A survey released earlier this year found that medtech leaders were unprepared for a cyberattack. As the frequency of attacks on healthcare organizations continues to increase, recent commentary from GlobalData recommends that medtech companies get their software and technology up to speed to address and prevent vulnerabilities.
“Tech innovation is speeding ahead at a mighty pace, but healthcare technology is stuck in the 90s. Essential software used in devices such as anesthesia delivery systems and ventilators in some instances is being run on software first developed over two decades ago. The industry desperately needs a catch up,” stated Kamilla Kan, medical analyst at GlobalData. “Healthcare companies should not only monitor and test the safety of hardware and software of new medical devices, but keep updating and monitoring those that have been in service and on the medical market for some time.”
Now killware has been named one of the biggest threats in cybersecurity. MedTech Intelligence recently discussed this disturbing evolution in ransomware with Brian Wrozek, chief information security officer at Optiv Security, Inc. “The threat of killware is very real, but MedTech and healthcare organizations shouldn’t let it distract them from focusing on cybersecurity fundamentals and building strong cyber resilience strategies,” says Wrozek. “With a strong cybersecurity plan, organizations can defend against current and future threats, including killware.” Read on to learn how organizations in the medtech industry can navigate this troubling threat to not just companies, but more importantly, patient lives.
MedTech Intelligence: Killware has been named as one of the biggest threats in cybersecurity. What is the impact to the medical device community?
Brian Wrozek: Before we talk about killware’s impact on the medical device community, it’s important to understand what killware is and how it came to be. At a high level, killware is an evolution of ransomware. In the early days of ransomware attacks, threat actors encrypted organizations’ data and then forced them to pay a ransom to have it unencrypted. Over time, this evolved to threat actors demanding higher payments from victims to not only unencrypt data, but [also] to prevent them from publicly releasing their information. Today, we’re seeing phase three of ransomware, which is killware. Cybercriminals are raising the stakes by moving beyond financial consequences and threatening their victims with physical harm, including loss of life.
The medical device community should be particularly concerned about killware because embedded medical devices, such as insulin pumps and pacemakers, are increasingly becoming accessible wirelessly. If cybercriminals were to gain access to the networks or systems these devices are connected to, they could take control of them. This means medical equipment manufacturers could be increasingly targeted with killware, putting the individuals using these devices at risk.
For the medical device community, this means there is a heightened risk of bad publicity and reputation damage. Losing personally identifiable information (PII) has become an everyday occurrence, so it has lost its mass appeal as a headline. But, if someone dies because of a cyberattack, coverage will be rampant. And, an incident of this nature will drive away customers. It’s one thing to have your credit card number stolen, but quite another to have your life or a loved one’s life put at risk.
MTI: What are the current challenges for the MedTech and broader healthcare community as it relates to killware?
Wrozek: The biggest challenge is preventing bad actors from gaining access to medical devices—especially those that play a life-or-death role in patients’ lives. In addition to safeguarding the devices themselves, medical device and other healthcare institutions need to protect their networks because this, too, can result in patient harm and loss of life. In fact, there’s already been a case of the latter.
In 2019, a ransomware attack on Springhill Medical Center in Alabama left the organization without its computer system and medical equipment for eight days. During that time, a woman went into labor, and because staff didn’t have access to the equipment that monitors fetal heartbeats, they couldn’t tell the patient’s baby had the umbilical cord wrapped around her neck. The baby was diagnosed with severe brain damage and died nine months later. Healthcare and medical device manufacturers need to do everything in their power to prevent ransomware attacks, so this type of thing never happens again.
MTI: What steps should MedTech manufacturers take to address vulnerabilities and mitigate the risks?
Wrozek: The strategies and best practices required to mitigate the risk of killware aren’t all that different from defending against other types of threats. The most important thing is to recognize that you now have a target on your back with greater consequences if successfully attacked – and then take the opportunity to reassess your security strategies to make sure they are up to date and fill any security gaps. Here are a few best practices to consider in the process:
- Master security fundamentals – The most effective way to defend against cybercriminals still is to put security basics in place – things like multi-factor authentication, network segmentation, patching, systems updates, etc.
- Prioritize application security – Make sure security is built into medical device manufacturing processes from the start, rather than trying to add controls after the fact.
- Implement threat modeling – MedTech companies can become so focused on product features and getting the product to market that it can be easy to forget to take a step back and think about devices, systems and environments from an attacker’s point of view. This is important because it will help them identify areas of vulnerability and security gaps as well as the controls that may be needed to overcome these weak points.
- Develop and document an incident response (IR) plan – If the unthinkable occurs, you don’t want to be left scrambling to respond. MedTech organizations would be well-served to develop, document and practice their IR plans, so they know exactly what actions to take following an attack. This also will help them localize and minimize the damage. You don’t want to learn as you go; rather, you want a plan in place to help you respond and recover confidently and quickly.
MTI: What role do the regulatory authorities play in this area?
Wrozek: Just as government and law enforcement agencies often are called in to help negotiate ransoms, there is the potential of looming government involvement and regulations as it relates to killware. However, this is where things get tricky. If killware becomes too commonplace, the U.S. government will be forced to step in and issue regulations and niche frameworks that companies need to follow. This is both good and bad. It’s good because they are putting laws in place to protect medtech and healthcare organizations as well as consumers and patients. The downside is that regulations of this nature often can distract organizations from putting good security practices in place. They become so focused on complying with the new laws that they lose sight of their overall security posture.
The threat of government intervention, I believe, is what will keep killware at bay. Cybercriminals don’t want increased attention from government and law enforcement. They want to threaten organizations with killware, but at the end of the day, the majority want them to pay the ransom—not take lives.