Can Hospital Based Medical Devices Protect Personal Data?Optio Labs
Over the last few years, medical device technology has advanced significantly. Patients now have access to medical data and other personal information more quickly and conveniently than ever before. Likewise, doctors and practitioners are able to process patient data more efficiently. However, all this new technology has left our personal information exposed in a multitude of places that aren’t necessarily controlled or tracked. Medical device cyber security should be a priority in the healthcare industry where private data may be exposed in medical devices.
There are a lot of hackers out there who make it their business to steal our information, and some medical devices today might very well be hackable, thereby giving intruders access to patient records. The main issue at hand is this: The developers of today’s medical devices are first and foremost healthcare device experts, not necessarily security experts.
Medical device cyber security is a complex field that requires continuous adaptation to keep systems safe. A regular software engineer building an embedded medical device might think that it is ok to choose a well-known open source security software package, but he can still, and likely will, leave a number of vulnerabilities in his product because of what he doesn’t know about how to secure it.
It is imperative that designers consider all the components in their design including the hardware, the operating system, and the user interface and understand the potential vulnerabilities in each individual component. These considerations might include: How will the software be updated? How do you know it’s a valid update? How will it recognize another trusted system where it can send patient data securely? Who decides what other devices and systems to trust? If the settings can be changed, how do you know what changes are permitted? If a bug in the underlying operating system needs to be patched, will you patch it and if so how?
OEMs should develop significant in-house security expertise with the understanding that it is an evolving field, or get expert advice before building any networked device (particularly wireless devices) that communicate patient data.
While designing more secure medical devices should be a priority, the healthcare industry must not lose sight of the fact that their other systems are just as vulnerable. An attacker is more likely to go after the easiest targets with the least amount of work required if they want to steal patient records. This means they are likely to go after the biggest repository using the most common technology – the hospital networks, databases, and standard computers that access them. If a hacker can get into a file system or database, they can take all the records.
Hospitals need to reassess all their threats vectors and apply appropriate network security, data encryption, and user authentication methods to ensure they are properly defended against the likely attacks they will face this year.