Hackers are now looking to monetize their efforts, moving beyond ransomware gambits to efforts that seek to manipulate medical devices.
Under these new approaches, some hackers no longer are just interested in getting quick money by encrypting healthcare provider data and demanding a ransom. Instead, they also want the organization’s data, and that includes selling the information in medical devices, such as a dispensing cabinet, says Vidya Murthy, vice president of operation at MedCrypt, a medical device security company.
Most dispensing cabinets and other devices do not have robust security features built in, and that’s why it is important for nurses to not enter a password to get in a cabinet, but to have a secure authenticated badge or thumb scan to access medications and other items, Murthy explains.
“Legacy devices under vendor support are likely to be more secure because of vendor patching and upgrading of devices,” she adds. “Those organizations running old Windows versions no longer supported by Microsoft—that’s the population of devices that cripple hospitals.”
Providers also often miss signs that something is amiss with a device. An infusion pump may be acting funny and be taken off the floor, but the IT professionals are working quickly to make a fix on the device and get it back on the floor, so they aren’t considering if the device may be compromised.
A recent study at Vanderbilt University could bolster efforts to improve device security, Murthy notes. The study suggested that 20 percent of patients have an adverse event—some degree of a negative outcome from being in a hospital that’s preoccupied with a breach and possibly reducing the hospital’s standard of care.