© DragonImages - Fotolia/Adobe Stock.
CLINICAL ENGINEERING
Medical devices under threat from hackers
Patient information is now worth more than credit card data on the dark web and hackers are increasingly using medical devices to infiltrate hospital networks. A clinical engineering conference, hosted by the National Performance Advisory Group (NPAG), highlighted the threat posed to Trusts’ cyber security. Louise Frampton reports.
There is a major drive towards digitalisation within the NHS and Trusts will increasingly be scrutinised on their ‘digital maturity’ in the next few years – putting cyber security and IT connectivity at the top of the agenda. The aim is for patients to be able to access their own electronic health records, adding personal data from devices such as FitBit and enabling two-way interaction. At the same time, hospital-based monitoring devices are increasingly being linked directly into patients’ electronic patient records, with a view to becoming ‘paper-free at the point of care’.

Digital technologies and connected devices have the opportunity to increase efficiency and transform care for patients, but there are also challenges ahead for clinical engineers. Against a backdrop of increasing connectivity, digitalisation and interoperability, clinical engineers will need to increase their knowledge of IT networks, as well as cyber security for linked medical devices.

Many hospitals across the world have been hit by having their patient records encrypted, through ransomware, and attempts to sell stolen confidential data on the dark web marketplace have also been identified.1 Medical devices are particularly vulnerable to being exploited by attackers who wish to obtain remote access to hospital networks.

Speaking at the clinical engineering conference, Peter Smithson warned that internal and external threats can lead to a loss of use or the leakage of data, with the potential to result in high costs to the organisation. A consultant clinical engineer for CliniBizTech Solutions and a facilitator for the NPAG IT and Connectivity Group, Peter Smithson works closely with government, clinical engineering and Information Management and Technology (IM&T) departments, and was chairman of the Bristol Trust medical devices anti-malware working group.

He reported that serious cyber security incidents have already occurred at some Trusts in the UK and that the cost of tackling a breach and re-installing IT systems, in one case, was reported to have totalled £4 million over a period of a month. “This is happening worldwide and it is coming to a Trust near you,” he warned.
“Patient data is worth 10-20 times more than credit card data on the ‘dark web’ – it is possible to blackmail a Trust, blackmail the patient, or simply hold the data for ransom. Medical devices contain this data in bundles.” He explained that malware can get into the network in various ways. Modern medical equipment often contains a computer, has open USB ports and contains valuable personal details (e.g. patient ID, treatment or diagnosis details). This could range from a blood glucose monitor to an MRI scanner. Entry to the hospital’s IT systems can be achieved through malware that remains undetected in medical devices on the network. Peter Smithson explained that the malware ‘MEDJACK2’ targets older operating systems and devices – technologies that use XP, such as in radiology, are particularly vulnerable as this system is no longer ‘patched’ by Microsoft.2
“Hackers are targeting older devices at your Trust; they embed the software and use the devices as a ‘jumping off’ point to go and attack other areas of the Trust, while keeping themselves ‘undercover’. You may be infected already,” he commented.

During research undertaken in 2016, cyber-attacks were identified in at least 18 North American hospitals, some of which involved a variety of capital equipment and imaging systems, including a radiation oncology system, an x-ray machine, and a picture archiving and communication system (PACS).3 Vulnerable devices included diagnostic equipment, therapeutic equipment, life support systems, as well as technology using old operating systems and proprietary internal software. “You don’t know if hackers are changing the parameters on critical medical devices or radiation doses, for example – this is the danger of these systems,” Peter Smithson commented.
In March 2016, SC Magazine reported that nearly 1,500 vulnerabilities were found
FEBRUARY 2017
WWW.CLINICALSERVICESJOURNAL.COM I 19