Cybersecurity: Is medtech ‘lackadaisical’ about it?

The medical device industry needs to shake itself out of its stupor when it comes to cybersecurity, according to James Scott, senior fellow at the Institute for Critical Infrastructure Technology and author of the new paper, How to Crush the Health Sector’s Ransomware Pandemic.

Companies in the medtech sector and the overall healthcare space face nothing short of cyberwar with “combat nation states, cyber mercenaries, cyber caliphate, and other actors,” Scott said.

Without intervention, he said, “The health sector will continue to be pummeled by any and every script kiddie and sophisticated cybercriminal dedicated to stealing electronic health records and personally identifying information for infinite variation of use and optimal capitalization on dark web forums.”

The industry’s lack of action has left EHRs vulnerable to both sophisticated and unsophisticated attacks, the result of which is that patients are desensitized to breach notifications, and many healthcare organizations have negligently stopped disclosing breaches. Said Scott:

“Few critical infrastructures need to expedite their cyber resiliency as desperately as the health sector, who repeatedly demonstrates lackadaisical cyber hygiene, finagled and Frankensteined networks, virtually unanimous absence of security operations teams and good ol’ boys club bureaucratic board members flexing little more than smoke and mirror, cybersecurity theatrics as their organizational defense.”

And medical devices are part of the problem. Scott noted that pacemakers, insulin pumps, defibrillators and other medical equipment are extraordinarily vulnerable to cyberattacks. Further, embedded devices, medical equipment and mission critical systems have been shown to have lax security and are vulnerable to hackers.

But there is some hope, Scott said, for even the most apathetic organizations: machine learning based artificial intelligence. It is an algorithmic defense that allows groups to predict, detect and respond to threats, thus thwarting the majority of ransomware attacks. Using machine learning throughout the layers of an IoT microcosm can improve healthcare cybersecurity. Such a system recognizes, learns and adapts to hacker behavior with automated network defenses.

Machine learning (ML) applies to cybersecurity in two ways:

1. ML links seemingly unrelated activities together. For example, a hacker might use multiple accounts to access different types of sensitive personal health info (PHI). Each account might have valid access rights to some of the data, so rules-based security solutions won’t see anything wrong. ML can track IP address and other identifying information to link the parts into a single unified session that is then positively attributed to a person.
2. Second, ML assesses the behaviors of those coherent identities to determine if risky behavior is underway. It calculates a risk score based on the similarity to normal behavior observed for the user performing the specific events. Once the risk score has been determined in real-time, the system can use it during a login event to either grant the access, initiate a more in-depth log-in (aka, a multifactor event authentication), or block the access.

Currently, healthcare organizations use AI for big data analytics, clinical applications and benevolent network defense. But machine learning and artificial intelligence solutions are the only sophisticated defense against ransomware and tailored malware attacks. For once, information security professionals have a major advantage over cyber-adversaries in their ability to adopt and utilize artificial intelligence and machine learning solutions.

However, that advantage will not last. Adversaries are already attempting to reverse engineer and research AI solutions. Adversaries have an economic incentive to weaponize any and every emerging technology against healthcare and other organizations that are inadequately securing valuable information.

Cybersecurity is a perpetual arms war of escalation. New defensive technologies, such as the emergence of artificial intelligence capabilities, garner response in adversarial innovation.

Industry needs to responsibly protect its patients and their data by adopting algorithmic defense solutions. Each and every payer, provider and insurer that chooses artificial intelligence and machine learning defense-grade solutions, contributes to repairing the cybersecurity of the health sector; in doing so, they also rebuild the trust between patients and healthcare organizations.

[Want to stay more on top of MDO content? Subscribe to our weekly e-newsletter.]

Theranos whistleblower Tyler Shultz to participate in keynote interview at DeviceTalks Boston At DeviceTalks Boston, Tyler Shultz will give attendees an inside look at Theranos and how he was able to sound the alarm after he realized the company was falling apart. Shultz will take attendees behind the story that everyone is talking about: the rise and fall of Elizabeth Holmes and her diagnostic company, Theranos. Join Shultz and 1,000+ medical device professionals at the 8th annual DeviceTalks Boston. REGISTER NOW