Medical Device Security: The HurdlesAnalysis of the Pain Points and the Progress
Healthcare providers, manufacturers and regulators are becoming increasingly aware that networked medical devices face emerging cyberthreats. So they're finally beginning to take action to address those issues. Still, many hurdles remain.2014 HIMSS Conference in Orlando.
"Regulators issued an important draft guidance last year, healthcare organizations are starting to assess and demand secure devices and manufacturers know that organizations expect that and are willing to pay for it," Nordenberg says. "This will also drive innovation."
The Food and Drug Administration last year issued draft cybersecurity guidance for healthcare and medical device makers. The guidance urges manufacturers to develop cybersecurity controls in the design phase of their product development and recommends the companies document their risk analysis of cybersecurity threats and vulnerabilities and spell out ways to mitigate those risks, such as through encryption.
The FDA also issued a "safety communication" to manufacturers and healthcare organizations, listing steps they should consider taking to mitigate cybersecurity risks to medical devices. For healthcare providers, those steps include making sure their anti-malware software and firewalls are updated, ensuring that access to networked devices is restricted and making sure that medical device makers are contacted about any cybersecurity issues.
Bakul Patel, senior policy adviser to the director of the Center for Devices and Radiological Health at the FDA, tells Information Security Media Group that the final version of guidance for medical device cybersecurity will be issued in late 2014 or early 2015.
The FDA also opened a cybersecurity lab last year to begin testing medical devices.
In the Spotlight
But it's not just regulators that are intensifying its attention to medical device cybersecurity.
Some healthcare organizations are beginning to implement programs that focus on assessing the risk of medical devices before making final decisions about the procurement of the products. This also puts pressure on the makers to improve the security of their products.
"The buck stops with vendors, but there are a lot of interdependencies," says Michael McNeil, global product security officer at Philips Healthcare. He joined the organization last year after holding security leadership posts at device maker Medtronic.
Information exchange among device manufacturers and users is critical, he says.
Medical device security is an extremely complex issue for the healthcare sector. For instance, some medical device makers believe that they need to seek FDA re-approval for their products if they provide software patches or operating system updates to address security issues. But that's a fallacy, Patel says. And even when there are patches and software updates available from vendors, healthcare organizations often fail to apply the fixes, he says.
Compounding those issues is the fact that many medical devices still in use today were designed before cybersecurity became an area of major concern. Also, many of the legacy devices still in use have old or even obsolete operating systems. For instance, some devices run on Windows XP, a system for which Microsoft will stop offering supporting in April. That means no more software patches or updates from the vendor will be available to fix newly found vulnerabilities, notes Kevin Fu, a researcher who is a professor at the University of Michigan and director of its security and privacy research lab, which studies the security and safety of devices.
While there's been a great deal of attention in recent years on white hat hacker demonstrations showing how wireless medical devices can be attacked remotely, Fu says "hacking is a bit of a red herring." He stresses that malware is a much greater threat to medical devices. His research has found incidents where devices "were factory installed with malware by mistake," Fu says.
Another problem for the industry is that best practices for medical device security aren't in place at many healthcare organizations or even widespread at many of the medical device makers themselves, researchers say.
For instance, while healthcare organizations should conduct risk assessments of medical devices that are linked to their networks, that's a time-intensive chore that some entities, especially smaller ones, lack the time, expertise or resources to carry out.
Also lacking at some organizations are solid authentication practices for medical device users. Some organizations neglect to even change the default settings and passwords on their devices once they're put in place. Additionally, physicians and other clinicians often resist security programs that require frequently changing passwords on the devices and other health IT.
Signs of Progress
Despite the challenges, progress is being made, especially as awareness of the threats against medical device security grows, Nordenberg says.
In addition to FDA guidance, help in risk management practices and assessment is also being offered by others, including the Medical Device Innovation, Safety and Security Consortium. The group is offering the Medical Device Risk Assessment Platform, which provides guidance for risk-based assessment of common security capabilities and control gaps in medical devices.
The guidance is based on a tool developed at John Muir Health, a Northern California integrated health delivery network, which uses it for evaluating both application and device risk. The tool provides a risk score by category and allows comparative studies across several different devices, Nordenberg says.
More robust standards are emerging as well, including those related to manufacturers and healthcare providers managing and evaluating the security risks of medical devices for the entire life cycle of the products, including pre-procurement by healthcare entities. For example, IEC 62443, a comprehensive set of 12 standards from the International Electrotechnical Commission, covers nearly every aspect of the security lifecycle of systems used in industrial control systems, says Mike Ahmadi, global director of medical security, Codenomicon Ltd., a security testing firm.
Researchers are also spending more time examining other issues that play a role in medical device security, ranging from testing the vulnerability of hardware components as well as firmware and other software used in the devices, says Ryan Kastner, a professor in the Department of Computer Science and Engineering at the University of California, San Diego.
So far, mainly larger provider organizations, such as the Department of Veterans Affairs' Veterans Health Administration, are conducting medical device risk assessments, says Theresa Cullen, the VA's chief medical information officer. But even smaller organizations with fewer resources can complete such assessments, she contends.
Besides conducting risk assessments and applying software patches and operating system updates, organizations should consider other steps to help improve the security of medical devices. Among those is giving bio-engineers the necessary access privileges so they can monitor the devices for performance and anomalies, Cullen told the HIMSS workshop audience.
Incident reporting is also vital, she adds. Not only is it important for technology and security experts to monitor devices, but other staff also should be trained to report problems to the appropriate security leaders. Cullen recalls a recent incident where an unusual number of VA patients at one facility had a blood gas analysis indicating high sodium readings. VA clinicians helped the lab to quickly identify a problem with the testing equipment. "It was not a security issue, but was a patient safety issue, and that's the most important thing in delivering healthcare," Cullen says.
Healthcare organizations also should consider segregating medical devices to run on networks separate from their main IT network to reduce risk of malware and other problems being introduced to the devices or spreading, Cullen says.
Smaller organizations that lack the resources to set up a segregated network for medical devices should still try to carefully assess device risks on an ongoing basis, she stresses.
Patel calls on healthcare providers and medical device manufacturers to consider how to improve detection and response to emerging security issues. "Think up front, think frequently, and fix problems before something happens," he says. "Don't wait for someone else to move the needle."