Driving the Future of IoT Innovation in London

Key Takeaways

  • Connected medical devices are increasingly vulnerable to cyber threats, particularly those using outdated operating systems.
  • Real-world examples highlight the serious risks of cyberattacks, including the disruptive WannaCry ransomware incident.
  • Healthcare organizations must implement robust cybersecurity measures to protect patient data and ensure operational continuity.

Cybersecurity Threats in Connected Medical Devices

Patrick Maw, a specialist in medical device cybersecurity at University College London Hospitals NHS Foundation Trust, recently shared insights into the cybersecurity challenges faced by connected medical devices during a talk at the IoT Tech Expo Global.

Maw emphasized that the medical equipment now connected to healthcare networks ranges from infusion pumps and CT scanners to mobile applications used in medical settings. He remarked, “Software is a medical device in its own right,” underscoring the importance of software security in those settings.

While the incorporation of connected devices enhances the quality of electronic health records and patient care, it simultaneously introduces significant vulnerabilities. Many medical devices operate on outdated operating systems, such as Windows 7, which no longer receive important security updates. In addition, some devices cannot accommodate antivirus software or security patches due to concerns over functionality and regulatory compliance, making them prime targets for cyberattacks.

Maw referenced the notorious 2017 WannaCry ransomware attack, which greatly affected NHS trusts and served as a wake-up call regarding the vulnerabilities of connected medical technologies. He noted that more than 140 hacking groups are currently capable of launching similar attacks against healthcare systems. “We were getting patches for the Windows-based medical devices six months after WannaCry hit,” Maw lamented, expressing hope that manufacturers will respond more rapidly in the future.

Maw identified several common attack vectors used by cybercriminals, including phishing emails, malware infections, and vulnerabilities in third-party software vendors that could disrupt supply chains. To balance connectivity and security, he recommended that healthcare organizations implement measures like firewalls, network intrusion systems, and network segmentation. He also advised isolating legacy systems that are too outdated to be effectively secured.

On the topic of regulatory compliance, Maw provided an overview of the Medical Device Directives established in 1993 and their subsequent updates in 2017. He explained that medical devices are classified into categories based on risk, which influences their regulation and oversight. “The key thing to remember is all these are regulated medical devices and you cannot change them without having to be recertified,” Maw clarified.

Maw also explained why medical devices are networked in the first place: the motivation lies in improving patient records and moving to efficient electronic systems that reduce the chance of errors compared to manual records. UCLH’s implementation of EpicCare illustrates this move towards unified systems and the push for more accurate and accessible patient histories.

Maw concluded by underscoring that reverting to paper records is not a viable option for healthcare. As institutions embrace increased connectivity, they must also make ongoing investments in cybersecurity to safeguard medical systems and patient health data.

The content above is a summary. For more details, see the source article.
