Cyberattacks are becoming more prevalent in healthcare. With 1,613 attacks per week in 2023 and an average cost of
$11 million per incident, they’re not just expensive but a potential threat to patient safety. Health systems must
proactively protect against these dangers, and including biomedical equipment in that risk-mitigation plan is
crucial.
Biomedical equipment — like ventilators, heart monitors and infusion pumps — that is connected to the internet and
hospital networks is just as vulnerable to cyberattacks as any other hospital system. And because these devices often
run outdated software and have weak security measures, they can be viewed as easy targets for hackers.
A cyberattack on hospital biomedical equipment can result in serious harm to patients. For example, if a hacker gains
control of a ventilator, they could change the prescribed settings. Similarly, if a hacker gains access to a patient
monitor, they could alter the readings and cause incorrect diagnoses or treatments.
Strengthening hospital defenses: A multi-layered approach
Hospitals must adopt a proactive and comprehensive strategy to safeguard their biomedical equipment from cyber
threats. Here are critical steps they can take:
- Prioritize software updates and patching: Regular updates with the latest security patches and software are
paramount for all biomedical equipment. This ensures known vulnerabilities are addressed before they can be
exploited.
- Implement strict access controls: Limiting access to equipment and monitoring for unusual activity can
prevent unauthorized access. This includes implementing robust password policies and multi-factor authentication
(MFA) to create multiple layers of security.
- Ensure network segmentation: Hospitals should segment their networks, placing biomedical equipment on a
separate, isolated network from other hospital systems. This crucial step prevents attackers from moving laterally
across the network and accessing other sensitive data or systems if one segment is breached.
- Invest in staff training: Human error remains a significant vulnerability. Regular cybersecurity training
for all staff members is essential to raise awareness of potential risks and ways to mitigate them.
- Develop a robust incident response plan: No system is entirely impenetrable. Hospitals must have a
comprehensive incident response plan in place to quickly identify, contain and recover from cyberattacks on their
biomedical equipment. This plan should outline clear procedures for isolating affected devices, notifying relevant
stakeholders and restoring normal operations efficiently.
- Assign a dedicated oversight team: This team — comprising clinical engineering, IT security and risk
management professionals — should be responsible for continuous monitoring and investigation of equipment issues,
including malfunctions, tampering, theft/loss and manufacturer recalls. This centralized oversight ensures faster
response and risk containment.
- Formalize chain-of-custody protocols: When devices are decommissioned, serviced or relocated, these
protocols help protect sensitive patient data and ensure that device configurations and security controls are
preserved and transferred properly.
- Establish physical security measures: Areas housing biomedical equipment — including server rooms, storage
areas and patient care zones — should be secured with badge-based or biometric access. Keycard logging systems can
help monitor and audit entries. Devices should never be left unattended in public or semi-public areas.
- Tag and track all biomedical equipment: Use asset tagging technologies such as RFID or BLE beacons to
physically tag and track equipment. These enable real-time location tracking and can alert security teams to
unauthorized movement of devices.
- Disable or block unused USB and I/O ports: If ports must remain accessible for maintenance, implement
supervised access and logging procedures to mitigate cyber intrusion risks.
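The segmentation and access-monitoring steps above only work if someone checks that the isolation actually holds. The script below is an added example, not part of the original article: it reads constructed flow-log lines for a hypothetical biomedical-device VLAN (10.50.0.0/24), compares each flow against an allowlist of the clinical servers the devices are permitted to talk to and the management hosts permitted to reach them, and flags everything else as a segmentation violation worth investigating. The addresses, ports and log format are all assumptions for the example.

```python
"""Added example (not from the article): audit flow records against a
segmentation policy for an isolated biomedical-device VLAN."""
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing plan for the example.
DEVICE_NET = ipaddress.ip_network("10.50.0.0/24")  # isolated biomedical VLAN

# Destinations a device is allowed to initiate connections to (hypothetical):
# the HL7 integration engine on its MLLP port and the patch/management server.
ALLOWED_DEVICE_PEERS = {
    ("10.20.5.10", 2575),
    ("10.20.5.11", 443),
}
# Hosts outside the VLAN allowed to open connections *into* it (hypothetical):
# the management server and a monitored maintenance jump host.
ALLOWED_INBOUND_SOURCES = {"10.20.5.11", "10.20.5.12"}


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form 'src:sport -> dst:dport proto'."""
    left, right = line.split("->")
    src, sport = left.strip().rsplit(":", 1)
    fields = right.strip().split()
    dst, dport = fields[0].rsplit(":", 1)
    proto = fields[1] if len(fields) > 1 else "tcp"
    return Flow(src, int(sport), dst, int(dport), proto)


def classify(flow: Flow) -> str:
    """Return a verdict for one flow relative to the device-VLAN policy."""
    src_in = ipaddress.ip_address(flow.src) in DEVICE_NET
    dst_in = ipaddress.ip_address(flow.dst) in DEVICE_NET
    if src_in and dst_in:
        # Device-to-device traffic inside the VLAN: permitted, but still logged.
        return "intra-vlan"
    if src_in:
        if (flow.dst, flow.dport) in ALLOWED_DEVICE_PEERS:
            return "allowed-outbound"
        # A device talking to anything not on the allowlist (e.g. the internet
        # or an arbitrary workstation) is exactly what segmentation should stop.
        return "VIOLATION: device reaching non-allowlisted destination"
    if dst_in:
        if flow.src in ALLOWED_INBOUND_SOURCES:
            return "allowed-inbound"
        # Inbound from the general hospital network is a lateral-movement signal.
        return "VIOLATION: inbound to device VLAN from unapproved host"
    return "unrelated"


def audit(lines):
    """Return (line, verdict) pairs for every flow that violates the policy."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        verdict = classify(parse_flow(line))
        if verdict.startswith("VIOLATION"):
            findings.append((line, verdict))
    return findings


# Constructed sample flows: two permitted, two violations, one intra-VLAN.
SAMPLE_FLOWS = """
10.50.0.21:50123 -> 10.20.5.10:2575 tcp
10.20.5.11:44512 -> 10.50.0.21:443 tcp
10.50.0.22:50977 -> 203.0.113.7:443 tcp
10.20.77.14:51002 -> 10.50.0.23:22 tcp
10.50.0.21:40000 -> 10.50.0.22:80 tcp
""".splitlines()


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict}: {line}")
```

Run against real exports (firewall logs, NetFlow/IPFIX), the two VIOLATION verdicts are the ones the oversight team described above would want routed to an alert: a device opening connections to an address outside its allowlist, and a workstation on the general network opening a connection into the device VLAN.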
Cyberattacks aren’t just a one-and-done situation — these attacks can be ongoing and last for weeks or months. The
longer they last, the more costly they are, which is why it’s important for health systems to have a clear strategy
for protecting against and managing possible threats. By implementing these measures, hospitals can significantly
reduce their risk of cyberattacks on biomedical equipment and ensure the safety and well-being of their patients in an
increasingly connected world.