Sophisticated cyber threats targeting the healthcare sector are on the rise at a time when more connected medical devices are making their way into patient homes, increasing the need for strong preventive practices and industry collaboration to thwart attacks, according to a new report from medtech firm Becton Dickinson.
Ransomware, phishing and software vulnerabilities are among the biggest challenges facing medtech manufacturers, hospitals, labs and pharmacies, as well as patients’ homes where software-enabled medical devices are used, BD said in its third annual cybersecurity report released on Wednesday.
“Medical device cybersecurity has become more critical than ever as the number of smart, connected devices grows and healthcare expands into more care settings, including patient homes,” the report said. To increase awareness and protect patients, device makers, healthcare providers, regulators and researchers must work together to share best practices and threat intelligence, BD added.
The device maker alone blocks 114 million intrusion attempts a month, it said. A key part of the company’s approach to cybersecurity is making a routine practice of disclosing vulnerabilities and outlining activities it is undertaking to safeguard against emerging threats, said Rob Suárez, chief information security officer at BD.
“We are very big proponents for coordinated vulnerability disclosures,” Suárez said in an interview.
Ransomware attacks in which cybercriminals attempt to extort money declined by 23% overall during the first half of 2022 but increased 328% in healthcare, according to data from cybersecurity company SonicWall.
U.S. government agencies including the Department of Health and Human Services, the FBI and Cybersecurity and Infrastructure Security Agency issued alerts last year warning of ransomware attacks that aggressively targeted the healthcare sector using increasingly sophisticated techniques.
Those strategies ranged from employing a ransomware-as-a-service (RaaS) model to removing system backups to complicate data restoration efforts, and encrypting servers that house electronic health records, diagnostic and imaging data.
In one example made public in November, the HHS Health Sector Cybersecurity Coordination Center warned the industry that Venus ransomware operators were targeting remote desktop services to encrypt Windows devices, with at least one U.S. health organization becoming a victim. That alert followed a ransomware attack that hit hospital system CommonSpirit Health in October, interrupting access to electronic health records and delaying patient care in a number of regions.
Malware attacks are also are rising, increasing 11% to 2.8 billion incidents in the first half of last year, representing the first escalation of global malware volume in more than three years, according to SonicWall, a cybersecurity firm.
BD’s report describes the efforts of various cybersecurity working groups and the company to advance secure practices, including ethical hacking exercises, scenario training and preparing for greater software-bill-of-materials visibility.
The PATCH Act introduced in Congress last year would require medical device manufacturers to develop and maintain updates and patches throughout the life cycle of their devices. Manufacturers would have to create a plan for addressing post-market cybersecurity vulnerabilities in a timely manner and create a software bill of materials for each product and its components.
BD has reported a handful of cyber vulnerabilities to the Cybersecurity and Infrastructure Security Agency (CISA) in recent months, including weaknesses in its line of BodyGuard infusion pumps that delivery fluids and medications to patients.
The company’s annual cybersecurity report details how it prepares for cyberattacks and communicates with customers about risks.
“Talking about vulnerabilities has been a taboo topic, but we see it as doing the right thing,” Suárez said. “We want to convey a message that we are very vigilant about cybersecurity. It's not a matter of if, but when.“