23 Jun 2020

Cyberattacks: Don’t Overlook Medical Devices

By Christophe Dore

Healthcare is digitalizing more information and connecting more information systems than ever before, with the expectation that synergies between these technologies will add value to enhance patient care and operational efficiency. Unfortunately, arising out of this hyper-connectivity is an increased porosity inside of the integrated infrastructure. Given that hackers typically use a compromised system to penetrate other systems on the same network, like a virus becoming ‘more contagious’ when people connect, this hyper-connectivity increases the likelihood of systems and medical devices being exploited.

If history is any indicator, cyberattacks are likely to increase. According to a report this year, ransomware attacks on healthcare facilities increased 35% between 2016 and 2019, with hospitals and health systems as the main targets in more than half of incidents.

A healthcare organization’s electronic health record (EHR) system is a typical target in such attacks, but any networked medical device can also potentially be compromised and controlled by the hacker. If a cyberattack on a networked medical device seems far-fetched, consider that 82% of 232 security decision-makers in healthcare organizations have experienced an Internet of Things-focused attack in the past year. Of the organizations affected, 30% report experiencing compromised end-user safety while 43% of these cybersecurity events caused operational downtime, which also risks patient safety if care comes to a standstill.

Healthcare organizations are not powerless to stop cyberattacks. Rather, they can and should take proactive steps to protect their clinical systems and integrated medical devices. The good news is that they do not need to create everything from scratch, because many effective methods to identify security risks and optimize risk mitigations to protect against cyberattacks already exist. Following best security practices laid out by others, healthcare organizations can leverage the latest integrated medical device technologies with good control over cyber risks.

Where Cyberattacks Originate

It is important to recognize that many legacy standalone systems and devices were developed before today’s most common cybersecurity safeguards were given any consideration, and were deployed without proper protections. Most provider organizations understand the risk that these unsecured technologies pose, but fewer have airtight plans in place to identify and mitigate this potential peril. In fact, a recent survey of C-level healthcare executives found one-third consider medical device security one of the top five risks facing healthcare, but most reported they lack an effective strategy to assess vulnerabilities and more than a quarter said they have no process at all.

Many medical devices are essentially ‘closed boxes’ that give hospitals and health systems little, if any, control over security, yet they need to be deployed on their networks. When networking and integrating medical devices with clinical systems, hospitals must seek integration solutions and deployment architecture designed with security in mind.

How Medical Device Integration Helps Protect Hospitals

Using a medical device integration solution that brings security to the connected devices (for instance, by isolating them from the network with edge computing) can make securing such integration easier, safer, and more cost-effective. With an edge computing strategy, the data exchange between the medical device and the medical device integration solution, which is the first step in Personal Health Information acquisition, happens locally at the bedside. The particulars of the medical device, such as its proprietary protocol and its vulnerabilities (known or unknown), are only exposed locally and are invisible from the hospital networks. As a consequence, the integration is more secure and easier to keep secure. And, if the integration solution encrypts the medical device data in transit, then there’s one less concern to worry about.

Capsule’s Medical Device Integration solution and Neuron 3 clinical computing hub provide dependable and secure connectivity through authentication and encrypted data exchange.


Christophe Dore is the Cybersecurity Manager at Capsule Technologies, overseeing all aspects of Capsule’s cybersecurity strategy. He has been addressing the needs of organizations in several industries in understanding and positioning themselves against cybersecurity challenges since 1995, when he supported the development and deployment of the first web applications in the then-nascent Internet as an expert for NeXT Software, a company led by Steve Jobs.
