Cybersecurity Risks in Healthcare: The Need for Vigilance Against Network Disruptions
Ransomware attacks targeting medical devices may not be frequent, but the vulnerability of IT systems that support these devices poses significant concerns for the healthcare sector. Jessica Wilkerson, a representative from the Food and Drug Administration (FDA), has emphasized the growing need for the industry to prioritize these risks. A disruption in network availability can have dire consequences, as many medical devices rely on these systems for essential communications with electronic health records and among themselves.
If a network outage occurs, the implications are immediate and severe. Wilkerson notes that when medical devices cannot communicate due to such disruptions, patient care may be compromised. This reality underscores the necessity for collaboration between healthcare professionals and IT leaders, especially chief information security officers, during critical decision-making processes pertaining to cybersecurity.
In her recent audio interview with Information Security Media Group, held at the HIPAA Summit organized by the U.S. Department of Health and Human Services, Wilkerson touched on multiple crucial topics. She outlined the challenges faced by manufacturers and healthcare organizations concerning the availability of medical devices during cyber incidents. Notably, she highlighted the unique cybersecurity issues that legacy devices and implantable technology present, as well as the specific risks related to artificial intelligence.
Wilkerson also addressed the current status of medical device manufacturers as they strive to meet the FDA’s heightened cybersecurity requirements. This evolution indicates both progress and the persistent challenges developers face in aligning their products with regulatory standards. Additionally, she discussed ongoing efforts at the FDA to enhance medical device cybersecurity, including guidance that is currently under development.
As the senior cyber policy adviser and team lead for medical device cybersecurity at the FDA’s Center for Devices and Radiological Health, Wilkerson brings a wealth of knowledge to the topic. Her background as an attorney enables her to frame the importance of policy development around the safety and efficacy of connected medical devices.
The tactics employed in potential cyber incidents align with categories identified in the MITRE ATT&CK framework. For instance, initial access may be a precursor to larger network infiltrations, while persistence and privilege escalation could be leveraged to maintain control over compromised devices. The framework serves as a valuable tool for understanding the methods that attackers might employ within the healthcare domain.
The collaboration between various stakeholders in the medical and cybersecurity fields is paramount as the landscape of threats continues to evolve. The FDA’s proactive stance and ongoing policy development are crucial steps toward mitigating risks associated with the connectivity of medical devices, ensuring that patient care remains uncompromised in an increasingly digital healthcare environment.