
What solutions can ensure the cybersecurity of biomedical equipment?

As the digitisation of healthcare institutions accelerates to meet the needs of both patients and healthcare professionals, the number of identified vulnerabilities grows with it, and with them the risk of cyberattack.

Jean-Sylvain Chavanne

Jean-Sylvain Chavanne is currently in charge of information systems security (RSSI) for the CHRU of Brest and the GHT of Western Brittany (10,000 staff). He also teaches at several schools, including the Paris School of Economic Warfare, the University of Paris Dauphine and the CNAM. He contributed to the Manuel de l'intelligence économique (published by PUF).

Jean-Sylvain Chavanne holds a master's degree in economic intelligence from the École de Guerre économique and a master's degree in cybersecurity from ESIEE IT. He spent six years at the French National Agency for Information Systems Security (ANSSI) as a project manager, deputy head of the territorial coordination office and then digital security delegate for the Pays de la Loire region. Afterwards, he managed the cyber security agency based in Brest of the company CEIS Cyberdefense.


Furthermore, the digitisation and exploitation of health data will be the main challenges of the next decade, with several objectives:

  • Better patient diagnosis;
  • Optimisation of patient management within healthcare institutions;
  • Increased use of data for research and clinical trial purposes.

However, the growth in data generation also whets the appetite of attackers. This can be seen in the sharp increase in health data leaks being sold on darknet markets. In January alone, an American hospital (Broward Health) suffered a data leak involving more than one million patients, and Indonesian hospitals were hit in the same way. In France, the hospital in Arles had dozens of patient files stolen before the attackers demanded a ransom. According to a study by Cynerio, the share of data leaks caused by biomedical equipment is comparable to the share caused by phishing: it is therefore colossal.

Healthcare institutions are thus faced with a growing threat given the nature of the data processed (health data) and the increasing exposure of their infrastructures via the development of telemedicine, tele-expertise, etc. Among the components of the digital infrastructures of healthcare institutions, biomedical equipment is taking on an increasingly important and strategic role. It is therefore necessary to enable hospitals to control the digital risks associated with these new connected tools.

Why is biomedical equipment a key target for attackers?

Biomedical equipment, which can be a major source of data leakage, is present at various stages of the patient journey, and some of it acts directly on the patient's body. The consequences of exploiting a vulnerability can therefore be critical and affect patient safety.

For example, in 2020, IBM disclosed a vulnerability (CVE-2020-15858) that could allow attackers to remotely take control of insulin pumps and alter the doses of medication injected into patients. The consequences for the patient could be lethal.

The same flaw could also be used to modify the data sent to the monitors of biomedical equipment, for example to create a false panic within a department. The subject has become important enough that the American Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning of the severity of this flaw.

Yet healthcare institutions have very little say over how equipment is deployed within their walls. For example, biomedical software publishers regularly ask them to disable antivirus protection on part of the hospital information system so that their tools work properly. Given the risks involved in lifting this protection, this is an unacceptable practice, all the more so when it comes from international biomedical equipment giants. But if the institution refuses, the publisher retorts that its teams will not be able to carry out maintenance. For equipment that is vital to patients, this is obviously unacceptable as well.

Consequently, the burden of securing biomedical equipment falls solely on healthcare institutions, even though this equipment is increasingly interconnected with health information systems and even with the internet (for telemedicine, for example). It is therefore urgent to bring the digital risks associated with biomedical equipment under control.

What answers can we offer?

As a preamble, it is important to point out that cybersecurity must not get in the way of patient care within healthcare institutions. It is nevertheless necessary to ensure that these devices do not become the gateway for attackers targeting the data held in health information systems.

Biomedical equipment manufacturers and end users must therefore agree on how such equipment is to be deployed.

Today, a publisher wanting to install a piece of equipment in a hospital delivers a certified, ready-to-use solution. It is therefore not easy to modify the equipment (which has its share of vulnerabilities) or even to identify all the software components it uses. Unless biomedical publishers make an effort to be transparent and flexible, security certification procedures (such as those recommended by the ANSSI) will be of little use for a pragmatic assessment of the risk.

Manufacturers must therefore be encouraged to develop equipment that is "secure by design" and to be more transparent about their products. This would give healthcare institutions the ability to quickly detect vulnerable devices within their own health information systems, all the more necessary since the Cynerio study indicates that more than half of connected equipment contains at least one vulnerability.

Indeed, these devices use many third-party components, any of which can turn the device into a vulnerable one at any time. For example, in December 2021, after the disclosure of the Log4Shell vulnerability (CVE-2021-44228), healthcare institutions struggled to quickly identify which biomedical equipment embedded a vulnerable Log4j library, even though the flaw was rated 10/10 on the CVSSv3 severity scale. Under these conditions, it is difficult to maintain an acceptable level of cybersecurity.

As a first step, requiring a software bill of materials (SBOM, a "software nomenclature") for each device would allow publishers and healthcare institutions to establish, quickly and exhaustively, the extent of a vulnerability affecting a component with a simple search. This transparency work is essential for better security in hospitals. All of this is part of a global cybersecurity approach for healthcare institutions, and could even lead to a certification scheme for biomedical equipment, following the example of the ANSSI's CSPN.
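As an added example (not code from the article, its author, or any manufacturer), here is what the "simple search" over SBOMs looks like once an institution holds an inventory of its devices, applied to the Log4j case from the previous paragraph. Device identifiers, models, departments and SBOM contents are all constructed; the component name and the affected version ranges for CVE-2021-44228 are taken from the public advisory for that CVE (2.0-beta9 up to but excluding 2.3.1, 2.4 up to but excluding 2.12.2, 2.13.0 up to but excluding 2.15.0), and would be checked against the vendor's own statement in practice. The edge case the search must not hide is the device with no SBOM at all: it is reported as unknown rather than silently treated as safe.

```python
"""Search a device inventory's SBOMs for a vulnerable component (added example).

All inventory data below is constructed for illustration; the SBOM dicts follow
a minimal CycloneDX-like layout (a 'components' list of name/version/purl).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of ints.

    Pre-release and build suffixes are dropped, so '2.0-beta9' compares as 2.0.
    This is deliberately conservative: a pre-release may be flagged even if the
    advisory only starts at a later beta, which is the safer error for triage.
    """
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def in_range(version: str, lo_inclusive: str, hi_exclusive: str) -> bool:
    """True when lo_inclusive <= version < hi_exclusive (tuple comparison)."""
    return parse_version(lo_inclusive) <= parse_version(version) < parse_version(hi_exclusive)


@dataclass
class Advisory:
    cve: str
    component: str                    # component name as written in the SBOM
    purl_prefix: str                  # package URL prefix, matched as a fallback
    affected: List[Tuple[str, str]]   # [lo_inclusive, hi_exclusive) ranges


# Ranges as published for CVE-2021-44228 (fixed backports 2.3.1 and 2.12.2 excluded).
LOG4SHELL = Advisory(
    cve="CVE-2021-44228",
    component="log4j-core",
    purl_prefix="pkg:maven/org.apache.logging.log4j/log4j-core@",
    affected=[("2.0", "2.3.1"), ("2.4", "2.12.2"), ("2.13.0", "2.15.0")],
)

# Constructed inventory: device id -> record. 'sbom' is None when the vendor
# supplied no bill of materials at all.
INVENTORY: Dict[str, dict] = {
    "MON-0412": {"model": "bedside monitor (constructed)", "department": "ICU",
                 "sbom": {"components": [
                     {"name": "log4j-core", "version": "2.14.1",
                      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
                     {"name": "openssl", "version": "1.1.1k"}]}},
    "INF-0077": {"model": "infusion pump server (constructed)", "department": "Oncology",
                 "sbom": {"components": [
                     {"name": "log4j-core", "version": "2.12.2"}]}},      # fixed backport
    "IMG-0009": {"model": "imaging workstation (constructed)", "department": "Radiology",
                 "sbom": {"components": [
                     {"name": "log4j-core", "version": "2.17.1"}]}},      # patched
    "VNT-0150": {"model": "ventilator (constructed)", "department": "ICU",
                 "sbom": {"components": [
                     {"name": "log4j", "version": "1.2.17"},              # 1.x: not this CVE
                     {"name": "busybox", "version": "1.33.0"}]}},
    "GW-0002":  {"model": "telemetry gateway (constructed)", "department": "Cardiology",
                 "sbom": {"components": [
                     {"name": "log4j-core", "version": "2.0-beta9"}]}},
    "LAB-0301": {"model": "haematology analyser (constructed)", "department": "Laboratory",
                 "sbom": None},                                            # no SBOM supplied
}


def _matches(component: dict, advisory: Advisory) -> bool:
    """Match on the SBOM component name, or on the purl when the name differs."""
    if component.get("name") == advisory.component:
        return True
    return str(component.get("purl", "")).startswith(advisory.purl_prefix)


def affected_devices(inventory: Dict[str, dict], advisory: Advisory) -> Dict[str, list]:
    """Return {'vulnerable': [(id, model, version)], 'unknown': [(id, model)]}.

    Devices without an SBOM go to 'unknown': absence of evidence is not
    evidence of absence, and they need a manual check or a vendor statement.
    """
    vulnerable: List[Tuple[str, str, str]] = []
    unknown: List[Tuple[str, str]] = []
    for device_id, record in inventory.items():
        sbom: Optional[dict] = record.get("sbom")
        if not sbom:
            unknown.append((device_id, record["model"]))
            continue
        for comp in sbom.get("components", []):
            if not _matches(comp, advisory):
                continue
            version = str(comp.get("version", ""))
            if any(in_range(version, lo, hi) for lo, hi in advisory.affected):
                vulnerable.append((device_id, record["model"], version))
    return {"vulnerable": vulnerable, "unknown": unknown}


if __name__ == "__main__":
    report = affected_devices(INVENTORY, LOG4SHELL)
    for device_id, model, version in report["vulnerable"]:
        print(f"{LOG4SHELL.cve}: {device_id} ({model}) ships {LOG4SHELL.component} {version}")
    for device_id, model in report["unknown"]:
        print(f"{LOG4SHELL.cve}: {device_id} ({model}) has no SBOM, status unknown")
```

The search deliberately separates three outcomes: devices whose SBOM places them inside an affected range, devices whose SBOM shows a non-affected version (the fixed 2.12.2 backport and the unrelated Log4j 1.x entry stay out of the report), and devices for which no SBOM exists. The last group is the one a manual inventory tends to lose, and it is exactly where a vendor statement or a hands-on check has to be requested.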

This measure must, however, go hand in hand with better management of biomedical equipment within healthcare institutions. For example, according to a report by CyberMDX and Philips, 65% of the U.S. healthcare facilities surveyed said they relied on manual methods to inventory their equipment, methods that are by nature unreliable.

In conclusion, manufacturers and healthcare institutions must work together to better protect patients' health data while developing new uses for healthcare professionals.
