Dive Brief:
- BD, in an inaugural cybersecurity annual report, said a culture of transparency and collaboration with customers and industry stakeholders is needed to establish industry best practices, as the number of cyber attacks targeting the healthcare industry continues to rise.
- The medtech anticipates the industry will remain under pressure from cyber criminals in the coming months, with social engineering attempts such as phishing becoming more sophisticated and ransomware attacks continuing against hospital networks.
- The Medical Device Innovation Consortium, chaired by BD Vice President and Chief Information Security Officer Rob Suárez, is working to develop a benchmark for cybersecurity maturity to help medical device manufacturers and healthcare information technology companies track and measure progress against their peers with the aim of improving industry-wide visibility.
Dive Insight:
Cybersecurity threats have been on the rise during the COVID-19 pandemic at a time when healthcare providers are increasingly relying on telehealth and remote patient monitoring to care for patients. Hackers have targeted hospitals, health systems and even research organizations working to develop vaccines.
To address these growing threats, BD has called for the healthcare industry to adopt what it calls "Zero Trust" principles, meaning organizations should treat no user or device as trusted by default and should operate as though the network has already been compromised. Instead of relying on strong passwords and virtual private networks (VPNs) alone, additional criteria such as location, user behavior and device health should be factored into every access decision, according to BD's report.
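The contrast BD's report draws can be made concrete in code. The following is an added illustration, not code from BD or its report: a legacy check that grants access on password plus VPN, beside a zero-trust style policy that treats the network as compromised and scores device health, location and behavior instead. The signals, thresholds and the `AccessRequest` shape are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    # Signals an access broker might collect; all field names are assumed for this example.
    password_ok: bool
    on_vpn: bool
    device_patched: bool
    endpoint_protection_running: bool
    country: str
    usual_countries: tuple
    failed_logins_last_hour: int
    hour_of_day: int


def legacy_decision(req: AccessRequest) -> str:
    """Perimeter model the report argues against: a valid password inside the VPN is enough."""
    return "allow" if req.password_ok and req.on_vpn else "deny"


def zero_trust_decision(req: AccessRequest) -> str:
    """Zero-trust model: VPN presence grants nothing, because the network is assumed compromised.

    Returns "allow", "step_up" (demand a second factor / re-authentication) or "deny".
    """
    if not req.password_ok:
        return "deny"
    # Device health is a hard gate: an unpatched or unprotected endpoint never gets access.
    if not (req.device_patched and req.endpoint_protection_running):
        return "deny"
    # Location and behavior contribute to a risk score; thresholds are illustrative.
    risk = 0
    if req.country not in req.usual_countries:
        risk += 2  # sign-in from a country this user has never used
    if req.failed_logins_last_hour >= 3:
        risk += 2  # possible credential guessing before this success
    if req.hour_of_day < 6 or req.hour_of_day > 22:
        risk += 1  # outside the user's normal working hours
    if risk == 0:
        return "allow"
    if risk <= 2:
        return "step_up"
    return "deny"
```

A request that passes the legacy check can still be refused or challenged under the zero-trust policy, which is the point of incorporating the extra criteria.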
The company expects greater proactive collaboration and knowledge sharing between device makers about emerging threats and cybersecurity vulnerabilities in the year ahead.
BD has faced its own cybersecurity challenges over the past year, the latest coming to the forefront last month when the company's Alaris infusion pumps, which deliver fluids to patients in the hospital setting, became the subject of a Cybersecurity and Infrastructure Security Agency advisory. BD said it had received no reports of the vulnerability being exploited; had it been, operators could have been forced to program the pumps manually. The company is addressing the problem with server upgrades and a patch.
The alert follows advisories about the company’s BD Pyxis MedStation and BD Alaris PCU system earlier this year.
Medtronic and GE Healthcare last week became the most recent device makers to have cybersecurity vulnerabilities flagged in CISA advisories.
CISA issued an alert about Medtronic’s MyCareLink system that allows pacemaker patients to send heart device information to their doctors. Medtronic said there has been no cyberattack or unauthorized access to patient data because of the problem, which could allow an attacker to take control of the device. The company has made an update available that eliminates the vulnerabilities.
GE’s cybersecurity disclosure, involving dozens of imaging and ultrasound products, indicated that the vulnerabilities could allow an attacker to put the operation of these systems and the health data stored on them at risk. The company said it was not aware of any incidents of hackers exploiting the vulnerability or gaining unauthorized access to data, and that its own risk assessment found no patient safety concern. GE has identified mitigations for specific products.