
Building the Firewall: Addressing Escalating Cybersecurity Threats in Medical Device Networks

Mar 17, 2019 08:00 CST

With the advent of the internet era, medical devices are increasingly connected to the internet. While hospitals can improve healthcare services through network connectivity, they also face corresponding cybersecurity risks. Like other computer systems, medical devices are susceptible to security vulnerabilities. Cybersecurity issues in medical devices may not only compromise patient privacy but also pose risks of unintended device operation, potentially causing injury or death to patients or users. Therefore, cybersecurity is an integral component of the safety and effectiveness of medical devices.

 

Threats and vulnerabilities cannot be eliminated, making risk mitigation critically important. What is the current landscape of cybersecurity for medical devices in China and abroad? Which startups in this sector are leveraging novel methodologies and technologies to build robust firewalls?

  

Medical Devices Will Become the Next Target of Cyberattacks

 

VCBeat has long focused on the issue of cybersecurity in healthcare. According to 2017 data, there were more than 200 healthcare information breach incidents annually in the United States from 2010 to 2015. Today, the situation has become even more severe, with 503 healthcare data breaches occurring in 2018 alone. (Source: U.S. Department of Health and Human Services)

 

FortiGuard Labs reported that in 2017, healthcare organizations experienced an average of nearly 32,000 intrusion attempts per organization per day, compared to over 14,300 in other industries. Clearly, the healthcare sector was subjected to significantly more attacks.

 

In China, the situation is equally grim. In 2017, Legal Daily published a report titled “700 Million Pieces of Personal Information Leaked: Zhejiang Court Rules on Major Case of Infringement of Citizens’ Personal Information,” exposing that hackers had infiltrated the medical service information system of a certain ministry, resulting in the leakage and illegal trade of a large volume of prenatal examination data.

 

However, there is a concerning trend: hackers are no longer satisfied with merely extracting medical records and patient data. They have extended their reach to medical devices, thereby threatening patient safety.

 

For years, healthcare institutions have focused on safeguarding patients’ protected health information (PHI). With the advent of the Internet of Things (IoT) era, the healthcare industry faces a new challenge. The Internet of Medical Things (IoMT) encompasses medical devices such as infusion pumps, magnetic resonance imaging (MRI) scanners, X-ray machines, and cardiac monitors, all of which can become targets of cyberattacks and ransomware.

 

Although the Internet of Medical Things (IoMT) can improve healthcare efficiency, IoMT devices lacking security protections expose systems to greater risks. With the rapid advancement of 5G technology, the adoption of IoT is accelerating, leaving medical devices without cybersecurity measures effectively “exposed and vulnerable” to cyberattacks.

 

One example is the WannaCry ransomware attack on the UK's National Health Service (NHS) in May 2017.

 

In February 2018, Naked Security reported on how WannaCry affected the UK’s National Health Service (NHS). The report explained that the ransomware hit MRI and CT scanners whose workstations ran Windows XP. Although the impact of this attack was limited to ransom demands to unlock the affected devices, it raised the greater concern that malware could affect device operation, interfere with mechanical movements, disrupt scanning signals, or even alter results.

 

In 2017, Forbes also reported that Bayer Medrad equipment at a U.S. hospital had been compromised. A Bayer spokesperson confirmed that the company had received two reports from U.S. customers indicating that the devices had been targeted by ransomware, but did not disclose which specific products were affected. Both sites resumed operations within 24 hours.

 

Hackers can attack medical devices directly to carry out ransomware attacks; worse, the devices themselves may be turned into accomplices and used as tools for eavesdropping.

 

In August 2017, the FDA issued a safety communication and Abbott (formerly St. Jude Medical) released a firmware update for roughly 465,000 implanted pacemakers, after vulnerabilities were found that could let an unauthorized party use the devices’ radio interface to access them and change their programming. Even former U.S. Vice President Dick Cheney had the wireless function of his implanted defibrillator disabled to protect it against cyberattacks.

 

Smiths Medical’s Medfusion 4000 wireless syringe infusion pump is another example. This infusion pump is used worldwide to deliver small doses of medication from syringes in acute care settings. According to a September 2017 report by ICS-CERT, these devices contain eight vulnerabilities that can be exploited remotely.

  

According to Gartner Research, by 2020, 25% of healthcare attacks will originate from IoT devices. The SANS Institute reports that approximately 17% of cyberattacks in hospitals stem from medical endpoints, with 77% of hospitals surveyed indicating that security risks associated with medical devices are their top concern.


VCBeat interviewed Cao Xiaojun, Deputy Director of the Data Center at Guangzhou Women and Children’s Medical Center, on cybersecurity issues related to medical devices. The Guangzhou Women and Children’s Medical Center achieved HIMSS EMRAM Stage 7 certification for both inpatient and outpatient services in 2017.


Cao Xiaojun stated, “Unlike standard end-user devices, medical devices may involve customized systems and software deployed within proprietary network environments. They cannot rely on conventional endpoint protection measures for self-defense; however, due to constraints such as outdated system versions and non-compliant deployment practices, they are highly susceptible to cyberattacks.”


Cao Xiaojun also pointed out the current weaknesses in cybersecurity and endpoint security. He believes that the following issues are easily overlooked in endpoint security:

1. Intranet endpoint hosts have not received any system patches since deployment, leaving them riddled with vulnerabilities and allowing malicious code to infiltrate unchecked;

2. To make operations easier, endpoints often use weak passwords. After obtaining the password through brute-force attacks, viruses log into the system directly with administrator privileges, bypassing all protective measures and gaining unrestricted access within the system;

3. To make operations and office work easier, mobile storage devices are misused, providing an effective vector for the propagation of malicious code;

4. Because security awareness is not adequately disseminated and personnel lack security consciousness, individuals use mobile hotspots to make unauthorized external connections for the sake of convenience. This interconnects the internal and external networks and introduces unknown risks.


There are also some easily overlooked issues in cybersecurity, including:

1. The basic network infrastructure is disorganized, with no zoning or segmentation. When a security incident occurs, it spreads rapidly across the network and cannot be contained in time;

2. Policies on cybersecurity devices are not standardized; many network devices have never had their policies updated after deployment, or are configured to allow all traffic by default, so they provide no effective defense and are virtually useless;

3. No one regularly analyzes and summarizes the security logs within the network, so the optimal window for responding to security incidents is often missed. Situations escalate beyond control, leaving operations in a perpetual state of passive defense.
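The two weaknesses above that a log review would catch first are the brute-force-then-administrator-logon pattern on endpoints (item 2 of the endpoint list) and the fact that nobody is reading the logs (item 3 here). The script below is an added example written for this article, not code from VCBeat or from Cao Xiaojun’s hospital. It runs a sliding-window detector over a constructed, key=value style export of Windows Security events (4625 = failed logon, 4624 = successful logon are the real event IDs; the hostnames, addresses and line layout are invented for the example) and flags any (host, user, source) that logs on successfully after a burst of failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
FAILED, SUCCESS = "4625", "4624"

# Constructed sample export (not from the article). The "key=value" layout is a
# hypothetical format chosen for this example; adapt LINE_RE to your SIEM export.
SAMPLE_LOG = """\
2019-03-10T02:14:01 host=MRI-WS01 event=4625 user=administrator src=10.20.0.77
2019-03-10T02:14:03 host=MRI-WS01 event=4625 user=administrator src=10.20.0.77
2019-03-10T02:14:04 host=MRI-WS01 event=4625 user=administrator src=10.20.0.77
2019-03-10T02:14:06 host=MRI-WS01 event=4625 user=administrator src=10.20.0.77
2019-03-10T02:14:08 host=MRI-WS01 event=4625 user=administrator src=10.20.0.77
2019-03-10T02:14:09 host=MRI-WS01 event=4625 user=administrator src=10.20.0.77
2019-03-10T02:14:11 host=MRI-WS01 event=4624 user=administrator src=10.20.0.77
2019-03-10T08:01:10 host=CT-WS02 event=4625 user=nurse01 src=10.20.0.15
2019-03-10T08:01:25 host=CT-WS02 event=4625 user=nurse01 src=10.20.0.15
2019-03-10T08:01:40 host=CT-WS02 event=4624 user=nurse01 src=10.20.0.15
2019-03-10T09:00:00 host=PACS-GW event=4625 user=svc_dicom src=10.10.9.5
2019-03-10T09:00:10 host=PACS-GW event=4625 user=svc_dicom src=10.10.9.5
2019-03-10T09:00:20 host=PACS-GW event=4625 user=svc_dicom src=10.10.9.5
2019-03-10T09:30:00 host=PACS-GW event=4625 user=svc_dicom src=10.10.9.5
2019-03-10T09:30:10 host=PACS-GW event=4625 user=svc_dicom src=10.10.9.5
2019-03-10T09:30:20 host=PACS-GW event=4625 user=svc_dicom src=10.10.9.5
2019-03-10T09:30:30 host=PACS-GW event=4624 user=svc_dicom src=10.10.9.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return parsed events as dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Alert on every (host, user, src) that logs on successfully after at least
    `threshold` failed logons inside the sliding `window` ending at the success."""
    recent_failures = defaultdict(deque)  # key -> timestamps of failures still in window
    alerts = []
    for ev in parse(log_text):
        key = (ev["host"], ev["user"], ev["src"])
        q = recent_failures[key]
        # Drop failures that have aged out of the window (handles the PACS-GW
        # case: two spaced-out bursts of three do not add up to one burst of six).
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["event"] == FAILED:
            q.append(ev["ts"])
        elif ev["event"] == SUCCESS:
            if len(q) >= threshold:
                alerts.append({
                    "host": ev["host"], "user": ev["user"], "src": ev["src"],
                    "failures": len(q), "success_at": ev["ts"].isoformat(),
                })
            q.clear()  # a success ends the attempt sequence either way
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['host']} {a['user']} from {a['src']}: "
              f"{a['failures']} failures then success at {a['success_at']}")
```

With the defaults (five failures within two minutes) only the MRI-WS01 administrator logon is flagged; the two failed logons on CT-WS02 look like a mistyped password, and the svc_dicom failures on PACS-GW are spread across two bursts that never exceed the threshold inside one window. Widening the window to an hour makes the PACS-GW sequence an alert too, which is the tuning decision a log reviewer has to make deliberately rather than not at all.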


Regarding protective measures, he offered two recommendations:

1. On the host, enforce the principle of least privilege for software: allow only specific programs and interfaces to run and block all other actions. This creates a protective shield of trusted software and directly eliminates the vectors by which malicious code exists and propagates;

2. Where the network environment permits, place medical devices in the same network segment and deploy a security gateway at the ingress of that segment to cleanse malicious code from network transmission paths, thereby achieving zonal protection.
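The second recommendation, and the “allow all traffic by default” weakness named earlier, come down to one rule: the device segment’s gateway should carry an explicit allow-list and deny everything else. The checker below is an added example for this article, not a configuration from Cao Xiaojun’s hospital or from any vendor. It encodes a hypothetical medical-device segment (10.20.0.0/24) with the handful of flows such devices legitimately need (DICOM to a PACS server, HL7 to an integration engine, NTP, and remote desktop only from a biomedical-engineering management subnet) and evaluates constructed flow records against it. All addresses and the exact rule set are assumptions; the protocol ports are the conventional ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str               # "tcp" or "udp"
    dport: Optional[int]     # None = any destination port
    note: str

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# Hypothetical addressing for the example: one VLAN holds the medical devices,
# the gateway in front of it enforces POLICY. Anything not listed is denied.
DEVICE_SEGMENT = net("10.20.0.0/24")
MGMT_JUMP_HOSTS = net("10.10.9.0/24")

POLICY = [
    Rule(DEVICE_SEGMENT, net("10.10.5.20/32"), "tcp", 104,  "DICOM to PACS"),
    Rule(DEVICE_SEGMENT, net("10.10.5.21/32"), "tcp", 2575, "HL7 MLLP to integration engine"),
    Rule(DEVICE_SEGMENT, net("10.10.5.1/32"),  "udp", 123,  "NTP"),
    Rule(MGMT_JUMP_HOSTS, DEVICE_SEGMENT,      "tcp", 3389, "RDP from biomed management hosts"),
]

def matches(rule, flow):
    """A flow matches when src and dst fall inside the rule's networks and the
    protocol and port agree (a None port in the rule matches any port)."""
    return (ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and flow.proto == rule.proto
            and (rule.dport is None or flow.dport == rule.dport))

def evaluate(flows, policy=POLICY):
    """Default-deny evaluation: return (allowed, denied), where each allowed
    entry is (flow, note of the matching rule) and each denied entry is the flow."""
    allowed, denied = [], []
    for f in flows:
        hit = next((r for r in policy if matches(r, f)), None)
        if hit is None:
            denied.append(f)
        else:
            allowed.append((f, hit.note))
    return allowed, denied

# Constructed flow records (not from the article), as a gateway or NetFlow
# collector might export them. Two are legitimate device traffic, one is a
# legitimate management session, and three are the kind of traffic an
# allow-all gateway would have passed silently.
SAMPLE_FLOWS = [
    Flow("10.20.0.31", "10.10.5.20", "tcp", 104),    # scanner pushing images to PACS
    Flow("10.20.0.31", "10.10.5.1",  "udp", 123),    # NTP sync
    Flow("10.10.9.3",  "10.20.0.31", "tcp", 3389),   # biomed engineer RDP from jump host
    Flow("10.20.0.44", "10.10.7.10", "tcp", 445),    # SMB from a device into the office LAN
    Flow("10.20.0.44", "203.0.113.9", "tcp", 443),   # device calling out to the internet
    Flow("10.10.8.50", "10.20.0.31", "tcp", 3389),   # RDP from an ordinary office PC
]

if __name__ == "__main__":
    allowed, denied = evaluate(SAMPLE_FLOWS)
    for f, note in allowed:
        print(f"ALLOW {f.src} -> {f.dst} {f.proto}/{f.dport}  ({note})")
    for f in denied:
        print(f"DENY  {f.src} -> {f.dst} {f.proto}/{f.dport}  (no matching rule)")
```

The same table maps one-to-one onto firewall or gateway ACL lines, with an explicit final deny. One caveat the article’s recommendation leaves implicit: traffic between two devices inside the same segment never crosses the gateway, so lateral spread within the VLAN (the 445 case, if both ends were devices) has to be stopped by host-level controls or private VLANs, not by the ingress gateway alone.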


Cybersecurity for Medical Devices Requires Collaborative Efforts to Build a Safety Net


Why Are Healthcare Organizations Targeted? Because medical data is highly valuable yet poorly protected. The financial sector is the most frequently targeted industry. For hospitals, violations involving patient information leaks or compromised devices result in severe penalties under HIPAA regulations.

 

In China, the situation is no exception. The "Regulations on Classified Protection of Cybersecurity (Draft for Comments)" released in 2018 divided the security levels of information systems into five tiers, proposing that the protection level be raised to Level 3 for information systems where damage would be "particularly severe."

 

Who will be held liable in the event of a cybersecurity incident at a hospital? According to the “Guiding Opinions on Information Security Level Protection in the Health Sector” issued by the Ministry of Health in 2011, the responsible party is clearly identified by the principle “Whoever is in charge shall be responsible; whoever operates shall be responsible.”

 

Medical device manufacturers also bear the responsibility for ensuring the cybersecurity of medical devices. The 2017 "Technical Review Guidelines for Cybersecurity Registration of Medical Devices" explicitly states:

 

“Medical device products are often connected to devices or systems not anticipated by the registration applicant during use, making it difficult for the registration applicant to control and ensure the cybersecurity of the medical device product on their own. Therefore, ensuring the cybersecurity of medical devices requires joint efforts and close collaboration among the registration applicant, users, and information technology service providers. However, this does not exempt the registration applicant from relevant responsibilities for medical device cybersecurity. The registration applicant shall ensure the inherent cybersecurity of the medical device product and clearly specify the interface requirements for devices or systems intended to be connected, thereby safeguarding the safety and effectiveness of the medical device product.”


Regarding the models adopted by Chinese hospitals to counter cyberattacks, Deputy Director Cao Xiaojun told VCBeat, “In addressing cybersecurity, experienced third-party companies develop security solutions tailored to the specific environment and circumstances of each hospital, which are then implemented collaboratively following internal approval.”

 

Most Hospitals Fail to Meet the Current Highest Standards

 

VCBeat reviewed relevant materials and found that the Standards and Specifications for Hospital Information Construction in China (Trial), issued by the National Health Commission in 2018, provides standardized and comprehensive requirements for medical security protection.

 

The National Health Commission has established distinct standard requirements for hospitals of different tiers. Standards and requirements are provided across four key areas: data center security (firewalls, security audit devices, system hardening appliances, data hardening appliances, intrusion prevention systems, identity authentication systems, access control systems, and security management systems); terminal security (identity authentication devices, media security devices, client management systems, and endpoint security management systems); network security (structural security devices, communication encryption devices, network optimization devices, and network security management); and disaster recovery and backup (infrastructure disaster recovery, redundant network disaster recovery, data backup and restoration, and application disaster recovery).

 

However, turning to the current reality, the “Healthcare Industry Security Index Report” jointly released by Tencent Smart Security and the China Hospital Information Management Association (CHIMA) shows that 38% of hospitals in China score at a good level and 22% at an excellent level, indicating that the level of information security construction in hospitals across China is continuously improving under the guidance of the National Health Commission.

 

However, the report also exposed several problems, including weak awareness of information security construction in the healthcare industry and a lack of effective protection for core data. The main manifestations are as follows: a large number of ports on internet-facing assets are open, posing significant risk (for instance, up to 50% of systems have remote login services enabled); externally facing computers carry numerous security risks that could provide opportunities for unauthorized access; vulnerabilities in online service platforms and third-party medical service platforms increase the risk of medical data breaches; and the healthcare industry has become a primary target of ransomware, challenging the continuity of medical operations.


As the fourth hospital in China to achieve HIMSS Stage 7 certification, Guangzhou Women and Children’s Medical Center also shared its experience in cybersecurity infrastructure development, as presented by Cao Xiaojun.


He stated, “The National Standards and Specifications for Hospital Information Technology Construction (Trial), issued by the National Health Commission, sets out detailed requirements for data center security protection across eight major aspects, including firewalls, security auditing, system hardening, and data hardening. In China, not all Grade A tertiary hospitals can fully meet all the recommended requirements, particularly in the areas of intrusion prevention and identity authentication, where many hospitals have yet to achieve comprehensive implementation. Since the inception of our cloud-based hospital initiative, our institution has placed significant emphasis on data center security, recognizing that cloud-based data centers are more susceptible to security vulnerabilities that could lead to security incidents. Therefore, in accordance with the National Health Commission’s requirements for Grade A tertiary hospitals, we have established security construction standards for our cloud-based data center and have progressively refined them through multiple phases of development, initially achieving the eight aspects of security standards in the National Standards and Specifications for Hospital Information Technology Construction (Trial).”


In terms of disaster recovery and backup, Guangzhou Women and Children’s Medical Center has exceeded the standards set by the National Health Commission: “In the construction of our disaster recovery and backup systems, our hospital places particular emphasis on ensuring business continuity through high availability. We have designed an active-active redundant architecture across multiple layers, including the network, host, and storage layers, to eliminate single points of failure across the entire information system platform. Additionally, we have established a metropolitan-area remote disaster recovery center that achieves near real-time data synchronization. In extreme scenarios, this setup enables a Recovery Time Objective (RTO) of ≤15 minutes and a Recovery Point Objective (RPO) of approximately zero, exceeding the standards and requirements set by the National Health Commission,” said Cao Xiaojun.

 

Startups Enter the Arena Leveraging Technologies Such as AI and Blockchain


As previously stated, cybersecurity for medical devices cannot be guaranteed by a single entity. The involvement of third-party companies can help hospitals better respond to cyberattacks, and several startups have already entered this field. Abroad, there are more than 120 startups focused on cybersecurity in the healthcare industry. VCBeat has previously conducted an analysis and found that nine of these startups are dedicated to securing medical devices, employing various technologies such as AI and blockchain to assist hospitals in combating cyberattacks.

 

[Figure: medical device and IoT cybersecurity protection companies]

 

At the HIMSS19 conference, former U.S. Chief Information Security Officer Greg Touhill offered recommendations on how healthcare organizations can address cybersecurity challenges. VCBeat has excerpted some of his insights for reference:

 

1. Adopt a zero-trust strategy. “I think much of what we do is considered trust-based, but that is very wrong.”

2. Usernames and passwords were considered state-of-the-art in 1979, but access control should now be reconsidered;

3. Other industries, such as finance and government, are using multi-factor authentication to help individuals better protect their information; the healthcare industry should place even greater emphasis on these capabilities.

4. TCP/IP is a weak security foundation: Transmission Control Protocol/Internet Protocol, which manages the connection between computer systems and the internet, was also state of the art in the late 1970s, Touhill said. But it is not a robust security foundation;

5. Leverage automation to detect and prevent fraud: Many tools are available for fraud detection, but Touhill states that the best ones originate from the financial sector. Healthcare practitioners should identify solutions from the financial sector and adapt them to the healthcare industry;

6. Caution when flying into the clouds: Touhill also addressed security issues related to cloud computing. When collaborating with cloud providers, he recommended that organizations maintain access logs, retain the right to conduct penetration testing, and reserve the right to engage independent third-party auditors;

7. Artificial intelligence could be an entry point coveted by hackers: Due to the surge in artificial intelligence, many organizations are investing in this technology. However, keep in mind that adopting AI makes your organization a target for cybercriminals.


Likewise, Cao Xiaojun also offers some recommendations on cybersecurity development for hospitals in China:


1. Establish a hospital information security management organizational structure, clearly define the roles and responsibilities of security administrators, data center administrators, network administrators, application administrators, host administrators, and other information security-related positions, establish and improve the information security management responsibility system, and ensure that all information security responsibilities are assigned to specific individuals;


2. Conduct regular internal audits and management reviews of the hospital’s information security management system, measure the effectiveness of implemented security controls, and implement corresponding corrective and preventive actions to ensure the continuing adequacy, suitability, and effectiveness of the information security management system. Conduct planned assessment and management of security risks present in hospital information systems;


3. Tiered Protection for Hospital Business Information Systems. In accordance with the national requirements for Classified Protection of Cybersecurity, security levels shall be determined for hospital information systems and data, and tiered protection measures shall be implemented based on the respective security levels;


4. Standardize the management processes for hospital information assets (including hardware, software, and services), establish an information asset register, clearly define asset owners, users, and maintainers, label all information assets, and achieve secure management throughout the entire lifecycle of information assets, including procurement, usage, modification, and disposal;


5. Ensure the physical and environmental security of the server room. Implement security measures, including access control, video surveillance, and alarm systems, to guarantee physical security. Deploy environmental support facilities such as dedicated precision air conditioning units and uninterruptible power supplies (UPS), and conduct regular inspections and maintenance of server room infrastructure. Strictly manage the entry and exit of personnel and equipment; all entries and exits must be registered, and external visitors must be accompanied by authorized management personnel to access the server room.


6. Strengthen the management of information system outsourcing activities and outsourcing vendors, and include requirements for information system security in the service agreements signed with information system outsourcing vendors. Enhance the management of external parties’ access to business information systems through measures such as approval processes, access control, monitoring, and signing confidentiality agreements, to prevent external parties from compromising information system security;


7. Centrally deploy network anti-malware software within the hospital network and perform unified updates of the malware signature database to prevent malicious code, Trojans, and other malware from impacting business information systems. Enhance the capability of business information systems to defend against malware by strengthening management measures, such as tightening media management, strictly prohibiting unauthorized software installation, enhancing staff security awareness through education, and conducting regular malware detection.


8. Back up critical information and information systems, securely store backup media, and conduct regular backup testing and verification to ensure the confidentiality, integrity, and availability of all backup data, thereby guaranteeing reliable recovery of all critical information systems and important data in the event of failures, disasters, or other specific requirements;


9. Adopt both technical and managerial control measures to strengthen network security controls, continuously improving the security and stability of the network. The hospital's office network is logically isolated from the Internet. By implementing technical preventive measures such as network access control, strict approval processes are enforced for network access, usage security management is strengthened, and security training and education on network usage are enhanced to ensure the security of network information;


10. Implement access controls for critical information systems and data based on the "need-to-know" principle through functional and technical configurations. Further promote the use of digital certificates and secure authorization management systems, and designate responsible individuals for authorization. Strictly approve and monitor the use of special system privileges and system utility tools.


11. Further prioritize software development security. During the project initiation and approval processes for various hospital business information systems, information security requirements and objectives shall be considered concurrently. The security of system design and development processes must be ensured, with a particular emphasis on strengthening the management of software code security. For outsourced software development, confidentiality agreements shall be signed with service providers. Upon completion of system development, a third-party security assessment of the software’s security shall be required.


12. Under conditions that comply with relevant national regulations on cryptographic management, reasonably employ cryptographic technologies and devices, strictly manage security aspects such as key generation, distribution, and storage, and ensure the secure use of cryptographic technologies;


13. Prioritize the management of IT service continuity, and establish mechanisms for the prevention, early warning, response, handling, and recovery of various information security incidents. Develop emergency contingency plans for critical systems such as the business-facing external network, and conduct regular testing and drills to ensure rapid and orderly emergency response in the event of information system failures or accidents, thereby minimizing the impact of sudden incidents or unexpected disasters on the hospital’s business information systems.


14. Regularly identify, document, and update applicable national laws and regulations on information security; assess the hospital’s current information security management practices for compliance with such laws and regulations to ensure that all information security activities adhere to national legal and regulatory requirements.