed. Even basic healthcare functions such as scheduling medication in these hospitals have been affected by ransomware in the past. 

Technology is used for scheduling operations and patient appointments, and if a device is affected it is not like a standard PC, where you can clean or rebuild it and get on with your day.

These medical devices would require calibration and checking to make sure the integrity of the device is established. 

Hospitals aren’t just concerned about confidentiality: disruption of services from impacts to availability, or risks to patient care stemming from data integrity failures, can be immense.

For hospitals running an EPR this becomes even more painful as all these medical IoT devices are interconnected feeding into the patient record and even tasks such as dispensing medicines are done electronically. 

In a situation where the IT goes down there is only a certain amount of time operating on paper before there isn’t time to ever put that data back into the system. 

The nurses are on the front line with these devices and therefore play an essential role in cybercrime prevention. 

They are the eyes and ears of patient safety, constantly managing and monitoring vital medical and other healthcare IoT devices, used to diagnose, monitor, manage, and treat patients. 

These systems are often connected directly to the patient on one side and to hospital networks on the other. 

There could be an impersonation attack. These are very clever these days, and someone could pretend to be a doctor or from IT in order to have the device manipulated.

Also, medical devices often can’t be locked down like standard PCs, so if a nurse reads a malicious email, or a website is compromised, this could directly affect the device.

Of the 777 email compromise incidents managed last year by the National Cyber Security Centre, 40% were aimed at the public sector.

Part of the issue is the devices themselves.

These devices have very long lifespans, some eight to 15 years, and they may have had five to six years in development before being approved, so you end up with medical devices potentially 21 years of age being plugged into hospital networks and providing life-sustaining or diagnostic services to patients.

These devices are CE Marked, which means they comply with the EU’s legislation on safety, health or environmental requirements.

For a medical device this often means:

· Critical updates and patches are delayed, as they need to be thoroughly tested to make sure they do not interfere with the function of that device.

· Vendors will not allow the typical security found on a PC to be used on the device.

· A medical device can easily be twice the age of a PC, so it is often the weak link, with the least protection.

The challenge is that these medical devices cannot be managed in the typical way you would manage your PCs, and they should not be directly scanned. Instead, they need to be passively monitored, to get the same depth of protection as a PC but without affecting the device.

This is where certain specialist cyber security technology, designed specifically for medical IoT and devices, comes into force.

Such a system accurately identifies the medical devices, shows exactly what the devices are doing and points out anomalies. It gets its depth of information and accuracy from the use of its “Digital Twin”, which allows direct scanning of a clone of the device.

It will even configure the segmentation for you (which is critical to accurately limit what the device can talk to).

Crisis Simulation training for NHS Trusts and nurses can also help by showing the impact of these attacks and how the decisions made by the people on the ground, such as the nurses, can affect the cyber attack.

Training and awareness, together with effective device monitoring and good coverage of IT security to give visibility of the potential threats across the network, are all critical to supporting nurses and healthcare professionals who may be exposed to a cyber attack.

There is no way you would fire up a 21-year-old laptop and log into your bank account, yet we do far more risky things, with far greater impact, in our hospital systems, which need proper preventative methods in place to keep healthcare staff and patients safe.

CoreToCloud.co.uk
