Medical Design and Outsourcing


Gaps In The Gate: How Medical Devices Make Hospitals Vulnerable To Cyberattacks

August 9, 2017 By Daniel Seeger

Personnel at hospitals and other healthcare facilities already know they need to be extremely vigilant about a wide range of safety considerations. With mounting frequency, cybersecurity is asserting itself as an especially critical area that needs attention. Unfortunately, cybersecurity is also one of the facets of healthcare facility operations that is often overlooked.

Part of the challenge is that hackers have realized there are more avenues into a healthcare organization’s system than is the case with other businesses. There is a whole slew of medical devices that could provide an access point.

“There are a variety of reasons cybercriminals may target medical devices,” says Craig Young, computer security researcher on the Vulnerability and Exposures Research Team (VERT) at software security company Tripwire. “Embedded devices like the ones used in the medical field are notorious for falling behind on operating system patches. These devices often require the manufacturer to test and package patches before they can go out to customers.”

Potentially vulnerable equipment is practically everywhere in healthcare facilities, often in numbers that exceed what any one team member might guess.

Many of the systems that have some level of computerized control have a PC component in the room with them, which means they are running an operating system, just like a laptop. If there are around a dozen connected medical devices with every bed in a hospital and thousands of beds in the largest hospital chains, the sheer scope of the danger is staggering.

“That’s a huge landscape for a security team, which is typically quite small, to try and solve,” says Terry Ray, CTO of data security company Imperva.

A map compiled by British company Malware Tech displays the geographical distribution of the WannaCry ransomware cyber-attack as seen on a computer screen in Portland Ore., on May 12, 2017. The attack hit vulnerable computer systems in as many as 74 countries around the world demanding cryptocurrency payments to unlock encrypted files. (Image credit: Associated Press/photo by Alex Milan Tracy)

Ray adds that the healthcare field is uniquely overburdened by risk mitigation concerns. Other organizations might be anxious about losing proprietary information, but they’re not necessarily sweating HIPAA laws. Thus far, Ray says he hasn’t seen data thieves threatening to release stolen medical records, but, in a sense, it doesn’t matter all that much whether the pilfered material gets out. Any breach of a system does damage.

“Technically, if a hospital has proof of them losing records, whether or not those records are released to the public, they still have to notify that those records were lost,” notes Ray.

Of course, there’s a potential outcome that’s even more dire.

“If medical systems go offline, patients can die,” says Young. “This presents a predicament for security professionals looking to lock down medical environments without impacting uptime for critical systems.”

And the malicious mischief hackers might engage in isn’t limited to shutting down critical equipment.

“A subtle attacker could simply corrupt elements of medical records to change things like drug allergies, blood type, and medical history,” Young cautions. “This would not be immediately obvious to the provider and could result in wasted time, confusion, and even loss of life.”

Cybercriminals’ awareness of the leverage they gain by wresting control of systems contributes to a shift in their methodology, or at least their endgame. When outside attacks on computer networks initially became a threat, the interlopers seemed to have little more than digital destruction in mind. They’d craft computer viruses that would indiscriminately wipe out data. Now, the bad guys are more often looking for an illicit payday.

Ray notes that the recent WannaCry ransomware attack — which crippled many healthcare facilities in the U.K. and elsewhere — illustrates exactly how cybercriminals are shifting the terrain. The ransomware infiltrated and spread in a manner similar to an old-school computer virus, but it didn’t wipe out the data. It simply held it hostage, with the promise it would be released following a hefty payment in bitcoin, the anonymous and untraceable online currency.

“They didn’t ask for any extortion back in the day,” says Ray. “That’s the real difference between today and back then.”

There is plenty to fret about, but it’s more important to move towards solutions that keep medical data safe. Ray and Young agree that the first step entails conducting a thorough audit of equipment that could fall prey to cyber-attack.

“Asset inventory is a fundamental first step toward locking down a healthcare facility network,” says Young. “This means tracking the software running on desktops and servers as well as embedded devices. Providers should be aware of what OS is installed and have plans in place for identifying and deploying updates.”

It’s especially important to scrutinize the more incidental devices that are easily forgotten. Even if these pieces of equipment are connected to the internet, sometimes through a separate but associated device, they’re so small or so limited in their software that it’s difficult to install cybersecurity components on them.

“This is a problem that has not truly yet been addressed,” says Ray. “And it’s going to be a big problem as we continue to move forward because these devices are widely open.”

From there, the next step is determining which devices the end user is responsible for updating and which have no clear pathway for keeping their security tools in proper working order to repel ever-adapting threats. The latter are especially important to identify, since additional research and outreach to manufacturers will need to take place before the space is secure.
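One way to carry out the inventory and triage steps described above, as an added example that is not part of the original article: it records the OS for each asset, separates devices the facility can patch from those that need manufacturer outreach, and ranks vendors by how many of their devices have a path to the internet. The CSV columns (`patch_owner`, `internet_path`) and every asset and vendor name are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory: every name, vendor and value here is invented.
# patch_owner: "facility" = staff can deploy updates themselves;
#              "manufacturer" = vendor must test and package the patch;
#              "unknown" = no update pathway has been identified yet.
# internet_path: "direct", "gateway" (via an associated device) or "none".
INVENTORY_CSV = """\
asset,kind,vendor,os,patch_owner,internet_path
ws-nurse-04,desktop,VendorC,Windows 10,facility,direct
pacs-srv-01,server,VendorC,Windows Server 2012,facility,none
pump-3f-12,embedded,VendorA,Windows XP Embedded,manufacturer,gateway
monitor-icu-7,embedded,VendorB,,unknown,gateway
glucometer-22,embedded,VendorA,vendor RTOS,unknown,none
bedscale-09,embedded,VendorB,,unknown,direct
"""

def load_inventory(text):
    """Parse the CSV into a list of dicts with whitespace stripped."""
    rows = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in rows]

def triage(assets):
    """Sort assets into the buckets the two steps call for."""
    facility, os_unknown = [], []
    outreach = defaultdict(list)
    for a in assets:
        if not a["os"]:
            os_unknown.append(a["asset"])      # inventory gap: OS not recorded
        if a["patch_owner"] == "facility":
            facility.append(a["asset"])        # staff own the update plan
        else:
            outreach[a["vendor"]].append(a)    # needs manufacturer contact
    return facility, os_unknown, dict(outreach)

def outreach_queue(outreach):
    """Order vendors by how many of their devices have a path to the internet."""
    def exposed(devs):
        return sum(d["internet_path"] != "none" for d in devs)
    ranked = sorted(outreach.items(), key=lambda kv: (-exposed(kv[1]), kv[0]))
    return [(v, exposed(devs), [d["asset"] for d in devs]) for v, devs in ranked]

if __name__ == "__main__":
    facility, os_unknown, outreach = triage(load_inventory(INVENTORY_CSV))
    print("Facility-patched:", facility)
    print("OS not recorded:", os_unknown)
    for vendor, n_exposed, names in outreach_queue(outreach):
        print(f"Contact {vendor}: {names} ({n_exposed} internet-reachable)")
```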

The healthcare community is beginning to develop a smart, strategic response to the risks, but Ray says the FDA needs to push manufacturers to take on some of the burden, too.

“The hospitals get it, but the hospitals are like every other organization and industry out there — they’re constrained on costs,” Ray notes. “The cybersecurity team is always a cost center, not a revenue center. So they’re typically a small team of people in hospitals, and they can only do so much. The manufacturers, I think, are going to have to step up and start to show how they’re providing the cybersecurity on their devices, and how do they maintain that over three, four, five years through the life of that product.”
