RSNA 2023: Hospital imaging systems may be gateways for ransomware, expert warns
Cybersecurity expert Richard Staynings of the University of Denver is concerned about the evolution of medical devices and the security threat they pose to healthcare practices. And despite new U.S. Food & Drug Administration policy mandating security updates, he thinks serious vulnerabilities looming in legacy devices will cause breaches for “decades” to come.
“The technological innovations that we’re seeing in medical devices today are revolutionary. They’re allowing us to increase efficiency—whether you’re in medical imaging or whether you’re in some other form of medicine—and they’re also helping to drive patient outcomes,” he said in a presentation titled “Detecting Compromise and Attacks Against Medical Devices,” held Nov. 29 at the annual Radiological Society of North America (RSNA) conference in Chicago.
“But, these advances introduce new risks to patients from a patient clinical safety perspective and new risks to the integrity … of the medical network,” he noted, adding that “until recently, medical devices were simple” and not considered to be a major target of cyberattacks.
However, Staynings pointed out that this is changing rapidly as PHI has proven to be valuable to hackers, with medical devices providing doorways into hospital networks. Worse yet, breaking into them is easier than ever, Staynings said, citing how modern medical devices from CT scanners to handheld tablets are “highly connected” and “really driving interoperability,” meaning they play a central role in the exchange of information between providers and healthcare organizations.
Citing the example of a pain clinic he recently visited whose medical devices were 30 years old and “written in an old programming language from the 1980s,” Staynings said this clinic is actually secure because the devices are simply too old to hack. However, this exception to the rule signals a larger problem: many older devices are aging, and the solution isn’t easy when patching may not even be possible.
“Most providers don’t realize medical devices should be risk-assessed every year as part of their HIPAA compliance, if they’re a covered entity or business associate,” he added, noting that medical devices are “inherently insecure,” manufactured with very simple components and software.
Staynings discussed the Patch Act of 2022 that extends FDA security and compliance rules to a range of medical devices, making them ineligible for clearance without meeting certain safety metrics. He said the assurance of patches will benefit healthcare organizations adopting new technology. However, the act excludes anything made before Oct. 1.
“[The Patch Act] doesn’t impact the thousands, or hundreds of thousands, of medical devices you may have on your network today that were approved last year—or were approved in September of this year,” Staynings warned, citing the inadequacy of the legislation to properly protect providers from security vulnerabilities.
While he believes new regulations can help to bring legacy devices up to standard, Staynings said the responsibility ultimately falls on healthcare organizations. However, he joked “medical devices have the half-life of plutonium,” citing the resistance organizations have to replacing dated technology due to the upfront cost.
“Anyone who has had a conversation with the CFO of a hospital about replacing some system that still had 5 years left to run on its [expected lifespan] will know what I am talking about,” he quipped. “It’s a nonstarter of a conversation, particularly if that’s a $25 million X-ray system, or something else that costs a lot of money.”
However, Staynings warned practice leaders in the room to rethink their resistance to upgrades, especially as adversarial nations begin to use smarter methods to break into systems. He hopes the financial risks—not to mention the threat to patients—posed by a ransomware attack will encourage leadership to assess cybersecurity risks and purchase necessary upgrades.
“Medical devices are critical to healthcare facilities today; when they go down, hospitals have to stop operating,” he said. “If your medical imaging system in your hospital goes down, what do you do with patients who come in with broken bones or with other conditions that require a level of professional and medical attention that the hospital is unable to give as a result of the current attack against the system?”