Medical Device Security Requires Standards, Shared Responsibility

March 16, 2022 - Medical device security is arguably one of the biggest security challenges healthcare organizations face today. With thousands of connected devices moving around a hospital at once, organizations have historically struggled to keep a reliable inventory.

In addition, threat actors have discovered that outdated legacy medical devices might be a more accessible network entry point than other attack vectors.

Unit 42 researchers recently discovered that 75 percent of over 200,000 analyzed infusion pumps contained known security vulnerabilities. Meanwhile, Vedere Labs found seven severe vulnerabilities in the PTC Axeda agent that may allow threat actors to remotely execute code, alter system configurations, and access files.

Effectively combatting mounting medical device security concerns requires collaboration across the supply chain and beyond, from regulators to manufacturers and providers.

"Awareness, understanding, and collaboration have exponentially increased over the last ten years, and that has been great to see," Anura Fernando, global head of medical device security at UL, a global safety certification company, explained in an interview with HealthITSecurity.

"The problem, however, is not only keeping pace but also accelerating. There are a number of technical, logistical, and economic challenges that still need to be worked through."

Current State of Medical Device Security

The early-to-mid 2000s saw an increased focus on driving healthcare costs down and improving access to care around the globe, Fernando recalled.

"Policies, legislation, and regulations started to change to enable that. As a result, more innovative network-connected technologies entered the healthcare space," Fernando explained.

But as much as new technology and digital transformation positively impacted the sector, negative security impacts followed suit.  

"We improved accessibility and drove down costs to an extent, but we also expanded the attack surface of all of healthcare by virtue of the fact that we moved into these open network environments," Fernando continued.

Before this shift, experts primarily focused on the safety and security of devices and technologies on an individual basis. But now, thanks to interoperability and digital transformation efforts, medical devices are integrated into EHR systems and middleware technologies that bind them to the organization's network.

This integration streamlined workflows and enabled better care delivery, but it also presented a host of security concerns. Unsecured medical devices could serve as an open door to threat actors, who may take advantage of unpatched vulnerabilities to gain network access and deploy ransomware. 

Regulators, manufacturers, and providers found themselves scrambling to establish industry standards and best practices for medical device security in this new technological landscape.

The Need for SBOMs, Industry Standards

"Supporting standards development at the domestic and international level and promoting the use of standards not only in design and development but also in procurement processes can aid the cause of improving the cybersecurity posture of the healthcare sector," Fernando suggested.

The US Food and Drug Administration (FDA) is the primary medical device regulator, but other organizations have stepped in to help fill in the gaps. For example, MITRE and the Medical Device Innovation Consortium (MDIC) partnered with the FDA to release a playbook for medical device threat modeling. The Cloud Security Alliance (CSA) issued a playbook to help organizations with medical device incident response.

These efforts are all steps in the right direction, and they all underscored the need for standardized industry guidance.

While the FDA regulates end-use technologies, Fernando noted that component technologies often fall into a gray area. The FDA's Quality System (QS) Regulation exists to hold manufacturers to certain standards, but the generality of the regulation leaves much to be desired. The FDA recently called for comments on amendments to the QS regulation.

"FDA has identified in the QS regulation the essential elements that a quality system shall embody, without prescribing specific ways to establish these elements," the FDA's website states.

"Because the QS regulation covers a broad spectrum of devices, production processes, etc., it allows some leeway in the details of quality system elements. It is left to manufacturers to determine the necessity for, or extent of, some quality elements and to develop and implement specific procedures tailored to their particular processes and devices."

Widespread use of software bill of materials (SBOMs) offers a potential fix. SBOMs are similar to a nutrition label—they list the "ingredients" of a device, including all software components. Ideally, medical device manufacturers should produce SBOMs to promote transparency and enable faster vulnerability remediation.

"If you don't understand the vulnerabilities that might exist in the component that you are putting into the system, you are essentially designing in vulnerabilities and increasing the attack surface," Fernando emphasized.

"By having a robust, machine-readable software bill of materials, you are not only enabling the mitigation of vulnerabilities, but you are also facilitating the ongoing vulnerability management of the system that's being deployed."

Motivated by President Biden's executive order on improving the nation's cybersecurity, organizations across all industries have increasingly turned to SBOMs to ensure software supply chain security. The executive order emphasized SBOMs as especially critical to securing US critical infrastructure.

Recent research indicated that healthcare is trending in the right direction regarding SBOM adoption. The Linux Foundation found that the healthcare sector led SBOM adoption by a wide margin compared to other industries.

Hurdles to widespread SBOM adoption include the repeatedly disproven theory that SBOMS may provide a blueprint to hackers. Fernando noted that any motivated hacker could find a way to hack a system, with or without an SBOM. In addition, the benefits far outweigh the negatives.

If healthcare regulators and manufacturers embrace SBOMs, organizations will be able to patch devices and manage vulnerabilities more efficiently.

Shared Responsibility, Accountability Essential to Medical Device Security

"Going back a number of years, this notion of shared responsibility being critical for dealing with security in the healthcare ecosystem has been understood," Fernando said.

"Hospitals and medical device manufacturers have had to look at how they interact with each other because they are part of the same supply chain."

The Healthcare & Public Health Sector Coordinating Council (HSCC) recently published model contract language to help healthcare organizations ensure medical device security when crafting contracts with device manufacturers.

The need for a contract template stemmed from ongoing complications between healthcare organizations and medical device manufacturers (MDMs) regarding responsibility, accountability, and varying cybersecurity expectations.

The HSCC Model Contract Language task group attributed some miscommunications to inconsistent contract terminology between healthcare organizations and MDMs. The group suggested that the inconsistent language ultimately led to cybersecurity responsibility and accountability ambiguities in the past.

HSCC's guidance further emphasized the need for collaboration and communication between healthcare organizations and manufacturers from device development to deployment. In addition, different regulatory agencies such as the FDA and the Office of the National Coordinator for Health Information Technology (ONC) also must collaborate to establish standards.

"As a community, everyone is starting to become more aware of these problems. Governments, hospitals, device manufacturers, and patients are starting to come together to collaboratively work through these problems," Fernando remarked.

Medical device security will continue to evolve as technology advances. For that reason, it is crucial to collaborate and maintain open communication between key stakeholders to ensure patient safety.