Medical device security has become a much bigger concern for healthcare organizations since ransomware attackers began using vulnerable medical devices in their attack campaigns.
There has always been industry and regulatory concern about the risks that vulnerable medical devices could pose to patient safety.
However, attackers using medical devices to harm patients is a rare occurrence. Much more likely and more concerning to healthcare organizations is the use of device security vulnerabilities to gain access to the corporate network to steal data or deploy ransomware.
The WannaCry ransomware attack of last year infected many medical devices. Research by the Institute for Critical Infrastructure Technology found that attackers could use medical devices to set up beachheads for future attacks. The entire network could be vulnerable because there is often no endpoint security for these devices.
A number of initiatives are underway to identify security threats to medical devices and deploy strategies to combat malicious interference with this key component of the healthcare infrastructure.
From the FDA to the multistakeholder Healthcare and Public Health Sector Coordinating Council, experts from across the industry agree that collaboration and proactive preparation are vital for maintaining the security of devices that directly support quality patient care.
Medical devices as launching points for attacks
While press reports tend to focus on the threat that vulnerabilities in medical devices pose to patients, the risk that attackers can use medical devices to steal data and infiltrate the network is much greater.
“There is a potential for patient harm that has been demonstrated academically. Medical researchers have found vulnerabilities that can impact the performance of devices, but we haven’t seen that in the wild,” said MITRE IT and Cybersecurity Integrator Penny Chase.
However, attackers do exploit medical device vulnerabilities to steal EHR data for financial gain and deploy ransomware.
“Medical devices can serve as pivot points into a hospital. An adversary could attack a medical device and use that to get access to the rest of the hospital network,” Chase told HealthITSecurity.com.
She explained that clinicians must weigh the small risks that these vulnerabilities pose to patients against the large benefits of delivering life-saving treatment with these devices.
Suzanne Schwartz, FDA Associate Director for Science and Strategic Partnerships at the Center for Devices and Radiological Health, said that her agency’s main concern around medical devices is patient safety.
“From where we sit, our mission is in terms of protection and promotion of public health; our great concern is for the medical device’s ability to perform in the way that it is supposed to perform — what we call its intended use,” Schwartz told HealthITSecurity.com.
If the device’s functionality is affected through an exploitation, then this could result in a safety concern for patients and to the public health community, she noted.
“There are other risks associated with vulnerabilities in medical devices, such as a point of entry into a networked hospital to gain access to either PHI or PII that can be monetized by a cybercriminal,” she added.
The FDA’s focus on medical device security, both pre-market and post-market, is to identify regulatory incentives for industry to be proactive in the identification of vulnerabilities and address them in a timely manner.
“We are concerned about the times when malware or ransomware attacks can affect the clinical operations of an entire healthcare organization by shutting down equipment. That is an area that certainly we’re paying very close attention to,” Schwartz said.
The FDA’s emphasis from the beginning has been around building community and collaboration. The agency brings all the stakeholders to the table and gives them a voice. It enables them to work together as a community towards addressing medical device security, she noted.
“The push has been towards being proactive as opposed to reactive. We have seen over the past few years some really substantial progress, and we are encouraged by what we’ve seen across the ecosystem with regard to manufacturers really being champions in certain areas, as well as working together with healthcare delivery organizations,” said Schwartz.
She identified two stakeholder groups that in the past have pointed fingers at each other and were quite confrontational—manufacturers and healthcare organizations. The FDA has been working with both groups to come up with solutions to the medical device security problem.
Fostering collaboration through the Medical Device Security Task Force
Part of that effort involves the FDA working with manufacturers and healthcare providers within a task force set up by the Healthcare and Public Health Sector Coordinating Council as part of the Cybersecurity Information Sharing Act (CISA) of 2015.
The law directed HHS to stand up the Healthcare Industry Cybersecurity Task Force, a group of 17 industry members and four government members.
The group delivered a report to Congress in June of 2017 in which it recommended prioritizing the security and resilience of medical devices and health IT.
Greg Garcia, Executive Director for Cybersecurity at the Healthcare and Public Health Sector Coordinating Council, said that the council's Joint Cyber Security Working Group (JCSWG) set up a medical device security task group (Task Group 1B) to respond directly to the task force’s report to Congress.
“The medical device community really took the recommendations [in the congressional report] to heart, and last fall started developing a joint strategic plan. The idea was to make this an iterative process that would ultimately result in an expression of joint commitment from both the medical device community and the hospital community about how to enhance cybersecurity risk management for medical devices,” Garcia told HealthITSecurity.com.
The joint strategic plan, now called the joint security plan, sets out a series of voluntary best practices for designing and building security into medical devices.
These best practices include patch management, remote patching, vulnerability disclosure, communicating with customers, and addressing products and devices that are nearing the end of their supported lifetimes.
The plan includes a structured cyber risk management framework that details what the medical device community is responsible for and what the healthcare providers are responsible for when it comes to medical device security, Garcia explained.
The medical device and healthcare provider participants recognize that cybersecurity is a shared challenge and a shared responsibility, Garcia added.
Even if device makers were to embed the best security into their devices, the user community can still be vulnerable if organizations are not appropriately managing all aspects of their enterprise architecture, their network security, and their employee training, he said.
The joint security plan is intended to generate consensus between manufacturers and providers about those shared responsibilities. The effort is co-chaired by Rob Suarez with medical device maker BD, Kevin McDonald at the Mayo Clinic, and Aftin Ross of the FDA.
“You have the three major stakeholders [device makers, healthcare providers, and the FDA] in this process with an incentive to find a solution that is scalable, from small to mid-sized hospital organizations and medical device makers, to the much larger, more sophisticated national and global entities,” Garcia said.
Developing the FDA Action Plan
In order for healthcare organizations to meet their responsibilities and successfully secure their devices, they will need what’s called a “software bill of materials,” Garcia said.
“Manufacturers ought to be able to tell their customers what software is in the product being sold; for example, what version of Windows, BIOS, or firmware is in the product. This will enable the security teams at the customer to better manage their security as part of their asset management program,” he said.
The FDA agrees and has included a proposal around the idea in its Medical Device Safety Action Plan, released earlier in 2018.
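To show what a software bill of materials buys the customer's security team in practice, here is an added example (not code from the article or from any of the organizations it quotes). It keeps a per-device SBOM for a small constructed fleet, with hypothetical asset ids, model names, component names ("ExampleRTOS", "ExampleOS", "ExampleBIOS") and versions, and cross-checks it against a constructed advisory ("ExampleRTOS fixed in 4.3.0"). Devices whose affected component is already past its supplier's end-of-support date are sorted into a separate bucket, since for those there is no patch to schedule, which is the end-of-life situation the joint security plan calls out.

```python
"""Cross-check per-device software bills of materials against an advisory (added example).

All asset ids, models, component names, versions and dates below are constructed for
illustration; they do not describe any real product or vulnerability.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


def parse_version(v: str) -> tuple:
    """Turn '10.0.19041' into (10, 0, 19041) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str                              # OS, BIOS, firmware image, library, ...
    version: str
    end_of_support: Optional[date] = None  # None when the supplier has not announced one


@dataclass(frozen=True)
class DeviceSBOM:
    asset_id: str
    model: str
    segment: str                           # network segment the device sits on
    components: Tuple[Component, ...]


# Constructed fleet inventory (hypothetical devices and versions).
FLEET: List[DeviceSBOM] = [
    DeviceSBOM("PUMP-0001", "Infusion pump (hypothetical)", "life-critical",
               (Component("ExampleRTOS", "4.1.0", end_of_support=date(2018, 6, 30)),
                Component("ExampleBIOS", "1.12"))),
    DeviceSBOM("PUMP-0002", "Infusion pump (hypothetical)", "life-critical",
               (Component("ExampleRTOS", "4.3.2"),
                Component("ExampleBIOS", "1.12"))),
    DeviceSBOM("MON-0010", "Patient monitor (hypothetical)", "clinical",
               (Component("ExampleRTOS", "4.2.5"),)),
    DeviceSBOM("IMG-0007", "Imaging workstation (hypothetical)", "clinical",
               (Component("ExampleOS", "10.0.1"),)),
]


def assets_with_affected_component(fleet, component: str, fixed_in: str):
    """Assets whose SBOM lists `component` at a version below the one the advisory says is fixed."""
    fixed = parse_version(fixed_in)
    hits = []
    for dev in fleet:
        for c in dev.components:
            if c.name == component and parse_version(c.version) < fixed:
                hits.append((dev.asset_id, dev.segment, c.version))
    return hits


def components_past_support(fleet, today: date):
    """Every (asset, component, version) whose supplier support ended before `today`."""
    return [(dev.asset_id, c.name, c.version)
            for dev in fleet for c in dev.components
            if c.end_of_support is not None and c.end_of_support < today]


def triage(fleet, component: str, fixed_in: str, today: date) -> dict:
    """Map each affected asset to an action: patch if the component is still supported,
    otherwise compensating controls (segmentation, monitoring) and a replacement plan."""
    fixed = parse_version(fixed_in)
    plan = {}
    for dev in fleet:
        for c in dev.components:
            if c.name != component or parse_version(c.version) >= fixed:
                continue
            if c.end_of_support is not None and c.end_of_support < today:
                plan[dev.asset_id] = "unsupported: compensating controls, plan replacement"
            else:
                plan[dev.asset_id] = "schedule patch"
    return plan


if __name__ == "__main__":
    # Constructed advisory: ExampleRTOS before 4.3.0 is affected; assessed on 2018-09-01.
    for asset, action in triage(FLEET, "ExampleRTOS", "4.3.0", date(2018, 9, 1)).items():
        print(f"{asset}: {action}")
```

Without the SBOM the security team would have to ask every vendor whether each model contains the affected component; with it, the cross-check is a query over data the hospital already holds, and it can be re-run the same day an advisory is published.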
The FDA’s plan also includes the establishment of a CyberMed Safety (Expert) Analysis Board, a public-private partnership between the FDA and device makers to complement existing device vulnerability coordination and response mechanisms.
The board would include individuals with expertise in hardware, software, networking, biomedical engineering, and clinical environments. It would assess vulnerabilities, evaluate patient safety risks, adjudicate disputes, assess proposed mitigations, serve as consultants to organizations navigating the coordinated disclosure process, and function as a “go-team” that could be deployed in the field to investigate a suspected or confirmed device compromise.
The American Hospital Association is pushing to have healthcare providers included on the board. In comments submitted to the FDA, AHA said that providers “stand to benefit from the Board’s expertise on how to assess vulnerabilities, evaluate patient safety risks, assess proposed mitigations, and the other functions described in the safety plan.”
Schwartz said that the board is intended to fill a gap in the medical device security area.
“We are looking to have the appropriate expertise across disciplines — the private sector and government drawing upon the best that there is out there to help support and assess vulnerabilities that tend to be the most concerning from a high risk/high impact perspective,” she said.
Schwartz stressed that the board would complement existing practices and processes that are in place to address medical device vulnerabilities that present a significant risk to critical infrastructure and to patients.
She said that medical device vulnerabilities are currently assessed in a siloed and fragmented manner. Often, security experts who are called upon to address vulnerabilities don’t have visibility into the whole picture of cybersecurity vulnerabilities.
“We believe strongly that in order to be timelier and to mitigate risk to the public and reduce concerns for medical device security cases, it would be of enormous benefit to have a neutral entity positioned to do the work and come up with an objective assessment,” she said.
Standardizing the assessment of medical device vulnerabilities
Assessing what constitutes a vulnerability — and how significant the problem really is — can be a challenge for an industry that hasn’t had the greatest success thus far with standardization.
MITRE is currently working with the medical device security community to offer an enhanced solution in the form of the Common Vulnerability Scoring System (CVSS), said Chase.
The CVSS captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity.
But the score needs some adjustment, Chase said.
“When medical device vulnerabilities are discovered, there’s often disagreement about the CVSS score because it doesn’t take into account the clinical environment,” she opined.
“We convened a working group of medical device manufacturers, healthcare delivery organizations, cybersecurity experts, and other stakeholders to develop a rubric to provide better guidance on using CVSS to assess the severity of medical device vulnerabilities.”
“Our goal is to make CVSS more useful and consistent for device vulnerabilities. Hospitals would be able to use this rubric to better understand the impacts of the vulnerability, if exploited, as well as the effectiveness of security controls on reducing the risk posed by the vulnerability,” she added.
When the rubric is complete, it will be included as an appendix to the joint security plan being worked on by JCSWG.
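Chase's point that a CVSS score "doesn't take into account the clinical environment" is easier to see with numbers. The following is an added example, not code from MITRE, the working group or the article: it implements the CVSS v3.1 base and environmental scoring formulas from the FIRST specification and applies them to a constructed vector for a hypothetical device whose flaw affects availability only (the device can be taken offline over the network, but no data is exposed or altered). The environmental metrics are the specification's own mechanism for context: AR:H records that availability of the device is critical, which is how a life-critical device's clinical role can be expressed; MAV:A records that the device is reachable only from an adjacent network, which is the effect of the segmentation advice given later in the article. Neither the vector nor the rubric text below is the working group's rubric, which the article does not describe.

```python
"""CVSS v3.1 base and environmental score calculator (added example).

Metric weights and formulas follow the CVSS v3.1 specification (FIRST), section 7.
The device vector at the bottom is constructed for illustration.
"""
import math

_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
_AC = {"L": 0.77, "H": 0.44}
_PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # privileges required, scope unchanged
_PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}    # privileges required, scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}             # CR / IR / AR
_E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}  # temporal metrics
_RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
_RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(x: float) -> float:
    """Spec Roundup: smallest one-decimal value >= x, done on integers to avoid float drift."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("expected a CVSS:3.x vector string")
    return dict(p.split(":", 1) for p in parts[1:])


def _impact(iss: float, scope: str, environmental: bool) -> float:
    if scope == "U":
        return 6.42 * iss
    if environmental:   # the environmental formula uses a different polynomial for S:C
        return 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15


def base_score(m: dict) -> float:
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    pr = (_PR_C if m["S"] == "C" else _PR_U)[m["PR"]]
    impact = _impact(iss, m["S"], environmental=False)
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if m["S"] == "U":
        return roundup(min(impact + exploitability, 10))
    return roundup(min(1.08 * (impact + exploitability), 10))


def environmental_score(m: dict) -> float:
    """Modified metrics (MAV, MAC, ...) override base ones; CR/IR/AR weight the impact."""
    def mod(name):  # a missing or 'X' modified metric falls back to the base metric
        v = m.get("M" + name, "X")
        return m[name] if v == "X" else v
    ms = mod("S")
    miss = min(1 - (1 - _REQ[m.get("CR", "X")] * _CIA[mod("C")])
                   * (1 - _REQ[m.get("IR", "X")] * _CIA[mod("I")])
                   * (1 - _REQ[m.get("AR", "X")] * _CIA[mod("A")]), 0.915)
    pr = (_PR_C if ms == "C" else _PR_U)[mod("PR")]
    impact = _impact(miss, ms, environmental=True)
    exploitability = 8.22 * _AV[mod("AV")] * _AC[mod("AC")] * pr * _UI[mod("UI")]
    temporal = _E[m.get("E", "X")] * _RL[m.get("RL", "X")] * _RC[m.get("RC", "X")]
    if impact <= 0:
        return 0.0
    if ms == "U":
        return roundup(roundup(min(impact + exploitability, 10)) * temporal)
    return roundup(roundup(min(1.08 * (impact + exploitability), 10)) * temporal)


# Constructed vector: hypothetical network-reachable device, availability impact only.
DEVICE_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"


def clinical_context_scores(vector: str = DEVICE_VECTOR) -> dict:
    """Base score next to three environmental readings of the same flaw."""
    return {
        "base": base_score(parse_vector(vector)),
        "life-critical (AR:H)": environmental_score(parse_vector(vector + "/AR:H")),
        "segmented (MAV:A)": environmental_score(parse_vector(vector + "/MAV:A")),
        "life-critical, segmented (AR:H/MAV:A)":
            environmental_score(parse_vector(vector + "/AR:H/MAV:A")),
    }


if __name__ == "__main__":
    for label, score in clinical_context_scores().items():
        print(f"{label:40s} {score}")
```

For this vector the base score is 7.5. Declaring availability critical raises the environmental score to 9.3, moving the device behind a segmented network lowers it to 6.5, and the two together give 8.3. The same published vulnerability therefore warrants a different priority on a life-critical pump than on a back-office workstation, which is the disagreement Chase describes and the reason a rubric for applying CVSS consistently in hospitals is worth having.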
Improving device security now
While the FDA is working with healthcare organizations and manufacturers to develop a more secure future, what can hospitals and other providers do now to secure their medical devices?
MITRE’s Chase advised providers to include procurement language in contracts with security requirements for manufacturers, such as requiring devices to run antivirus software and be upgradable. She noted that the Mayo Clinic is willing to share the language it uses during the procurement process to help other hospitals remain secure.
Chase recommended that hospitals segment their networks so that “life-critical” medical devices are on a separate network from the organization’s main network to ensure continuity in case a problem strikes the larger network and to prevent compromised devices from being used as an entry point into the larger network.
Hospitals and other healthcare providers should also incorporate cybersecurity into their emergency preparedness and response plans.
“The value of having these plans is you understand what your processes are, you know who your internal team is, you know who you need to reach out to in terms of local law enforcement or your peers,” Chase said.
In addition, hospitals and other providers should join groups like the National Health Information Sharing and Analysis Center (NH-ISAC) to get regular updates about current cybersecurity threats, she said.
Schwartz agreed with Chase that hospitals and other healthcare providers should join NH-ISAC and other efforts in the healthcare and public health ecosystem to build awareness about cyberthreats and what organizations can do to stop them.
“[At NH-ISAC], there’s a targeted focus on building education, on building awareness for healthcare delivery organizations of all sizes so that they are better armed with information and what to do in the event of intrusions or attacks and better yet, how to be prepared, how to be better defensively,” she said.
Schwartz also recommended training employees about proper cybersecurity hygiene and about the risks posed to the organization and patients when devices are not handled appropriately.
The FDA encourages healthcare delivery organizations to interact frequently with manufacturers around education and to get involved in different efforts in the healthcare and public health ecosystem that help inform, educate, and build awareness about medical device security in their organizations.
Basic password maintenance is an important part of device management, added Garcia. He advised hospitals to change default passwords on medical devices to a strong password. “If you don’t do that, you open yourself up to the risk that the product can be hacked because it has a very simple password or no password at all,” he stressed.
Engaging with longer-term industry efforts to improve security while taking immediate steps to close gaps in the medical device ecosystem will help to ensure that healthcare organizations stay as far ahead of malicious actors as possible, said Chase.
“When it comes down to it, everybody really does want the patients to be treated safely and securely,” she said. “But there’s a lot of work to be done, and the bad guys are always ahead of us. We really need to figure out how we can come together and better protect ourselves.”