How IT Teams Can Protect Health Care Data

Karen A. Frenkel Avatar

Updated on:

How IT Teams Can Protect Health Care Data

How IT Teams Can Protect Health Care DataHow IT Teams Can Protect Health Care Data

By Karen A. Frenkel

The Rise of MEDJACKs: Medical Device HijacksThe Rise of MEDJACKs: Medical Device Hijacks

Medical devices have become key pivotal points within health care networks for cyber-attackers. They are the hardest area to remediate even when attacker compromises are identified.

Devices and Electronic Medical Records ConnectedDevices and Electronic Medical Records Connected

Because medical devices and electronic medical records are being deployed quickly across doctors’ practices and hospitals due to government incentives, this community has connected the most vulnerable devices with the highest valued data.

Types of Compromised EquipmentTypes of Compromised Equipment

X-ray machines, picture archives and communication systems and blood gas analyzers are vulnerable.

Critical Care Units Used for AnalysisCritical Care Units Used for Analysis

The report found that Nova Biomedical and its Critical Care Express units contain Zeus and Citadel malware. Hackers used the devices, which were several years old, to find passwords within the hospital. TrapX studied these devices to understand and illustrate MEDJACK.

RecommendationsRecommendations

The report suggests 13 ways to safeguard medical devices and data, including that medical institutions rapidly integrate and deploy software and hardware fixes provided by medical device manufacturers and have senior management and QA teams track them.

Protections and Quarterly ReviewsProtections and Quarterly Reviews

Procure medical devices only after reviewing with the manufacturer their cyber-security processes and protections. Review these quarterly.

Review and Remediate Devices NowReview and Remediate Devices Now

Many devices are probably already infected and creating unknown risks to institutions and patients, so review and remediate them now.

Medical Device End-of-Life StrategyMedical Device End-of-Life Strategy

Many medical devices have been in service for years and should be retired, especially if they have no strategy against malware.

Update Your Medical EquipmentUpdate Your Medical Equipment

Although updating support and maintenance that specifically address malware remediation may increase expenses, it is necessary and prudent. Manufacturers should offer documented test processes to determine whether devices are infected and standard process to remediate them.

Prepare for HIPAA ViolationsPrepare for HIPAA Violations

You may find exfiltration of patient data. Compliance and IT must work together to document such incidents, and provide notice and follow-up in accordance with the law.

Karen A. Frenkel Avatar