Hospital devices are loaded with features to make them more user-friendly, increase safety and better monitor patients, but they’re also potential security risks. As cyber attacks multiply, hospitals, government agencies and manufacturers are taking a long hard look at security. But how vulnerable are these connected devices?
“If we knew the answer to that, we would know what to do,” said Patrick Schaumont, professor in the Bradley Department of Electrical and Computer Engineering at Virginia Tech, in a phone interview. “With the features being designed into these devices, security isn’t always integrated from the start. I think one of the hard problems we are facing is understanding all the risks that result from interconnecting everything.”
Interconnectivity offers advantages for patients and hospital staff, but it also boosts complexity and risk. Networking protocols, wireless standards, data encryption and other software may require occasional updates.
“You get many more features because you have software in the loop,” said Schaumont. “But because it’s software and has potential for security flaws, your system becomes that much more vulnerable.”
The consequences are manifold. Vulnerable devices could provide doorways into hospital networks, breaching confidentiality or locking up the system entirely. In addition, an insecure system is potentially an untrustworthy one.
“For devices, you rely on the data they provide,” said Schaumont. “Once you have the uncertainty of security risks — the device crashes or the data is corrupted — it’s not only the software that is being corrupted, it’s the whole system.”
These are the risks that keep hospital IT people up at night. Their mission can be summed up with the acronym CIA — confidentiality, integrity, availability — but the bottom line is patient safety.
“IT is the underlying infrastructure that supports almost every patient care service,” said Jeanie Larson, chief…