When WannaCry ransomware hit in May, the world was bewildered. Who would have thought a Windows SMB protocol exploit would be used in a historic cyberattack that would cripple over 200,000 Windows computers in 150 countries, including 48 NHS hospitals and medical devices in the UK and similar facilities in the US?
Connected medical devices are at serious risk, but vendors and the companies using them on their networks forget their obligation to protect the devices from both internal and external threats.
How did the NHS solve the problem? They didn’t, but instead decided to spend an enormous amount of money on IT hardware. As much as £150,000 is spent to purchase 233 computers per day, says a survey from memory and storage company Crucial. And all this equipment is worthless if 21 percent of NHS employees can’t scan a computer for malware or, worse, have no idea how to efficiently integrate technology in their tasks (27 percent).
“The NHS is clearly investing in new hardware, spending £260m since 2013 on new PCs, many of these presumably replacing the 219,000 PCs disposed of during the same period. But despite this spend, it’s clear that more training or IT support in using these new systems is needed to help give healthcare workers the means of being productive,” said Jim Jardine, director of DRAM product marketing at Crucial.
“Our study also highlighted the lack of knowledge doing simple tasks like scan for viruses, but with a bit of training, healthcare staff would feel a lot more confident and can make the most of the NHS’s IT investment.”
Chemotherapy stations, X-ray machines, lab equipment, portable insulin pumps, cardio-monitoring machinery used outside hospitals, pacemakers and other implanted devices that communicate via Wi-Fi or Bluetooth are all part of medical device innovation. The U.S. Food and Drug Administration has even approved an artificial pancreas for sale across the country.
CIOs play a critical role when it comes to cybersecurity strategy, especially if medical devices are involved, because the need to secure them is fundamental. A new attack will come, and how will these devices react?
Medical devices must still function properly in case of network connection failure. First of all, healthcare providers should be aware that any external devices may be compromised and, once plugged into the infrastructure, could infect the entire network with malware, including critical medical devices.
As a prevention measure, a solid security solution is vital to detect vulnerabilities and report malware infections without interrupting productivity. Vendors should consider this when bringing new embedded devices to market because smart medical equipment may end up leaking confidential patient records and could contribute to more elaborate cyberattacks.
Just like other IoT devices, medical appliances also must be regularly updated and patched and, above all, properly researched before acquisition. When lives are at stake, it’s a collective responsibility to ensure the weakest links are properly secured and a full-fledged mitigation strategy is enforced.