The security risks of medical equipment are high because hospital networks are connected to the Internet, a state agency says.
“Experts have pointed to the risks in the cyber security of medical devices for a decade, but it remains at a serious level,” said Information & Communications Technology Promotion (IITP) 정보통신기술진흥센터 under the Ministry of Science and ICT (MSIT) 과학기술정보통신부 in a report released Wednesday.
Because too many people at hospitals use the devices and hospital networks are connected to the outside through the Internet, it is hard to trust their security, the report noted.
“The concerns about the cyber security of medical devices have increased after the Internet connection, while the responses to the vicious attack on the Internet remain vulnerable,” it said.
Medical device companies and hospitals are not prepared for cyberattacks in which someone at a hospital clicks a malicious link or downloads a malicious file, the report added.
According to a report that U.S. security company Synopsys released in May, one-third of medical device makers and providers are aware of the risks resulting from insecure equipment, but only 17 percent of the producers and 15 percent of the providers take countermeasures.
“Security experts say they have yet to grasp the damages caused by medical devices, but R&D company Battelle, on the causes of medical device malfunctions, pointed out that makers have neglected whether the malfunctions resulted from a malicious cyberattack,” the report said.
Battelle noted there were many cases of equipment malfunctions threatening the lives of patients, adding that attackers can harm patients and, in the worst case, cause their deaths.
It cited five factors that increase security risks: cloud connectivity, wireless connectivity, the use of old versions of commercial operating systems and software, patient data storage, and the use of equipment connected to servers at other companies.
As an example of cloud connectivity, the report cited glucometers that measure blood sugar levels and link to smartphones. If someone hacks into the smartphone application and wrong data is transferred, people can make a bad judgment about blood sugar levels.
It assessed that devices with wireless connectivity carry more risk than those connected to the cloud.
“Health measurement equipment Fitbit is linked to smartphones with Bluetooth,” it said. “Fitbit might be safe because it doesn’t communicate with other equipment, but it is important that smartphones connected to Fitbit are the combination of all kinds of technology.”
Another problem is that medical institutions tend to use old operating systems, which makes them targets of malicious attacks such as ransomware.
IITP also said medical devices that have “the patient data storage function” are likely to be targets of cyberattacks.
“Medical devices that have patients’ data are vulnerable to security because they usually directly communicate with the Electronic Health Record (EHR) system,” it said. “The attacks on X-ray equipment and Picture Archiving & Communication System (PACS) happen in real life because some of them have the whole patients’ records.”
Because equipment that communicates with a patient database can serve as a beachhead for accessing other patient data, such a device can be the first target. Devices linked to the EHR system, such as pacemakers, insulin pumps, CT and MRI, are especially risky because medical organizations are interconnected with various medical platforms, it added.
IITP also said the risk level of devices linked to servers in other places is higher than that of devices connected within the same location.
“Equipment connected to servers in other companies is controlled by their security systems. The security risks of all connections to the outside of medical organizations are the same,” it said. “For example, there is equipment in an ambulance linked to a hospital server. In this case, the security is lower than in the case of information exchange in the hospital.”