What a Colonial Pipeline Attack Teaches Us About Cybersecurity
The cyber attack on the Colonial Pipeline experienced heavy media coverage last month, and for good reason.
The important pipeline system — largely used to carry gasoline and jet fuel throughout the southeastern USA — was hacked for a payout of 75 bitcoin, or roughly $5 million. And while that is certainly a large payment, the effects of this event don’t end there. It is important to think critically about the true cost of this one event in addition to the secondary and tertiary losses in productivity.
According to BBC, the pipeline carries 2.5 million barrels a day, 45% of the East Coast’s supply of diesel, petrol and jet fuel. As a result of the, apparently financially-motivated, ransomware attack, a major portion of the country was affected by the 5-day pipeline shutdown with the corresponding loss in fuel availability: not just for consumers but for businesses and industries of all kinds.
Colonial Pipeline map (source)
Whatever the total impact may be, it is most certainly much, much larger than just $5M.
This attack is just one example of the increasing number of ransomware attacks. In this event, it was not a bank or an agency affected; it was a critical part of American infrastructure.
The Colonial Pipeline ransomware event has proven yet again that information technology of all kinds is vulnerable to this kind of attack, including areas of healthcare and connected medical devices.
This article will dive further into the cyber-hack, and what it means in the context of healthcare cybersecurity and connected medical device security.
Cybersecurity in Healthcare Cannot Be Overlooked
The Colonial Pipeline event shows how dependent we are on technology in all areas of our interconnected infrastructure, and how often we fall short in securing these systems against hacking and intrusion.
Cloud computing has many benefits as it is a flexible solution that allows hospitals, for example, to leverage a network of remotely accessible servers, where they store data that can be made available globally.
Not only should we always consider the risks of connecting systems to the internet itself, we should also be concerned about the businesses that are connected to it because it is their vulnerability to these cyber attacks that puts all else, including human safety, at risk.
A cyber attack in the healthcare landscape can have significant negative impacts on things like patient care, remote diagnostics, equipment monitoring, patient monitoring, and more.
According to Health IT Security, healthcare cybersecurity attacks doubled in 2020, with 28% of those occurrences being connected to ransomware. With that, it is suggested that up to 90% of these attacks are caused by employee error (e.g. clicking a malicious link). A staggering 25% of healthcare employees never receive cybersecurity training to help prevent such simple phishing intrusions.
Within the American healthcare system, the risk landscape is more active and dangerous than ever. As the biggest, richest, and by many estimates, the weakest target of this kind in the world, the United States suffers more healthcare cybersecurity attacks than anywhere else.
Apart from healthcare workers receiving inadequate training to help prevent them from being victimized by these attacks, many organizations that fall victim also fail to perform risk assessments that could expose their potential weaknesses to these threats.
Beyond the healthcare IT systems that contain sensitive patient data at risk of exposure, connected medical devices such as x-ray machines, heart rate monitors, and defibrillators (for example), open up dangerous points for hackers looking to access their data-rich cloud platforms.
Connected Medical Device Security Should Be Prioritized
The Colonial Pipeline attack teaches us how internet-dependent businesses, including connected medical devices, must adequately prepare for cyberattacks.
It is crucial to know the types of regulatory requirements you will need to comply with for Class II or Class III medical devices. Should you wish to expand your device into the E.U. market, then you must comply with the new cybersecurity requirements for MDR.
The combination of hackers wanting to gain access to valuable patient health information (the most valuable information being names and addresses of patients, social security numbers, diagnostic images, and biometric data) and a lack of healthcare cybersecurity culture within organizations helps explain the vulnerabilities of connected medical devices and why medical device cloud security should be prioritized.
There are several steps companies need to take in order to best manage connected medical device security, including:
- Creating a set of cybersecurity procedures and guidelines.
- Building a culture of medical device security through regular employee training and ensuring they understand risk areas.
- Designing connected medical devices with security in mind and keeping track of software components used in the development of the medical device.
- Taking appropriate security measures when providing access to data. Access should be limited to those who need it and should require a series of passwords or authentication in order to access it.
- Regularly backing up data and keeping the data back-up off-site so that it is secured away from the main data center.
- Creating a post-market surveillance program to be able to continuously assess risk.
Security within medical devices cannot be an afterthought and should be integrated at the beginning of medical device development.
Healthcare Cybersecurity breaches of the past
It is important to note that any organization is vulnerable to a cybersecurity attack.
In early 2016, a similar type of event as the Colonial Pipeline struck Hollywood Presbyterian Medical Center (HPMC).
For nearly a week, the Medical Center could not access its systems nor patient information. In order to cope with daily care commitments, it had to fall back to older technology: paper records, and fax machines.
Hollywood Presbyterian Medical Center (source)
The work was able to continue at a much slower pace — resulting in longer wait times, missed appointments, delayed surgeries, and a host of other disruptions occurred.
IT experts concluded that Hollywood Presbyterian Medical Center had a very weak security infrastructure, and, according to Elliott Frantz, CEO of Virtue Security, “This incident really sheds light how weak the core of many providers’ internal infrastructure is […]. It’s very common for hospitals to have a large number of outdated and vulnerable systems on the network.”
An example of a medical device cybersecurity threat took place in the summer of 2017, when almost half a million pacemakers were recalled in the U.S. due to fears that their connected medical device security was compromised.
Abbott (formerly known as St. Jude Medical) Accent MRI pacemaker, one of the recalled medical devices (source)
The recall didn’t require patients remove the devices through invasive, risky surgery, but rather, the manufacturer issued a firmware update which will be applied by medical staff to attempt to take corrective action to fix the vulnerability of the connected medical devices.
According to the FDA, in this healthcare cybersecurity attack, there were vulnerabilities within these medical devices that could grant unauthorized users access to the device. Fortunately, in this case, there are no known reports of patient harm related to this vulnerability.
Cybersecurity Experts for Healthcare and Medical Device Cybersecurity
Healthcare is an attractive target for hackers, as there is an incredible sense of urgency to get systems back up and running, quickly.
Organizations must not overlook their healthcare cybersecurity or connected medical device security because the consequences can be dire.
Always consider the risks if your business were to be hacked or its data was in some other way compromised. You can conduct a risk analysis by asking yourself: What happens if the data is altered or deleted? Would these occurrences pose any risk to a person, business or society?
To help your company mitigate cybersecurity risks, there are many third-party organizations that can help ensure security in connected medical devices, such as Galen Data. Our fully-managed cloud solution offers a cost-effective and compliant solution for medical device connectivity, visualization, analytics and much more.
Going with a third-party cloud provider can help reduce risks in terms of medical device security, privacy, compliance, and system development. It also removes the need of hiring additional personnel to operate and manage the infrastructure; ultimately saving your business time, money, and worry.