Mitigating and avoiding medical device vulnerabilities in healthcare

Medical devices connected to a healthcare organization's network often run weak, outdated security that can give an attacker a foothold into the organization’s entire system. In 2022, the FBI issued a report confirming that 53% of medical devices had a known vulnerability at that time. Such devices are an attractive entry point for threat actors who want to access and/or steal protected health information (PHI).

Vulnerabilities in medical devices can have serious consequences for healthcare providers, patients, and their PHI. Given that such threats exist today and are being monitored by the government, healthcare organizations need to understand more about medical device vulnerabilities and how to avoid the threat and/or the aftermath in case they do occur.

See also: HIPAA compliant email: The definitive guide


Cybersecurity threats to healthcare

According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million. Of these, 157.4 million individuals were impacted in the last five years of that period alone. More recent figures show that healthcare data breaches exposed 275 million records in 2024.

Common examples of breaches that result in exposed PHI include accidental disclosure, theft, lost or stolen devices, hacking incidents, and phishing/ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures or insider threats. No matter the type, a data breach can have far-reaching consequences and can create serious accountability and liability issues for an organization.


Medical device vulnerabilities in healthcare

The healthcare industry relies on medical devices to improve patient care and outcomes. Medical device vulnerabilities arise from the interconnected nature of these devices, which rely on networks for diagnostics, monitoring, treatment, and communication. Many healthcare organizations do not prioritize medical device cybersecurity, whether because of limited capability or cost. Attackers exploit such weaknesses to access medical devices and, through them, an organization’s network, disrupting healthcare operations.

Adding to these vulnerabilities, some medical devices are “legacy” risks that, due to age, do not have appropriate security and cannot be patched. A recent congressional hearing found that there exists a fundamental “misalignment between the lifecycle of the physical devices (10–15 years) and the software embedded in such devices (3–5 years),” leading to increased risks.

Once in a system, a hacker can hunt for a wide range of sensitive information, starting with medical records that contain patient information, health histories, diagnoses, treatments, and medications. The rapid adoption of technology in healthcare has expanded the attack surface of hospitals, providing more opportunities for cyberattackers to infiltrate health systems.


Examples of medical devices targeted

Medical devices are an integral part of the rapidly expanding Internet of Medical Things (IoMT), which multiplies the potential entry points into hospital networks. Such devices and software applications communicate with each other over the internet (or an intranet) to provide patient care. Examples of commonly targeted devices and systems include:

  1. Insulin pumps
  2. MRI scanners and other imaging systems
  3. Implantable cardiac devices (e.g., pacemakers, defibrillators)
  4. Radiological equipment
  5. Intensive care equipment
  6. Blood pressure monitors
  7. Wearable medical devices
  8. Smart hospital beds
  9. Networked surgical equipment
  10. Infusion pumps
  11. Electronic health records
  12. Telemedicine platforms

Learn more: Best practices for securing medical IoT devices


Reasons for medical device attacks in healthcare

Many healthcare organizations rely on devices that no longer support, or have never supported, security updates and patches. IoMT devices, necessary for patient care but often deployed without proper cybersecurity, have also created a high degree of interconnectedness. These connected medical devices, often designed with functionality in mind rather than strong security, can be compromised with relative ease.

Access through a medical device lets a cyberattacker infiltrate an entire system. These hackers may want to hold PHI for ransom or even sell the data on the dark web. They may also want to get into a system solely for creating havoc. Finally, they may decide that all they want to do is harm individual patients.

The interconnectivity of medical devices, designed to improve efficiency and patient outcomes, creates a large attack surface. Hackers know healthcare organizations rely on these devices for operations, making them prime targets for cyberattacks and cybercrimes.

Read about: The FDA regulation of medical devices


Medjack attacks

Medjacks, or medical device hijackings, are an often-unseen threat in the healthcare industry in which attackers search for vulnerable medical devices to infiltrate. Once a vulnerable device is identified, attackers use various techniques to exploit its weaknesses. This could involve using known exploits for unpatched software, leveraging default or weak passwords, or abusing communication protocols that lack encryption.

The goal is to take control of the device and the system it is connected to. The risk of Medjacks is that they can compromise patient safety by altering device functions, stealing sensitive medical data, and disrupting hospital operations. This form of attack is especially common in healthcare because many medical devices run outdated software and lack strong security features.


Consequences of medical device vulnerabilities

The impact of medical device vulnerabilities on the healthcare industry can be devastating, from loss of data to loss of patients. The damage can go beyond monetary costs (e.g., loss from a ransom or cyberattack recovery), with other costs including:

  • Hacked, changed, and unusable devices
  • Loss of confidence from patients and stakeholders
  • Compromised healthcare data
  • Patients targeted with changes to their medical devices
  • Patients themselves hit by identity theft or blackmail
  • Disruption of services

The FBI has even warned that unsecured medical devices “could impact healthcare facilities’ operations, patient safety, and the confidentiality and integrity of medical information,” creating a major security issue. Devices designed to save lives may also expose a hospital network to a cyberattack.


The aftermath: Mitigating a medical device vulnerability

Healthcare providers need to continuously monitor their systems after a breach for anomalies and unusual behavior. If an organization suspects that its system has been breached, it should identify and confirm the situation, then take steps to stop the leak of PHI.

Healthcare organizations can begin to reduce the impact of such breaches by updating and then implementing more rigorous security measures. That more than likely means removing the affected medical device from the network. Organizations must also take measures to halt potential harm, such as retrieving sensitive information and providing training to staff.

They should also conduct thorough security audits and compliance reviews to identify further vulnerabilities. After detection and investigation, organizations must follow the Breach Notification Rule and notify affected individuals, the government, and the media. Swift and transparent communication helps lessen the fallout and demonstrates an organization’s commitment to rectifying the breach and ensuring it does not recur. Proper mitigation after a breach can keep more patient data from being exposed and protect a healthcare organization from committing a HIPAA violation.


Avoiding medical device vulnerabilities in healthcare with HIPAA compliance

HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid medical device vulnerabilities include:

  1. Establishing up-to-date policies and procedures
  2. Using business associate agreements (BAAs) when working with third parties
  3. Creating a program to identify and install needed updates and patches
  4. Using continuous employee awareness training, including training on connected devices
  5. Ensuring proper technological safeguards, such as data encryption
  6. Employing extra firewalls and endpoint security
  7. Utilizing strong access controls
  8. Keeping devices (physically) in secure, controlled locations
  9. Connecting devices only to private and encrypted networks
  10. Creating data backup and disaster recovery plans in case of an incident
  11. Regularly auditing and monitoring systems
  12. Having an incident response plan ready in case it is needed
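Several of the items above (the patch program, strong access controls, encryption, private network segments, and regular audits) together with the weaknesses the Medjack section names (unpatched software, default passwords, protocols without encryption) can be turned into a repeatable inventory check that feeds the risk assessment. The script below is an added example, not code from the article or from Paubox: the device fields, the risk weights, the cleartext-protocol list, and the sample inventory are all constructed assumptions, and the scores are meant to rank remediation work, not to certify compliance.

```python
"""Inventory-driven risk check for networked medical devices (added example).

Scores each device in a constructed inventory against the weaknesses the
article describes: embedded software past vendor support (the 10-15 year
device vs 3-5 year software gap), vendor default credentials, protocols that
carry PHI in cleartext, and placement on a flat network. Field names, weights
and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Device:
    name: str
    device_type: str
    in_service: date           # date the physical device entered service
    software_eol: date         # vendor end-of-support date for embedded software
    protocols: tuple           # protocols the device speaks on the network
    default_credentials: bool  # vendor default login still in place
    network_segment: str       # "isolated" clinical VLAN or "flat" shared network


# Protocols treated as cleartext for this example unless the site wraps them in
# TLS or a VPN (HL7 v2 over MLLP and DICOM have no built-in encryption).
CLEARTEXT = {"HTTP", "TELNET", "FTP", "HL7-MLLP", "DICOM"}

# Weights are an assumption; an organization tunes them in its own risk assessment.
WEIGHTS = {"eol": 3, "default_creds": 3, "cleartext": 2, "flat": 2}


def assess(dev: Device, today: date):
    """Return (score, findings, actions) for one device; higher score = fix first."""
    score, findings, actions = 0, [], []
    if dev.software_eol < today:
        years = (today - dev.software_eol).days / 365.25
        findings.append(f"embedded software unsupported for {years:.1f} years")
        actions.append("isolate the device and plan a vendor-supported update or replacement")
        score += WEIGHTS["eol"]
    if dev.default_credentials:
        findings.append("vendor default credentials still in place")
        actions.append("change credentials and enforce access controls")
        score += WEIGHTS["default_creds"]
    clear = sorted(CLEARTEXT & {p.upper() for p in dev.protocols})
    if clear:
        findings.append("cleartext protocols: " + ", ".join(clear))
        actions.append("move the traffic into TLS or a VPN tunnel")
        score += WEIGHTS["cleartext"]
    if dev.network_segment == "flat":
        findings.append("shares a flat network with business systems")
        actions.append("move to an isolated, access-controlled clinical segment")
        score += WEIGHTS["flat"]
    return score, findings, actions


def prioritize(inventory, today: date):
    """Assess every device and return (name, score, findings, actions), riskiest first."""
    report = [(d.name, *assess(d, today)) for d in inventory]
    report.sort(key=lambda row: row[1], reverse=True)
    return report


# Constructed sample inventory; these are not real devices or real findings.
SAMPLE_INVENTORY = (
    Device("infusion-pump-07", "infusion pump", date(2012, 3, 1), date(2017, 3, 1),
           ("HTTP", "TELNET"), True, "flat"),
    Device("mri-01", "MRI scanner", date(2016, 6, 15), date(2021, 6, 15),
           ("DICOM",), False, "isolated"),
    Device("patient-monitor-22", "bedside monitor", date(2022, 1, 10), date(2027, 1, 10),
           ("HL7-MLLP", "HTTPS"), False, "isolated"),
)
TODAY = date(2025, 1, 15)  # fixed so the example output is reproducible

if __name__ == "__main__":
    for name, score, findings, actions in prioritize(SAMPLE_INVENTORY, TODAY):
        print(f"{name}: risk score {score}")
        for finding, action in zip(findings, actions):
            print(f"  - {finding} -> {action}")
```

Run against a real asset inventory export, the ranking tells the patch program which devices to isolate or replace first and gives the audit step a concrete artifact to review each cycle; a device that cannot be patched still scores lower once it is moved off the flat network and its traffic is encrypted, which is exactly the compensating-control path the article describes for legacy equipment.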

HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.

Further info: How does HIPAA apply to medical devices?


FAQs

What is a medical device?

A medical device is any instrument, apparatus, machine, or implant used to diagnose, prevent, or treat medical conditions.


What types of medical devices are covered under HIPAA?

All medical devices that collect, store, or transmit electronic PHI, such as wearable health monitors, imaging equipment, and connected devices, fall under HIPAA regulations.


Do medical device manufacturers need to comply with both HIPAA and FDA regulations?

Yes, medical device manufacturers are required to comply with both HIPAA and FDA regulations. They must ensure that their devices meet FDA safety and effectiveness standards and also adhere to HIPAA’s privacy and security rules when handling protected health information.


Are third-party applications used with medical devices subject to HIPAA?

Yes, third-party applications that process electronic PHI from medical devices are also subject to HIPAA regulations and must implement appropriate safeguards to protect patient information.


What should healthcare providers and covered entities consider when using medical devices in terms of HIPAA compliance?

Healthcare providers and covered entities should ensure that the use of medical devices complies with HIPAA regulations, especially when these devices involve the collection, storage, or transmission of protected health information. They must also consider the security and privacy implications of integrating medical devices into their health IT systems.
