How IT Teams Can Protect Health Care Data
By Karen A. Frenkel
Medical devices have become key pivotal points within health care networks for cyber-attackers. They are the hardest area to remediate even when attacker compromises are identified.
Because medical devices and electronic medical records are being deployed quickly across doctors’ practices and hospitals due to government incentives, this community has connected the most vulnerable devices with the highest valued data.
X-ray machines, picture archives and communication systems and blood gas analyzers are vulnerable.
The report found that Nova Biomedical and its Critical Care Express units contain Zeus and Citadel malware. Hackers used the devices, which were several years old, to find passwords within the hospital. TrapX studied these devices to understand and illustrate MEDJACK.
The report suggests 13 ways to safeguard medical devices and data, including that medical institutions rapidly integrate and deploy software and hardware fixes provided by medical device manufacturers and have senior management and QA teams track them.
Procure medical devices only after reviewing with the manufacturer their cyber-security processes and protections. Review these quarterly.
Many devices are probably already infected and creating unknown risks to institutions and patients, so review and remediate them now.
Many medical devices have been in service for years and should be retired, especially if they have no strategy against malware.
Although updating support and maintenance that specifically address malware remediation may increase expenses, it is necessary and prudent. Manufacturers should offer documented test processes to determine whether devices are infected and standard process to remediate them.
You may find exfiltration of patient data. Compliance and IT must work together to document such incidents, and provide notice and follow-up in accordance with the law.