A new risk in connected medical devices has arisen in a recent report concerning cyber attacks on two hospitals. That risk is that cyber weaknesses in the devices may provide gateways for malware to enter the networks of the hospitals in which those devices are used. There is an added risk that those networks, in turn, may become part of “botnets,” and pose even greater peril to other health systems whose information grids are connected to those hospitals. These hospitals, then, may face exposures under HIPAA if patient information is disclosed through a breach, as well as lawsuits brought under the Computer Fraud and Abuse Act if their systems allow malware to enter the information networks of other hospitals.
A report by the consulting firm TrapX (discussed here) analyzes attacks on two hospitals, in which systems such as blood gas analyzers and imaging archive and viewing systems (PACS, Picture Archive and Communications System) were infiltrated by “Trojan” malware that, in turn, functioned as “backdoors” to move laterally within the hospital network.
The report poses a new paradigm in medical device threats, which were previously thought to consist mostly of sabotage of the devices themselves, leading to malfunction and potential injury to patients. These infiltrations are difficult to detect because the devices function within “closed systems,” so the malware cannot generally be found by scans of the hospital networks.
How should Information Security personnel and Risk Managers respond to this new threat? These attacks were believed to have originated when a user visited a malicious website. Training on how to recognize malware “phishing” attachments could certainly assist in prevention. These steps and more, though, should be the subject of a full cybersecurity assessment and training on an annual basis, or whenever the hospitals’ systems are upgraded.
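One practical consequence of the “closed systems” point above is that, when a device cannot be scanned directly, the traffic it originates can still be watched. The following is an added example, not code from the TrapX report or from the author of this post: a small Python script that parses constructed flow-log lines and flags any monitored device (a blood gas analyzer, a PACS viewer) reaching a host outside its expected peer set, which is the lateral-movement pattern the report describes. All addresses, ports, log lines and the key=value log format are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed allowlist: each monitored device and the only peers it should reach.
EXPECTED_PEERS = {
    "10.20.1.15": {"10.20.5.10"},                 # blood gas analyzer -> lab system
    "10.20.2.40": {"10.20.6.20", "10.20.6.21"},   # PACS viewer -> archive servers
}

# Constructed flow-log lines in a simple key=value form (not a real product format).
SAMPLE_LOG = """\
ts=2024-01-01T08:00:01Z src=10.20.1.15 dst=10.20.5.10 dport=9100 proto=tcp
ts=2024-01-01T08:00:05Z src=10.20.1.15 dst=10.20.7.33 dport=445 proto=tcp
ts=2024-01-01T08:00:09Z src=10.20.2.40 dst=10.20.6.20 dport=104 proto=tcp
ts=2024-01-01T08:00:12Z src=10.20.2.40 dst=10.20.7.34 dport=3389 proto=tcp
ts=2024-01-01T08:00:15Z src=10.20.2.40 dst=10.20.7.35 dport=445 proto=tcp
ts=2024-01-01T08:00:20Z src=10.20.9.9 dst=10.20.7.36 dport=80 proto=tcp
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)")

def parse_flows(text):
    """Yield (src, dst, dport, proto) for each parseable log line; skip the rest."""
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"]), m["proto"]

def find_unexpected_flows(flows, expected=EXPECTED_PEERS):
    """Return flows where a monitored device reaches a host outside its allowlist."""
    return [f for f in flows if f[0] in expected and f[1] not in expected[f[0]]]

def targets_per_device(unexpected):
    """Count distinct unexpected destinations per device (fan-out = lateral movement)."""
    seen = defaultdict(set)
    for src, dst, _port, _proto in unexpected:
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}

def analyze(text, expected=EXPECTED_PEERS):
    """Parse a log, flag unexpected flows, and summarize them per device."""
    unexpected = find_unexpected_flows(parse_flows(text), expected)
    return unexpected, targets_per_device(unexpected)

if __name__ == "__main__":
    flagged, summary = analyze(SAMPLE_LOG)
    for src, dst, port, proto in flagged:
        print(f"ALERT {src} -> {dst}:{port}/{proto} is outside the device's allowlist")
    print("distinct unexpected targets per device:", summary)
```

Sources that are not on the monitored-device list are ignored, so the check only fires for the segment whose devices cannot be scanned in place.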
The risks can also be shifted, to some extent, to medical device manufacturers, who can be asked to make certain security representations for their devices and systems, backed by appropriate indemnity language, in purchase and maintenance contracts, and to cyber risk insurance that covers malware intrusions stemming from medical devices.
If you have questions as to cyber risk assessments, compliance requirements or training, please contact Kenneth N. Rashbaum.