Like other Internet of Things (IoT) devices, medical equipment is a vulnerable attack surface. By 2018, it’s expected that sales of medical devices will exceed 14 million units—more than five times the sales of 2012.[1] Network- and cloud-connected medical devices used in clinical settings—nurse stations, patient monitors, communications, networks, diagnostic devices, testing, scanning systems, blood gas analyzers, and more—are just as much at risk as healthcare IT networks, laptops, and tablets.
Typical attacks targeting such devices are ransomware, internal and external data exfiltration, distributed denial-of-service attacks, malware introduced via infected external memory devices, and network attacks. A single connected medical device can potentially be exploited to enable large-scale data theft.
Medical device manufacturers have a responsibility to secure their devices to prevent breaches and to protect the privacy of patient and healthcare facilities’ data. They must ensure their products conform to strict regulatory compliance mandates dictated by the Health Insurance Portability and Accountability Act (HIPAA) and the requirements for medical devices issued by the US Food and Drug Administration (FDA).
Healthcare information is rich in both financial and personally identifiable data, making it a highly profitable target for cybercriminals. In the black market, a health record can fetch as much as $60, compared to $15 for a Social Security number.[2] It’s estimated that approximately 100 million healthcare records were compromised just in the first quarter of 2015.[3] A recent study reveals that the average cost of a healthcare breach in 2016 was $4 million per incident—up 29% since 2013.[4]
Let’s take a look at the trajectory of a typical threat that targets poorly secured medical devices. The implications can be devastating, with the potential for costly data breaches.
- An employee (either inadvertently or with malicious intent) installs malware on a connected medical device via a USB drive.
- The malware connects the infected device to an external command and control server.
- The perpetrator wipes out the data and overwrites a server’s Master Boot Record.
- From that server, the attack spreads to hundreds or thousands of devices, potentially disabling them.
McAfee helps medical device manufacturers thwart attacks and comply with strict regulatory mandates and requirements by providing an array of embedded security solutions, including application control with whitelisting, antivirus and anti-malware protection, device security management, advanced data protection, encryption, and simplified, streamlined device management. McAfee solutions can be customized to meet the design requirements for a manufacturer’s medical device.
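Application control with whitelisting, as referenced above, works on a default-deny principle: only executables whose identity (typically a cryptographic hash) appears on an approved list may run, so an unknown binary dropped from a USB drive is blocked without any signature for it existing. The following is an added illustration of that principle and is not McAfee's or Siemens' code; the file names, contents and the allowlist are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hash a file in chunks so large device images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Map the hash of each approved executable to its path.

    In a real deployment this list is built from the manufacturer's
    golden image and then locked; it is never extended at runtime.
    """
    return {sha256_of_file(p): p for p in approved_paths}


def execution_decision(path, allowlist):
    """Return ('ALLOW' | 'DENY', reason) for an attempt to run `path`.

    Anything not explicitly enumerated is denied (default-deny), which is
    what lets allowlisting stop previously unseen malware.
    """
    if not os.path.isfile(path):
        return "DENY", "file not found"
    digest = sha256_of_file(path)
    if digest in allowlist:
        return "ALLOW", "hash matches approved image %s" % allowlist[digest]
    return "DENY", "hash not in allowlist"


def demo():
    """Exercise three constructed cases; returns {case: decision}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Constructed stand-in for the device's approved application.
        approved = os.path.join(d, "analyzer_ui.bin")
        with open(approved, "wb") as f:
            f.write(b"approved device application v1.0")

        allowlist = build_allowlist([approved])

        # Constructed stand-in for an unknown executable copied from a USB drive.
        dropped = os.path.join(d, "update.exe")
        with open(dropped, "wb") as f:
            f.write(b"unknown payload")

        # Constructed stand-in for the approved binary after a one-byte tamper.
        tampered = os.path.join(d, "analyzer_ui_tampered.bin")
        with open(tampered, "wb") as f:
            f.write(b"approved device application v1.1")

        for name, path in (("approved", approved),
                           ("dropped", dropped),
                           ("tampered", tampered)):
            decision, reason = execution_decision(path, allowlist)
            results[name] = decision
            print("%-9s %-5s %s" % (name, decision, reason))
    return results


if __name__ == "__main__":
    demo()
```

The tampered case matters in practice: a hash-based allowlist rejects a modified copy of an approved program just as it rejects a wholly unknown one, whereas a name- or path-based list would not. The trade-off is operational, since every legitimate software update must be accompanied by an allowlist update through a controlled process.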
Siemens Healthineers—a global leader in medical imaging, laboratory diagnostics, and healthcare information technology—recognizes that system security is a critical concern among healthcare providers and customers. They employ trusted McAfee embedded security and solutions to ensure that security is designed into their devices at the outset. The Siemens Ultrasound System Security is an embedded antivirus solution powered by McAfee that offers a comprehensive defense against unwanted applications, blocking both known and unknown threats. In addition, their RapidLab1200 blood gas analyzer uses McAfee whitelisting to secure the device and prevent unauthorized applications from running on it. To learn more about how network security can be breached via a medical instrument and how Siemens works with McAfee to protect patient data on blood gas analyzers, view this informational video created by Siemens.
To learn about McAfee solutions for embedded medical systems and ensure that your devices have the best possible security, visit: https://www.mcafee.com/us/resources/data-sheets/ds-embedded-control-for-healthcare.pdf.