- Medical device security was thrust into the spotlight in 2018, as the Food and Drug Administration continued to bolster its cybersecurity program. In fact, an August MedCrypt report found that since the FDA released its cybersecurity guidance in 2016, medical device vendors reported 400 percent more vulnerabilities per quarter.
The increase in disclosures is a sign of growing compliance and maturing security risk assessments – and the hope that healthcare is beginning to move the needle on device security.
“We’ve made some great strides in the FDA’s work on the premarket side and post-market guidance,” said Christian Dameff, MD, an emergency room doctor and researcher at the University of California San Diego.
“There’s been a lot of good outreach from the federal regulator’s side in the private sector,” he continued. “FDA has really showed up to the table and said, ‘We’re willing to talk and move forward.’ Last year, really laid out a very clear plan for where they’re going to in the future.”
It’s also promising that healthcare stakeholders are having these conversations. Researchers are finding the vulnerabilities, healthcare organizations are aware of the problems, and manufacturers are now patching some of these flaws, he explained.
To Stephanie Domas, MedSec Vice President of Research and Development, the premarket progress has been tremendous, with manufacturers prioritizing and truly integrating cybersecurity into the device platforms.
The Department of Health and Human Services’ recent cybersecurity guidance also shed light on the issue, Domas said.
“The technology has outpaced our ability to secure it, and now we’re trying to catch up.”
In the top five cyber threats to healthcare, medical devices were listed in its own category – that brings some much needed awareness to the issue.
Patient Safety Risk
Given that an earlier MedCrypt study found that between 100 to 1,000 patients had adverse events from compromised healthcare infrastructure cybersecurity events like ransomware, compromised EHRS or a facility systems attack, these conversations and actions will be crucial in the coming year.
The most concerning part around medical device security is the potential impact on patient care, explained Dameff.
“For the longest time, security in healthcare was focused around HIPAA: Let us protect patient data at all costs because there are federal regulators that will slap us with a fine if we don’t,” said Dameff. “It’s a big deal, but we’re still having breaches almost every day and OCR fines.”
“That continues to be a be part of paradigm shift because there is regulation around it,” he added. “With medical devices specifically, it’s a continuation on that, but the concern is around the patient dataset.”
The security concerns are often overlooked in terms of patient safety. Dameff explained these are tools like CT scanners or lab equipment.
“I always talk about being part of this new generation of doctors who’ve never used paper charts,” said Dameff. “With all of this digital connectivity, when it fails, we’re pretty ineffective at our job. We’re pushing the boundaries of it, but the technology has outpaced our ability to secure it and now we’re trying to catch up.”
“You’re only as strong as your weakest link,” he added. “It doesn’t matter if you have the best security tools out there. If you have exposed connected medical devices—that could be an entry point into a network.”
More Than a Patching Problem
Manufacturers may be building more secure platforms for the market and releasing patches for the legacy devices already in the field, but it’s not enough.
The issue now, and into the future, will be handling the legacy side, where there hasn’t been as much progress, Domas explained.
“Manufacturers are prioritizing new devices with cybersecurity,” said Domas. “But now it’s time to turn the eye to the old devices and see what we can do about it. The average lifespan of a device is 15 to 20 years. So, we’re still looking until at least a decade until these devices that weren’t designed with security in mind, to be taken off market.”
“And you can’t do as much as manufacturers, as they’re already out there,” she added. “It’s not just a patching problem, it’s also a transparency problem right now. When manufacturers release this fix, or maybe there’s no fix, a number of hospitals get the software patches, but information missing, so what can the hospital do to help?”
Domas explained that it comes down to an information problem, where the educational tools to safely apply these patches or fix these devices aren’t disseminated. In end, many hospitals become afraid of locking down systems and other things because they don’t know what can run.
“It doesn’t matter if you have the best security tools out there. If you have exposed connected medical devices—that could be an entry point into a network.”
Also adding to the problem is that many hospitals struggle with understanding what devices they have on the network, she added.
“But on the manufacturer’s side, they struggle with how you get updates out to people,” said Domas. “You lose track of how complex the health ecosystem is—where the manufacturer releases an update and it’s tough to apply.”
“A lot of manufacturers don’t even know who to alert, and hospitals don’t understand what’s running on their system. It’s very complicated,” she continued. “We’re seeing more software updates rolled out – but the whole ecosystem needs to come together to figure out how to iron out complexities around updates and how apply it.”
Could FDA do More in 2019?
Dameff sees the FDA working toward filling in some of these gaps and addressing some of these concerns. Specifically, the software bill of materials is coming down the line and should identify new vulnerabilities and disseminate the information.
But currently, healthcare is in the “last mile problem.” All of the elements are in place – except for getting healthcare delivery organizations to bring medical device security up to par and apply those patches.
There are many conflicting reports on what can be safely patched and what can’t, and many aren’t applying patches as a result, explained Dameff.
“The FDA has been really great on inviting people and having an open discussion. We can likely expect an updated guidance that will come out of this month’s workshop,” said Dameff. “We’ve never had FDA leadership speak so strongly about this, and that’s great. We’ll see that continuing. It might set the tone for the future of the FDA, as well.”
“But right now, we need to transition to having best practice threat sharing,” he added. “While some people are doing it right… everyone needs to show up to the table to listen to it… There’s reluctance because they feel like they can’t do anything – and they’re not going to get a budget bump for medical device security – so I think a lot are saying why do what I can’t control?”
Part of the issue boils down to how security is handled within an organization. Traditionally, biomedical is separate from IT, which means that a lot of these security issues aren’t caught.
“[Biomed] generally lacks the security expertise,” said Dameff. “We have this siloed expertise that has led to this ineffective policy in hospitals: I secure the network, you secure everything else and when there’s conflict there’s really no accountability. You need a unified strategy. It’s still an alien concept that biomed should be a part of IT.”
“Medical devices are their own animal,” Domas said. “We need to resource tools that don’t fall under traditional IT reporting. There’s the parts issues and tools: Traditional tools don’t work for medical devices.”
“It’s not just a patching problem, it’s also a transparency problem right now.”
For example, to find these issues traditionally you’d use a digital “poke” to see what it is and its capabilities. But Domas explained that it’s not safe to do on a medical device.
“Device identification is hard, you can’t use traditional tools, or you can the risk device misbehaving,” she said.
To start, organizations can begin by watching the traffic for any rogue communication, Domas explained. Medical devices are complicated as often you can’t determine 100 percent whether malware is on the device.
“I can’t isolate that thing on a network and can’t guarantee it’s not going to harm a patient,” said Domas. “And traditional infosec setups can’t be used on medical devices. How can I know with certainty what’s going on? Traditional strategies don’t work on medical devices.”
For tools, the deidentification side it becomes a lot harder. Domas explained the need for purpose-built tools and medical scans for devices that are completely passive and don’t send that digital poke. Instead, you watch the behavior and see what it does and use that information to identify the device.
“The tool has to work a lot harder than a traditional poke,” said Domas. “So organizations can partner with device manufacturers to get the inside information on what it should be doing. You can notify the manufacturer that can do some safe actions without affecting digital function.”
“These are medical device-specific tools – but a hospital first has to appreciate that traditional tools don’t work on medical devices,” she added. “With security, you can never say it’s fixed. So much starts with awareness: None of this is going to get better until hospitals appreciate and accept that they need to do something different with medical devices.”