Last week there were multiple reports of a patient death in Germany that appears to be directly linked to a ransomware incident.  Briefly, a patient in need of emergency medical care died because she sought treatment at a hospital that was under cyber-attack. Düsseldorf University Clinic (DUC) was unable to admit the woman, so she was transferred to another facility 30 km (about 19 miles) away. 

Prosecutors have launched a negligent homicide case and are now investigating whether hackers could be to blame for the woman’s death. In a chilling, but perhaps not unexpected development, prosecutors also intend to launch an investigation into the hospital’s role in the tragedy. CISOs and medical device product managers should take notice. 

While this may be the first “direct” link to a death from ransomware, it is important to realize that there have previously been incursions on several productized devices, including life-saving pacemakers and infusion pumps. Cybersecurity expert and lecturer Chris Roberts suggested on LinkedIn that this event couldn’t have been the first, given the number of ransomware attacks in just one day.

Healthcare CISOs, medical device product managers, and R&D engineers who are developing new products in this post-COVID-19 world, such as remote patient monitoring, insulin pumps, and robotic surgical devices, need to act now. Security by design, along with a program of monitoring and reacting, provides a strong approach to medical device and healthcare security.

As the story unfolds in Germany, new facts will arise. Executives, practitioners, customers, and patients will ask what you are doing about it. Here are some actions to take now: 

For medical device manufacturers, communicate with your customers and let them know what security approaches you are taking to secure IoMT devices in the design phase. Can you explain to them how security fits into the overall design process and secures the device, and how you provide the overall “glue” of securing the device, communications, and the data being fed into cloud-based services?

For healthcare organizations, ask the device manufacturers if the device is secure. Can they provide secure firmware updates? Can they take advantage of bootstrap certificates installed during the production process? Are there excess costs in provisioning these IoMT devices? Can they provision and secure automatically at scale?

For both entities, be prepared to answer questions about your device and network security.  Do we have a lot of legacy IoMT devices that are currently unprotected?  Can they be updated? Can they be retrofitted?  Is there a possibility of locking down at the edge of the network to protect the overall network services? 

Since this attack appears to be associated with patching commercial software, can you show how you securely update IoMT devices? 

This may be a watershed moment for healthcare companies and medical device manufacturers, particularly with the investigation of the hospital itself. Do everything you can and implement a security-by-design program for the devices themselves and the devices that your healthcare group purchases.

 

How can we help?

Device Authority has recently showcased how to build, apply and enforce an Identity Access Management service for a customer’s IoT devices using the KeyScaler® platform, which rapidly and transparently provides layers of added protection. Consequently, the customer’s devices and project are back on track, safe and secure, and can be managed through its security lifecycle.

 

To learn more about securing medical IoT, watch our webinar: https://www.brighttalk.com/webcast/17202/439805

Paul de Curnou