Concerns over the security of connected medical devices have grown at nearly the same rate as those devices’ capabilities in recent years.
The thinking on how to approach security, as well as the likelihood of certain attacks, has grown and evolved as well.
Professionals using approaches that were standard even a year ago may seem to be making a 180-degree change, based on more up-to-date evidence.
Last year, Wired referred to connected devices as “the next security nightmare.” That might sound like hyperbole, but the tech magazine backed it up with some chilling what-ifs.
Connected devices, the article stated “connect to a huge array of sensors and monitors, making them potential entry points to larger hospital networks.” That makes them gateways for criminals looking to steal medical records or hold them for ransom.
Wired also asserted that security is imperative “so that attackers can’t hack an insulin pump to administer a fatal dose.”
The Reality
That blood-curdling possibility isn’t likely to occur, or at least couldn’t happen as easily as the Wired article suggests.
It’s true that infusion pumps get a high score on Common Vulnerability Scoring Systems (CVSS) assessments, a measurement of a medical device’s level of vulnerability. However, according to Penny Chase, IT and Cybersecurity Integrator for The MITRE Corporation, the CVSS can sensationalize the level of vulnerability when you look closer at how those devices are deployed.
“In the case of infusion pumps, they’ll often be on a separate network, or may not even be connected to a network,” Chase told a crowd at HIMSS18 during an education session titled “Managing Medical Device Cybersecurity Vulnerabilities.” “Further analysis also found that if an attacker wanted to manipulate a dose that would be delivered, they couldn’t actually carry it out themselves, there were other layers of approval and a nurse would actually have to be there hitting a button for it to happen.”
Having the pump connected to a separate network, or keeping it unconnected, illustrates one of the most basic ways to protect healthcare information, segmenting networks.
“Network segmentation should be implemented to make sure these IoT and medical devices are not members of the same network as PCs, laptops and databases,” Ofer Amitai of the cybersecurity firm Portnox, told Healthcare IT News. This is to ensure that a hack of a single device doesn’t give the cybercriminal access to a larger network.
FDA Changes Its Thinking
Chase went onto talk about MITRE’s work with the Food and Drug Administration (FDA) in developing the CVSS further to iron out some of its kinks. The goal is to create a level of consistency in CVSS scores between both the FDA and the device manufacturers. To do so they’ve also created the Medical Device Development Tool (MDDT), defined as “scientifically validated tools that can facilitate the scientific evaluation and assessment of a medical device by providing a more efficient and predictable means for collecting the necessary information to make regulatory assessments.”
These tools come in three types: clinical outcome assessment, biomarker test and nonclinical assessment model.
The desire for consistency has caused the FDA to have a rethink on cybersecurity responsibilities.
A 2016 Food and Drug Administration report encouraged device and software manufacturers to “address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment and maintenance of the device.”
But since then, the FDA has experienced a shift in mentality. Dr. Seth Carmody, Cybersecurity Program Manager at FDA Center for Devices and Radiological Health, in outlining the evolution FDA’s risk assessment framework for a crowd at HIMSS18, explained it like this:
“We want medical device manufacturers to not address cybersecurity in the design phase. We’d rather they make it and turn it over to our jurisdiction once it goes to market. We use a risk-based framework for our cybersecurity approach and that relationship with device manufacturers has to be collaborative, non-punitive, non-compliance focused. We’ve done a lot in the past to drive a compliance mindset of checking boxes. We want to get away from that.”
This involves, according to Carmody, incentivizing best practices, aligning with National Institute of Standards and Technology (NIST) framework, and the clear communication of manufacturer responsibilities by making the most of existing postmarket authorities and system quality regulations.
Software Applications and Vulnerability
Some manufacturers are guilty of ignoring a vital area of protection, according to Rusty Carter of cybersecurity firm Arxan Technologies.
According to Carter, “it’s the software application binary code running on the medical device that’s the most vulnerable to theft or tampering, not the actual device,” Carter said. “Instead of just focusing on securing the end-point, focus must be put on securing the applications on those devices, because that’s where attackers will focus their attention.”
Proper encryption is an essential tool of medical device security. While that may seem obvious, security checks revealed that the software in one company’s pacemakers was completely unencrypted, making it low-hanging fruit for hackers.
Approaches Change, Concerns Are the Same
Of course, even as new ideas and approaches are introduced, the concerns of securing medical data remain the same. It’s an area of great concern, and great expense.
Healthcare IT News published a list of “The biggest healthcare breaches of 2017” that included 40 of the biggest hacks, some of which affected millions of patients.
A study by the Poneman Institute, which researches privacy, data protection and information security policy, estimated that healthcare breaches are the most expensive of any industry, at $380 for each patient record illegally accessed. Small wonder researchers Cybersecurity Ventures estimated healthcare organizations will spend $65 billion to protect data and systems over the five-year period from 2017-2021.
