From Trojan.Kwampirs to KRACK, the last year has seen no shortage of reminders that medical devices are subject to attack. On April 23, software provider Symantec reported that it had analyzed Kwampirs backdoor hacks from cybercriminal group Orangeworm: 39 percent were on healthcare equipment like x-ray machines, MRIs, and systems used to complete patient consent forms. KRACK, on the other hand, didn’t attack devices. Rather, it compromised Wi-Fi Protected Access II (WPA2) — the connection between devices.

“Prior to network connectivity, these devices were protected by physical security. Only authorized medical personnel were allowed in the room with the patient. If changes to the infusion pump operations were made, they were made by pressing buttons on the device,” says Michael Nowatkowski, information security professor at the Augusta University Cyber Institute.

Now everything’s connected, leaving hospitals and healthcare systems scrambling. Research provider KPMG says 41 percent are turning to improved governance and policies while 33 percent outsource device security to third parties.

For those who do manage medical device security internally, experts offer this advice:

1. Get better at protecting everything

If you believe what you see on television, the goal of a medical device attack is to hurt the patient. Both “Sherlock” and “Homeland,” for example, show people being murdered by their pacemakers. KPMG cyber practice partner Michael Ebert says that’s not how these attacks work in real life: “Cyberattacks today have the potential to harm patients, but most of the attacks against medical device makers are aimed at stealing their technology so devices can be copied or product development dead ends can be avoided.” In other words, device hackers want the same thing most hackers want: information.

According to Nowatkowski, hackers may not even realize they’re in a device when they try to get it: “Many of these systems run operating systems similar to a normal computer, so the attacker may think they are just exploring a computer rather than a medical device.”

Limit damage from this particular brand of hacker by improving security overall. Implement the same best practices for medical devices that you would for traditional computers. For example, Ali Youssef, principal mobile architect at Henry Ford Health System in Detroit, says, “Ensure that data is encrypted,” explaining that device software should “support EAP-TLS authentication and WPA2 encryption as a baseline.” Eric DiPietro, application consultant with security integration company Optiv, says to monitor for vulnerabilities and, if you see one, patch it: “Develop and follow a mature patching plan to keep systems and devices up-to-date.”

2. Isolate at-risk patients

In those rare instances when hackers are after patients, they usually want their personally identifiable information (PII). Sometimes they’re after as much PII as they can get, no matter who the patients are. In other instances, they’re looking for data on a specific person. Nowatkowski says, “High-profile individuals may be at greater risk than the general public,” particularly politicians, business leaders, and “celebrities or wealthy individuals that could be ransomed.”

To get to one person, hackers usually have to attack multiple machines: “A hacker may not be completely aware of which device they happen to exploit,” Nowatkowski says. “The attacker may not know exactly which device their target is attached to.” In other words, cybercriminals might know a celebrity’s in room 914, but be unable to tell which IV or heart monitor is in that room. So, they target the entire floor.

Isolating famous patients won’t make their information safer, but it will narrow the scope of any attack, limiting possible PII breaches to fewer people.

3. Protect data by not collecting it

DiPietro recommends hospitals stop collecting patient social security numbers (SSN) and other PII. “Better protect patient data by removing sensitive data — for example, replacing a patient’s SSN with a non-sensitive identifier,” he says.

Social security numbers haven’t been required for insurance reimbursement since before 2014, so why does your hospital still ask for them? What other personal information does your facility collect that you don’t really need? Hackers can’t steal data you don’t have — through a medical device or any other means.

Unfortunately, this tip may be a hard pill for the business side to swallow: It requires change. As ABC News reports, many hospitals ask for social security numbers simply because there’s a line for them on forms. Pulling that line off takes buy-in from multiple departments.

Management doesn’t always speak security, but they do speak HIPAA, so improve your chances by showing how minimizing data collection helps with regulatory compliance as well. DiPietro says, “Medical staff sometimes ask [for PII] in public settings, such as waiting rooms” where anyone can overhear, and that’s a HIPAA violation. Limiting the info requested solves a problem for you and them — and it gets patients triaged more quickly.

4. Teach everyone about security

The nurse who checks an IV machine doesn’t have to be a cybersecurity expert, but she does have to know hacks happen. This isn’t just so she can call IT when equipment acts up. It’s also so she doesn’t accidentally help the hackers. “If someone wanted to attack an x-ray machine,” DiPietro explains, “they likely wouldn’t start with going after the operating system or trying to hack into the network. They would likely start with researching the machines, how often they should be updated, who is using them, and who is in charge or has oversight. They may start by calling the hospital, posing as a representative from the x-ray machine company and trying to find out who is in charge of that machine,” which is where that nurse comes in. “The hospital may inadvertently give the attacker a name and the attacker can often guess an email via social engineering,” he continues. “Once the attacker has that, they don’t have to really ‘hack’ the network. They can just use approved credentials.”

According to KPMG’s survey, 38 percent of respondents train all senior leadership on infosec while 34 percent run cyber-response drills for specific staff. But IT and management are where the study says most training stops, leaving all other employees vulnerable to phishing calls.

5. Invest in deception tech

Carolyn Crandall, chief deception officer for security company Attivo Networks, says, “Healthcare IT teams need tools in their arsenal that not only defend the network perimeter but also help them detect and respond to in-network threats quickly, efficiently, and effectively.” These tools, of course, include a technology Attivo sells: deception software.

Don’t be so quick to dismiss Crandall’s advice just because she’s a vendor. “Deception is an emerging security control driven by the need to reduce attacker dwell time,” she explains, adding that the average U.S. hack remains undetected for 100 days. Some hospitals use next-gen firewalls for protection, she continues, “but these [are] centered on signature or database look-up” and don’t protect against credential harvesting. As DiPietro pointed out, once hackers have the right credentials, they can waltz right through.

Deception tech, Crandall explains, creates an “endpoint where deceptive credentials and bait are strategically placed to entice an attacker into harvesting them.” This, she says, sets up a trap for security teams to catch medical device hacks before they happen.
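The data-minimization advice in tip 3 (drop fields you don't need and replace the SSN with a non-sensitive identifier), as an added Python illustration that is not from the article or any vendor. The record fields, the sample intake record and the in-memory token vault are assumptions made for the example.

```python
"""Minimize an intake record: keep only the fields a workflow needs and
swap the SSN for a random surrogate that carries no SSN information.
Added illustration; the vault is an in-memory dict standing in for a
separately protected store (hypothetical design, not from the article)."""
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
# Fields the clinical workflow actually needs; everything else is dropped.
ALLOWED_FIELDS = {"name", "date_of_birth", "insurance_member_id"}

# Constructed sample intake record (not real data).
INTAKE_RECORD = {
    "name": "Jane Example", "date_of_birth": "1980-01-02",
    "ssn": "123-45-6789", "insurance_member_id": "INS-000123",
    "mothers_maiden_name": "Doe", "emergency_contact_phone": "555-0100",
}

class TokenVault:
    """Maps surrogate tokens back to the original SSN. In production this
    lives in a separate, access-controlled service, not the intake system."""
    def __init__(self):
        self._by_token = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError("not a valid SSN format")
        token = "PT-" + secrets.token_hex(8)  # random; reveals nothing about the SSN
        self._by_token[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]

def minimize_record(record: dict, vault: TokenVault) -> dict:
    """Return a copy safe for front-line systems: unneeded fields dropped,
    SSN replaced by a surrogate token that only the vault can resolve."""
    out = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    if "ssn" in record:
        out["patient_token"] = vault.tokenize(record["ssn"])
    return out

def contains_ssn(record: dict) -> bool:
    """Sanity check before storage: does any string value look like an SSN?"""
    return any(isinstance(v, str) and SSN_RE.match(v) for v in record.values())
```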
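The trap Crandall describes in tip 5 rests on one property: a planted decoy credential has no legitimate user, so any authentication attempt naming it is a high-confidence detection. The Python below is an added illustration of that detection logic over constructed log lines, not code from the article or any deception product; the decoy account names, hosts and log format are assumptions.

```python
"""Flag authentication events that use decoy (bait) accounts. Added
illustration; account names, hosts and the log format are hypothetical."""
import re

# Decoy accounts planted on bait endpoints; nothing legitimate uses them.
DECOY_ACCOUNTS = {"svc_xray_backup", "mri_admin_legacy"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>[\d.]+) result=(?P<result>success|failure)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2018-05-01T02:14:07Z imaging-srv-3 auth: user=jsmith src=10.20.4.15 result=success
2018-05-01T02:14:09Z imaging-srv-3 auth: user=svc_xray_backup src=10.20.9.77 result=failure
2018-05-01T02:14:11Z imaging-srv-3 auth: user=svc_xray_backup src=10.20.9.77 result=success
2018-05-01T02:15:30Z pacs-gw-1 auth: user=nurse_k src=10.20.4.22 result=success
"""

def parse_line(line: str):
    """Parse one auth log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_decoy_use(log_text: str):
    """One alert per event whose user is a decoy account. Success or
    failure is irrelevant: the bait was harvested and replayed either way."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["user"] in DECOY_ACCOUNTS:
            alerts.append({
                "when": ev["ts"], "host": ev["host"], "user": ev["user"],
                "src": ev["src"], "result": ev["result"], "severity": "critical",
            })
    return alerts

def attacker_sources(alerts):
    """Source addresses that touched bait, for containment and hunting."""
    return sorted({a["src"] for a in alerts})
```

Because the decoy accounts are never used legitimately, the alert list needs no baselining or tuning, which is what lets this control cut dwell time where signature look-ups cannot.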