Addressing Security Risks of Older Medical DevicesCybersecurity Expert Kevin Fu on Mitigating Steps to Take
It could take many years before healthcare entities are "flushed" of using older medical devices running software that is no longer supported by vendors. But there are critical steps organizations can take now to minimize the security risks posed by those legacy products, says medical device cybersecurity expert Kevin Fu.
"Most of our systems were not designed with security as core requirements, so it's not surprising that things can be compromised," says Fu in an interview with Information Security Media Group.
"Rather than worry about all the ways things can go wrong, why don't we design away the problems in the first place? And that comes down to some basic engineering. [But] it's going to take some time. You've got supply chains [of medical devices] sometimes five or 10 years in the making ... that didn't have the kind of security requirements that you would expect for something connected to the internet," he says.
The Food and Drug Administration for about two years has been urging medical device makers through voluntary guidance to design and develop their new products with cybersecurity a top consideration for the life cycle of the devices.
But in the meantime, tens of thousands of healthcare organizations across the U.S. are still using older medical device products that were not only designed without security as a priority, but are also running legacy software and operating systems, such as XP, that are no longer supported by vendors, which creates security and safety risks.
"The two main risks are that the device, when compromised, can become unavailable to deliver patient care; and the other key risk is that the device no longer has integrity," he says.
"If a device becomes compromised, it enters an unpredictable state that the manufacturer hasn't anticipated. And if the device has entered this unpredictable behavior, you can no longer count on that device to be safe and effective," he says.
A malware infection on an older device's operating system, for instance, can potentially cause "subtle timing changes" that result in missed sensor readings and miscalculations about a patient's condition, he explains. "A clinician has a safety net - they should understand bogus data, but when malware breaks in, it starts to remove that safety net."
To address these and other security challenges related to legacy medical devices, Fu suggests that healthcare organizations take several important steps as recommended by guidance issued by the National Institute of Standards and Technology.
That includes enumerating risks. "There's a strong tendency to throw security technologies against a wall and see what works. But it's important to first see what's at risk," he says. "Know your assets, your inventory and what you're up against," he says.
The next steps are implementing security controls that align with specific risks, and continuously measuring the effectiveness of those controls. "This is one of the harder ones because it's very easy to install a piece of security software, but it's a lot harder to uninstall it ... and to know when that piece of security software isn't working as well as it used to," he says.
Making those challenges even more difficult for healthcare entities and those responsible for security within those organizations is that "there are so many security vulnerabilities that it's hard to know which ones are important."
In the interview, Fu also discusses:
- The pros and cons of having tighter access controls on some medical devices, such as pacemakers;
- How ransomware potentially threatens medical devices;
- Security and privacy risks posed by cloud services and other third-party vendors to healthcare settings.
Fu is associate professor of electrical engineering and computer science at the University of Michigan, where he directs the Archimedes Research Center for Medical Device Security. Previously, he served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts, Amherst. Fu also has served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research and Massachusetts Institute of Technology Computer Science and Artificial Intelligence Lab. He's also founder, CEO and chief scientist at malware-detection start-up firm Virta Laboratories.