Hacking our way into cybersecurity for medical devices
Hospitals are filled with machines connected to the internet. With a combination of both wired and wireless connectivity, knowing and managing which devices are connected has become more complicated and, consequently, the institutions’ attack surface has expanded.
When did these devices get smart?
A brief timeline shows the FDA didn’t start regulating the connectivity of devices until 2005, but medical devices started to leverage software back in the ‘80s. Clinical capabilities have benefited greatly from this digitalization, bringing features, data collection and analytic computing to clinical care. Some devices that have been digitized include pacemakers, infusion pumps, ventilators, CT and MRI scanners, all of which (as a result) contain patient information and have some level of connectivity. Walk into a healthcare conference today and you’ll be hard-pressed to find devices that don’t offer connectivity via wires, Bluetooth, and/or wirelessly.
Wearable devices and at-home medical devices are also becoming increasingly common. The ability for a device to transmit vital sign data from a patient’s home to hospital staff has encouraged the expansion of the telehealth industry. It has also made it possible for the emergency medical community to respond to device alerts. In some cases, health insurance companies use data from fitness trackers to incentivize medical expense management and “wellness” promotions.
Information exposure and theft
There was a time when medical devices relied on physical security to limit who could update a device. But to enhance clinical experience, many of these devices have since been retrofitted so they can be networked and managed remotely by both provider and vendor.
These devices often carry patient personal information (such as Social Security numbers), health insurance information, contact information and information about health conditions. Connectivity and inevitable software vulnerabilities mean that this data can potentially be exposed.
There are some predictable schemes for obtaining a person’s SSN – insurance claims, tax filings, rebate claims, bank loan documents. More healthcare-specific is the idea of a deceased patient’s SSN being used to run a scheme, as there tends to be less monitoring of financial activity after someone has died. There are also those who use insurance and contact information to claim prescriptions or run phishing schemes on an aging population. The combination of patient health factors and geographic location can sometimes also allow scammers to pinpoint a person’s identity and discover other personal information that can be of use.
Understanding devices in the field
When a connected medical device is procured by a healthcare delivery organization (HDO), the terms for ongoing support are a critical component of the negotiation. This often includes medical device manufacturers (MDMs) supporting device bug resolution, patching for known vulnerabilities, and enhancements to security over the warrantied lifetime of the device.
However, there is no mandate to remove a device that’s past vendor warranty from operation. With payers influencing HDO procurement strategies, devices that “still work” can be difficult to throw out, especially when a cybersecurity vulnerability is “theoretical.”
Imagine a vulnerability is identified on a single device that is no longer under warranty. This means the vendor no longer provides software patches. The same vulnerability may then be exploited on other installations of the same device. Devices that are no longer receiving updates for known vulnerabilities pose an exponential threat: they are exactly what hackers look for as an entry point into critical healthcare data.
An additional consideration is the development practices for medical devices. Many MDMs develop their software on commercial operating systems such as Windows. Software is phased out all the time – it’s part of the development life cycle. But, for example, the end of Windows 7 support in 2020 means medical devices in the field that run Windows 7 will become more vulnerable with each passing day. Every virus or malware attempt will no longer face Microsoft’s security capabilities and improvements. These devices and HDOs will have to fend for themselves.
Exploitation
Setting aside the data available on a device, there is also the possibility of attackers using devices as a gateway into an HDO’s network. Due to budgeting decisions and the organizations’ preference for clinical investments, hospital IT departments often work with limited resources. In some instances, the limited allocation of resources towards recovery procedures has made HDOs especially susceptible to ransomware attacks.
Some have suggested that a hospital should revert to emergency protocols (i.e. pencil and paper mode) to operate during a cyber attack, as occurred when parts of the NHS were shut down due to WannaCry. This can limit the impact of attacks on elective procedures, but what about patients with urgent needs?
Research shows a 13.3% higher mortality rate for cardiac arrest patients who experienced a four-minute delay in care. And a delay in care due to a network takeover by hackers is likely to be more than four minutes.
Even in the wake of multiple HDOs implementing better security practices after an attack, there is evidence of negative outcomes for patients in facilities with a historic breach. The 0.04% increase in mortality rate observed is the equivalent of the 0.04% increase in positive outcomes for patients based on enhanced treatments.
What happens next?
The FDA draft premarket cybersecurity guidance from October 2018 recommends incorporating the NIST Cybersecurity Framework (NIST-CSF). NIST-CSF includes a combination of both technical and procedural interventions into both the design and support of devices. While there is no risk rating associated with the NIST-CSF sub-categories, the technical sub-categories tend to require more effort and technical sophistication to implement.
However, there is no need for healthcare to go it alone – we can learn from other industries. We have seen the financial services industry, often perceived as a cybersecurity leader, manage cyber threats by leveraging tools to implement and maintain security over time. The migration away from building personalized data centers to using commercially available cloud-based service providers is a prime example of this. There have been numerous case studies showing how cloud hosting enhances security responses (especially redundancy & availability), expedites product development and reduces maintenance cost over the lifetime of a product.
As medical device manufacturers develop new products and update products currently in the field, using relevant tools to address the FDA premarket guidance and incorporating industry leading best practices is surely the most sustainable and scalable approach.