Closing the Gap in Medical Device Cybersecurity

Adam Brand, Director IT Security and Privacy

In June 2017, the Health Care Industry Cybersecurity Task Force released its draft report on how to strengthen patient safety and cybersecurity in healthcare. Three of the six imperatives in the report for improving patient safety focused on reducing the vulnerability to cyber attacks of networked medical devices. Since then, this issue has received much more attention within the industry, in the media, and among regulators and Congress.

Awareness of medical device cybersecurity vulnerabilities has grown. The Industrial Control Systems Computer Emergency Response Team (ICS-CERT) issued 16 vulnerability alerts so far in 2017 — up from only a handful in 2015 and 2016.

In addition, bills were introduced in both the U.S. House of Representatives (H.R. 3985) and the U.S. Senate (S.1656, S.1691) that proposed minimum security controls and other government actions to address medical device security.

Finally, the U.S. Food and Drug Administration’s (FDA) Associate Director for Science and Strategic Partnerships, at the Center for Devices and Radiological Health, underlined the agency’s concerns about networked medical devices, which were also documented in FDA pre-market guidance and post-market guidance from 2016.

Many people assume that the FDA tests or validates medical devices for cybersecurity as part of the device approval process. The FDA does not have a mandate to perform any device testing. It provides guidance to manufacturers, but the manufacturers are responsible for any testing and validation. Many manufacturers today have been engaging third parties such as Protiviti for cybersecurity testing of devices, and a few others have been beneficiaries of free testing performed by security researchers (“ethical hackers”) who have obtained their devices.

Hospital purchasing groups have been reviewing and revising their cybersecurity requirements for networked devices to include additional security controls, such as updateability and a requirement for third-party penetration testing. Hospitals have also been slowly replacing outdated devices that have unsupported operating systems and other known vulnerabilities with more modern, less risky technology, and reviewing IT practices to ensure that these devices are better protected.

This is significant progress. Former Vice President Dick Cheney made headlines in 2013 when doctors disabled wireless controls in his implanted defibrillator to thwart potential cyber assassination attempts – but that was seen as an extreme precaution at the time. Until recently, in fact, many healthcare organizations did not consider medical devices to be part of the information technology ecosystem – a carryover from a time when medical devices were primarily mechanical and could not be accessed remotely.

Security consciousness has grown in leaps and bounds, of course, and widely publicized, hugely impactful attacks like WannaCry (apparently courtesy of North Korea) have played their role in that. Patient privacy concerns and an increasing awareness of the value of personal health data, which beats credit card numbers in value by a factor of 20, have added to the awareness. Finally, there is the very real danger of patient harm – in August, for example, the FDA issued a recall for 465,000 pacemakers it deemed vulnerable to hacker-induced rapid battery depletion and inappropriate pacing. No patients were known to be harmed, but the ubiquitous vulnerability made manufacturers, cyber experts and hospitals sit up and pay attention.

A few years ago, some researchers at Protiviti conducted an experiment. We connected several systems emulating vulnerable medical devices to the internet and sat back to see what happened. Over the course of six months, hackers successfully logged into the “honeypot” devices more than 55,000 times, and installed more than 300 pieces of malware. The fact that the hackers didn’t seem to be aware that they had penetrated a medical device, but rather any connected device, should make no difference. Medical devices on the internet can and will be compromised.

We still have a long way to go. Connected medical devices will proliferate because they increase efficiency, reduce errors, and allow remote monitoring of patients in their homes, reducing medical costs. With more connected devices, there will be increased regulatory pressure as well, and increased interest by ethical and malicious hackers. At Protiviti, we will continue to report on this important issue as it evolves. In the meantime, the action items outlined in our flash report on the Cybersecurity Task Force report are a good place to start.
