Securing Health Care Infrastructure Against Potentially Devastating Cyberattacks

ECE/Khoury Professor Kevin Fu advises the health care industry to more effectively protect its infrastructure from hackers who can infiltrate medical devices such as cancer radiation therapy machines.

This article originally appeared on Northeastern Global News. It was published by Cesareo Contreras.

Cybersecurity attacks have the potential to infiltrate medical devices and cripple health care, Northeastern expert warns

The cyberattack on Change Healthcare last month should serve as a wake-up call for the health care industry, which needs to focus on securing its infrastructure, says Kevin Fu, a Northeastern University professor of electrical and computer engineering and cybersecurity adviser to the White House.

While the most recent attack impacted online billing and revenue systems, hackers have the potential to infiltrate medical devices that provide critical care.

In fact, they already have, Fu says.

He points to one example.

In 2021, hackers broke into the infrastructure of cancer software provider Elekta. They found their way into the company’s internal systems through the internet and took its software offline.

“They took down their private cloud and that effectively shut down all cancer radiation therapy machines for about six weeks globally,” he says. “I think the industry has learned a lot from that because they were one of the first victims of ransomware affecting an actual medical device.”

But the threat still remains, says Fu, a member of The President’s Council of Advisors on Science and Technology Working Group.

Cloud technology is to blame, he says.

“I think that because many medical device manufacturers are beginning to integrate cloud services into their products, we can expect outages of entire medical device product lines, if they are not resilient to ransomware and other cyberthreats,” says Fu, who recently published research on privacy and data concerns.

So, what does that mean?

First, we need to be proactive rather than reactive, he says.

“We are still in the initial ‘deer in headlights’ shock stage,” he says. “We know the right approach is to engineer not just secure systems, but resilient systems that can continue to operate essential services unimpeded even if ransomware gets into the cloud or even if all the firewalls are compromised.”

Second, companies need to abandon what is called “perimeter-based” thinking. It’s a term used in cybersecurity to describe protecting yourself against an intruder through the use of a virtual firewall or moat of sorts.

“A lot of companies today, I would say 99%, still think about firewalls, and if they are protected at the border,” Fu says. “But guess what, there is no border. When you have perimeter-based thinking, you have very ungraceful failures. What you want to do is have a system that is resilient if pieces of software fail.”

“The industry has to cleanse its colon of perimeter-based thinking and move toward cyber-physical resilience,” he adds.

For cybersecurity guidance, Fu suggests health care providers turn to the Joint Security Plan filed by the Healthcare Sector Coordinating Council.