
Medical IoT devices lead to patient safety concerns

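With the recent publicity around ransomware and cyberattacks, medical device security has become a hot topic in the boardroom. Senior executives are not only worried about leaked sensitive patient data. Patient safety is now at risk as well.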

Organizational challenges of securing medical devices

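Common cyberattacks that are not designed to harm patients are still a major threat to patient safety because, in many cases, connected medical devices are unprotected. Even when medical devices are not directly targeted, everyday cyberattacks such as ransomware can interrupt patient treatment and cause devices to crash, resulting in service disruptions.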

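New vulnerabilities are discovered all the time, including URGENT/11, which affects devices running VxWorks; Wi-Fi vulnerabilities in Medtronic's smart insulin pumps; the Sodinokibi malware, which runs on Microsoft Windows 7 through 10 and is based on the same EternalBlue package as WannaCry; and the selective TCP acknowledgment vulnerability known as SACK Panic, which resides in the Linux kernel's TCP stack.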

This is in addition to the infamous WannaCry ransomware attack, which is still active and has been blamed for shutting down more than 60 hospitals in the UK and causing more than 100 million dollars in damages. But even though the danger is clear, and there are directives from the FDA and Office of Civil Rights to take action, not enough is being done to protect patient safety.

Who is responsible for medical device security?

Typically, IT is primarily responsible for information security in large hospitals, but it needs to rely on the specialized expertise of biomedical engineers to know how to secure medical devices effectively. Sharing information and collaborating can be difficult when the relevant experts work in different departments. Communications are even more complicated when biomedical engineering is outsourced. Recently, we are seeing a new trend where biomedical engineering reports to IT, which makes collaboration easier. A new position is also emerging: the medical device security engineer, which makes one individual ultimately responsible for the security of medical devices.

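However, even when one person is charged with security, hospitals typically have specialized departments, such as radiology, oncology, cardiology and pediatrics, each with its own medical devices that have unique connectivity requirements, behaviors and workflows. This makes it difficult for one person to define and enforce a uniform security policy across the entire hospital.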

Patient safety interferes with patient care

Doctors and nurses are already at their limit caring for patients. When devices do have authentication, punching in passwords to protect patient data and safety can appear counterproductive because it slows down patient treatment. Since remembering passwords is tedious, many caregivers share logins, which can make devices even less secure.

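In addition, if a medical device malfunctions, caregivers may pull the device and replace it with another one without realizing that the malfunction was caused by a security incident. After a manufacturer announces a security vulnerability and a patch, installation needs to be coordinated with the manufacturer and all departments to help minimize the impact on patient treatment.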

If a patch isn’t available, all the relevant departments need to collaborate to apply a mitigation, such as limiting device communications by utilizing access lists or implementing network segmentation. All of these measures can impact business processes related to patient care.

Collaboration with verification

Because of all the complexity and the high level of collaboration required, voluntary compliance with medical devices’ security procedures isn’t strong enough. To protect patient safety, medical device security should be fully regulated with specific measurable requirements, and then enforced. As part of their formal training, doctors and other caregivers should also be educated about the potential risk to patient health of not securing medical devices.

However, there are steps that hospitals can take today without waiting for regulations and cybersecurity training to take effect. Hospitals should make sure that all the responsible people in the relevant departments share all information related to medical device operations and clinical workflows. IT security needs to be part of the procurement process so that security requirements are taken into account.

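Hospitals need full visibility into their medical devices, including devices added by vendors on a trial basis. Hospitals must also be able to assess all vulnerabilities and prioritize them based on their impact on patient safety, service availability and data confidentiality. Once vulnerabilities are prioritized, hospitals should implement appropriate compensating controls, such as network segmentation and access control lists, to limit the attack surface. Devices should also be continuously monitored for anomalous behavior to detect and prevent potential threats.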

Medical device cybersecurity is a must, but it requires cooperation from everyone. A combination of training, sensible policies, enforcement and automation can help keep patients safe. Because in the end, patient health and safety are equally important.

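All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are those of the writers and do not necessarily convey the thoughts of IoT Agenda.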
