“Attackers see medical devices and other endpoints in the healthcare environment as rich targets,” explains Julie Connolly, principal cybersecurity engineer at MITRE.
Connolly identifies several security problems with medical devices that attackers can exploit and that healthcare organizations need to address. For instance, many older medical devices, which have lifespans of 15–20 years, do not have connected security capabilities built into them.
“[These devices were] primarily stand-alone devices, so security was not a factor. Today, they are connected to the Electronic Health Records (EHR) and the broader IT network in hospitals. They are running on older Windows and other operating systems that have vulnerabilities,” says Connolly.
“Now what do we do when there is a vulnerability in one of these medical devices? Who is responsible? Is the hospital responsible? Is the medical device manufacturer responsible? What about the regulators?” she asks.
Connolly explains that the Food and Drug Administration (FDA) regulates medical devices in the premarket (development) and postmarket (procurement, deployment, operations and maintenance, and disposal) phases of the medical device lifecycle.
“It’s not just ‘throw it over the wall’. It’s a lifecycle process. Everybody needs to be involved with it. This is a cultural shift for the industry,” says Connolly.
The complexity of the medical device marketplace makes it harder to find and fix security holes. It includes medical device manufacturers, healthcare providers, payers, regulators, professional societies, security researchers and venture capitalists, not to mention the patients themselves.
In fact, there are more than 80,000 doctors in the U.S. and 7,000 medical device manufacturers, with the top ten representing a 38% market share.
“There really aren’t medical device cybersecurity best practices. There is no one-stop shop for medical device security,” says Connolly.
At the same time, NIST’s National Cybersecurity Center of Excellence (NCCoE) has been working on security practice guides for particular types of medical devices, such as wireless infusion pumps, picture archiving and communication systems, EHR and mobile devices.
According to the NCCoE, the guides offer organizations a way to defend Protected Health Information (PHI) on mobile devices without getting in the way of delivering care. They help provide a straightforward approach to securing EHR on mobile devices, ensuring flexibility in implementation for different circumstances while enabling organizations to build on existing infrastructure and incorporate commercially available technologies.
Connolly believes that medical device ecosystems need to increase information sharing on threats, develop a common risk framework for medical device security and safety, and offer incentives for progress on medical device cybersecurity.
The MITRE analyst stresses that insecure medical devices and other healthcare endpoints can lead to Health Insurance Portability and Accountability Act (HIPAA) violations through data breaches. “Medical devices can be the weakest link on your hospital network. Attackers might use your medical devices as a stepping stone to get into your network to get to the crown jewels, which is the PHI in your EHR. Then you have a HIPAA violation,” says Connolly.
Hospitals have a lot of angst that, when there is an incident with a medical device on their network, they are the ones who will be stuck with the HIPAA fine, even though it may be the manufacturer’s failure that caused the breach in the first place.
Healthcare organizations that are just starting to get their arms around medical device and endpoint security should consult the guides and information put out by the Advancing Safety in Health Technology (AAMI) group, starting with IEC 80001: Essential Information for Healthcare Providers Managing Medical IT Networks.
As the handbook notes, its goal is to “take the fear out of implementing this standard inside the hospital regardless of the hospital size.” Reading it is a good first step for organizations looking to revamp their security strategy and protect their endpoints from advancing cyber threats.