ISA/IEC 62443
Medical

Connected medical devices pose significant cybersecurity risk for hospitals

February 17, 2021
Connected medical devices pose a far greater cybersecurity risk in hospital networks

Unlike business systems, hospital networks have been designed to facilitate ease of access from different networks, posing a far greater cybersecurity risk, according to the International Electrotechnical Commission (IEC). The COVID-19 pandemic has led to the rise of connected medical devices across hospitals networks, which has accelerated the convergence of the once separate domains of IT and operational technology (OT).

In an IT environment, a cybersecurity strategy aims to protect the confidentiality, integrity and availability (CIA) of information systems, IEC said in a post on Monday. For IT-led organizations, one of the initial lines of defense is shutting the entire system down. However, hospitals using life-saving medical devices must be able to run permanently to ensure patient safety. In addition, medical devices need to be able to communicate freely throughout the hospital.

The convergence of IT and OT technologies in hospitals through connected medical devices focuses on protecting the safety, integrity, availability and confidentiality (SIAC) of a range of traffic, from life-critical patient data requiring immediate delivery and response, to general administrative data. Hospitals and other critical systems place greater emphasis on availability, IEC said.

IEC International Standards, such as ISO/IEC 27001, IEC 80001 and IEC 62443, help in testing and certification for a holistic cybersecurity program that includes people, processes and technology. Such an approach increases confidence among stakeholders by demonstrating use of security measures based on best practices, besides implementation of the measures by organizations efficiently and effectively.

IEC 80001 standard addresses how medical devices can be connected to IT networks to achieve interoperability without compromising the organization and delivery of health care. It deals with the safety, effectiveness and security in the implementation and use of connected medical devices or connected health software.

The newly updated cyber security standard IEC 80001-1 defines roles, responsibilities and activities necessary for the risk management of IT networks incorporating medical devices, while dealing with safety, effectiveness, and data and system security.

The scope of the standard is in the context of healthcare organizations, manufacturers of medical devices and providers of other information technology. It specifies general requirements for organizations in the application of risk management before, during and after the connection of a health IT system within a health IT infrastructure, by addressing properties of safety, effectiveness and security, whilst engaging appropriate stakeholders.

The ability to compromise devices and networks and the possibility of monetizing patient data have led to an increase in the number and sophistication of cyberattacks targeting healthcare delivery organizations in recent years, according to data released by Forescout Research Labs in its 2020 research report.

Based on its research, Forescout recommended that healthcare delivery organizations (HDOs) made up of hospitals and clinics must adopt best practices to reduce security and operational risk in healthcare networks, Forescout Research said. Its analysis reveals that while HDOs have taken some meaningful steps to better secure their connected devices and networks, there are still several cybersecurity gaps and risks that need to be addressed.

HDOs will have to contend with medical devices running legacy operating systems for the foreseeable future. Hence, it is imperative to identify and mitigate this risk, it added. HDOs are complex organizations where a range of IT, Internet of medical things (IoMT), OT, and Internet of Things (IoT) devices are increasingly interconnected.

Heavy industrials face unique cybersecurity challenges, given their distributed, decentralized governance structures and large OT environment, which  does not lend itself readily to traditional cybersecurity controls, McKinsey said in its 2019 report on ‘Critical infrastructure companies and the global cybersecurity threat‘.

Furthermore, “many heavy industrials have invested in becoming cyber mature, as have other at-risk industries, such as financial services and healthcare. The investment gap has left most heavy industrials insufficiently prepared for the mounting threats,” the analyst firm added.

“From the early days of COVID-19 to the current rollout of the vaccine, we’ve seen healthcare professionals form the backbone of the global response to this pandemic, and crucially, hold up a standard of excellence no matter what challenges they’ve faced– whether that’s increasing cyberattacks, limited resources, or a rapid shift to remote care,” wrote Jonathan Langer, CEO and co-founder of Medigate in a blog post earlier this year.

Earlier this month, the ISA Global Cybersecurity Alliance (ISAGCA) recommended the inclusion of the ISA/IEC 62443 series of cybersecurity standards in global policies that intend to improve critical infrastructure cybersecurity this year, and publish a fully detailed, auditable cross-referencing guide that maps the ISA/IEC 62443 standards to other cybersecurity standards across multiple industries.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

HHS warns of social engineering attacks targeting IT help desks across health sector
HHS warns of social engineering attacks targeting IT help desks across health sector
The Takepoint Research report indicates a significant shift towards adopting the Zero Trust model in OT, with 72% of professionals integrating it to boost security and efficiency. It highlights secure remote access as a key application, aligning with goals to reduce risk and enhance operations. Moreover, it points out the need for collaborative efforts across organizational roles to implement Zero Trust effectively, aiming to improve productivity and security.
Xage-Takepoint Research report reveals growing adoption of zero trust security in industrial enterprises
New legislation mandates minimum cybersecurity standards to safeguard healthcare providers in case of future hacks
New legislation mandates minimum cybersecurity standards to safeguard healthcare providers in case of future hacks
US, Australian healthcare agencies sign MoU to collaborate during cyber threats for Australian organizations
US, Australian healthcare agencies sign MoU to collaborate during cyber threats for Australian organizations
Growing need to address cybersecurity challenges across US healthcare sector for improved resilience
Growing need to address cybersecurity challenges across US healthcare sector for improved resilience
HHS responds to Change Healthcare cyberattack, prioritizes minimizing healthcare service disruptions
HHS responds to Change Healthcare cyberattack, prioritizes minimizing healthcare service disruptions
US agencies update advisory on ALPHV Blackcat ransomware targeting healthcare sector
US agencies update advisory on ALPHV Blackcat ransomware targeting healthcare sector
US Senate introduces legislation to enhance healthcare cybersecurity within the HHS amidst recent breaches
US Senate introduces legislation to enhance healthcare cybersecurity within the HHS amidst recent breaches
Cyber attacks continue to hit critical infrastructure, exposing vulnerabilities in oil, water, healthcare sectors
Cyber attacks continue to hit critical infrastructure, exposing vulnerabilities in oil, water, healthcare sectors
US HC3 warns of aggressive targeting by Akira ransomware, possible connections to Conti hacker group
US HC3 warns of aggressive targeting by Akira ransomware, possible connections to Conti hacker group