Ransomware attacks on healthcare organizations have become increasingly common in the U.S., causing major disruptions to patient care. They have cut off access to patients’ electronic health records (EHRs), shut down critical communication channels within hospital networks, and even forced ambulances to be rerouted. Recent attacks have also been allegedly linked to patient deaths. Tools that exist to save lives can do the opposite when they are compromised. Unpatched medical devices, and legacy devices that have been in service for years, often lack adequate security controls and are increasingly exposed to attack. In September 2022, the FBI issued an industry alert, titled Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, warning the healthcare industry about this life-threatening problem.
These known risks spurred the Healthcare Cybersecurity Act of 2022, a bill that would direct the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Health and Human Services to work together to reduce cyberattacks and data breaches in the healthcare industry. Under the bill, CISA would study the cybersecurity risks facing healthcare, provide training on those risks, and identify cybersecurity workforce shortages. But are these steps enough?
Lives are at Stake
Ransomware attacks that reach medical devices are causing major disruptions in hospitals and clinics. The first alleged ransomware-related death in the U.S. occurred at a hospital in Alabama, where medical staff were unable to use the fetal heartbeat monitors in 12 delivery rooms after the attack took the devices out of service.
The healthcare industry has become a prime target for attackers, who count on hospital executives paying the ransom in order to restore care and save lives. Couple this with the staffing shortages many hospitals still face after Covid-19, and the situation becomes dire. Even short delays in access to medical equipment and patient data can be deadly.
Stepping In
The following legislative movements are in place to evaluate and help remedy the crisis of medical device cybersecurity risks:
- In March 2022, the PATCH Act was introduced in the Senate. It would require medical device manufacturers to document a device’s security posture and known vulnerabilities, along with a process for delivering updates and patches, before the device goes to market.
- In April 2022, the FDA issued a draft guidance on medical device security, which is “intended to provide recommendations to industry regarding cybersecurity device design, labeling, and the documentation that FDA recommends be included in premarket submissions for devices with cybersecurity risk.”
- In May 2022, the Strengthening Cybersecurity for Medical Devices Act was introduced to require the FDA to regularly update cybersecurity guidance related to medical devices. The Senate is currently considering this bill.
- In June 2022, the House passed the Food and Drug Amendments of 2022, which would give the FDA authority in a variety of areas, including ensuring cybersecurity throughout the lifecycle of a medical device.
While all of these proposed bills and guidance documents would help strengthen security across the healthcare industry as a whole, none has become law. Each healthcare facility therefore needs to act on its own to safeguard its networks, data, and devices.
Safeguard Devices, Safeguard Patients
In light of the growing number of ransomware attacks on hospitals, health systems need to start by evaluating their current risks and building a remediation plan. A good place to begin is the National Institute of Standards and Technology’s Cybersecurity Framework, which organizes that work into five functions: Identify, Protect, Detect, Respond, and Recover.
Until legislation is passed, it is up to each individual healthcare system to proactively evaluate, and upgrade or replace, inadequately secured medical devices that could harm patients if compromised.
Learn How ProcessBolt Can Help Secure Medical Devices
Watch our on-demand webinar, Healthcare Organizations Under Attack—Securing Medical Devices on Your Network, to learn how ProcessBolt helps Allina Health monitor and secure critical operating systems utilizing our unique third-party risk software platform.