The US Department of Veterans Affairs has tracked 173 medical devices that have been infected with malware since January 2009.[9]
TrapX Security, in July 2016, reported client attacks that
- Hospital laboratory blood gas analyzer
- Hospital radiology, the picture archive, and commu-
- Hospital X-ray system and archive.
Bayer’s Medrad device has been discovered to include
Risks have been reported across Siemens Healthineers Technologies’ full portfolio of products.
Becton Dickinson has 45 different devices and systems in its portfolio that have a variety of built-in vulnerabilities.
The types of devices that have fallen under attack include:
- Diagnostic equipment (PET scanners, CT scanners, MRI
- Therapeutic equipment (infusion pumps, medical lasers, and LASIK surgical machines).
- Life support equipment (heart and lung machines, medical ventilators, extracorporeal membrane oxygenation machines, and dialysis machines).
Hackers are infecting a wide array of medical devices with malware and using them as pivot points to launch cyberattacks on healthcare IT systems. Typically, organized crime is behind the weaponization of these medical devices, which are considered to be “soft targets” due to the widespread lack of cyberprotective measures.
These are but a few examples of a growing threat to healthcare practices, hitting both large and small entities. The reality is that healthcare has more data breaches than any other industry (including finance, manufacturing, government, transportation, [14] Criminal attacks are the leading cause of data breaches in healthcare, with consistently high rates of frequency, volume, impact, and cost.[15] The attacks can emanate from anywhere, foreign or domestic.
While technically feasible, there has yet to be an attack on a wearable device that caused direct harm to a patient. Attacks on IT infrastructure as well as ransomware attacks are more likely to be successful.
Ransomware on the Rise
Ransomware is a type of malicious software that attempts to deny access to a user’s own data by encrypting the data and withholding the decryption key until the ransom is paid. During an attack, victims will typically encounter a screen giving them directions for paying a ransom to retrieve their data, often in a cryptocurrency such as Bitcoin, which is not trackable.
Ransomware is uncomfortably common in healthcare settings. In a HIMSS Analytics study last year, more than half of the hospitals surveyed were hit with ransomware in the previous 12 months. Even more disturbing was that 25 percent of respondents were unsure if they had been affected or did not even have the ability to find out.
Another study found 70 percent of organizations said they had been victims of a cyberattack,[17] and only 22 percent had prepared a plan for dealing with cyberattacks.[18] Further, it should be noted that a ransomware attack may go undetected for a period and may include the injection of other malicious software, such as a keystroke logger. This is why the US Department of Health and Human Services (HHS) claims the most prevalent type of cyberattack, a ransomware attack, is considered a breach under HIPAA regulations. Ransomware attacks may also trigger action under federal and state breach
Three regulatory agencies are responsible for regulating devices that are vulnerable to these attacks, including the FDA, the Securities and Exchange Commission (SEC), and HHS’ Office for Civil Rights (OCR).
The FDA regulates cybersecurity and privacy requirements of applicable medical devices, and recommends manufacturers implement the National Institute of Standards and Technology’s (NIST’s) “Framework for Improving Critical Infrastructure Cybersecurity.” Its core functions are: identify, protect, detect, respond, recover.
The Federal Trade Commission (FTC) can hold organizations responsible for their privacy and (cyber)security practices under Section 5 of its regulations, regulating “unfair and
HHS and OCR regulate cybersecurity under the HIPAA regu-
- Transmission Security (45 CFR 164.312(e)(1)): This safeguard requires entities to implement technical security measures to guard against unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network.
- Integrity Controls (45 CFR 164.312(e)(2)(i)): Require covered entities and business associates to implement security measures, when reasonable and appropriate, that ensure electronically transmitted ePHI is not being improperly modified without detection.
- Encryption (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)): The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of ePHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure.
HIPAA compliance can go a long way in helping fight against ransomware and other threats to PHI. Some HIPAA require-