As cybersecurity has evolved over the decades, so has the motivation of our adversaries. What started as fun, cool, or maybe a challenge is now very focused and profitable. With monetary gain as a motivator, the stakes and dangers continue to rise. When cybersecurity issues cross the digital plane into physical harm or even death, this is no longer “cool” or “fun.” This is the case with medical devices that directly impact the health of human beings. An early example of an indirect cybersecurity effect on medical devices was the “WannaCry” ransomware variant that set the internet on “fire” in 2017. This attack impacted cloud-based radiological systems that cancer patients relied upon for treatment, forcing missed scheduled appointments. The challenges often stem from relying on device manufacturers to follow secure development practices, address vulnerabilities, and meet a prescribed security compliance requirement.
With cyberattacks and data breaches already having a significant impact on the healthcare industry, medical devices add to the complexity of safeguarding electronic protected health information (ePHI). Secure platforms are often not the focus when bringing new medical devices to market; rather, improving and saving lives are the priorities. However, it is crucial to protect the function and sensitive information of medical devices such as ventilators, heart defibrillators, artificial cardiac pacemakers, and insulin pumps. There are case studies of researchers exploiting vulnerabilities in a CT scanner to add fake cancerous growths to the results. Failing to properly secure medical devices makes them an attractive target for attackers due to the crucial functions they serve, the data they contain, and their connection to the overall health information ecosystem, which often spans multiple organizations.
There are initiatives, research, and guidance to better protect medical devices from cyberattacks. The FDA issued pre-market guidance for medical devices in 2014 and recommendations for medical device manufacturers in 2016, along with a draft update in 2018. MITRE, a federally funded research organization, has also developed a Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook and a Playbook for Threat Modeling Medical Devices. On a global scale, the International Organization for Standardization (ISO) has developed its guidance on the application of risk management to medical devices (ISO 149781). While there have been efforts and guidance from the FDA to address security issues, from MITRE to respond to cyber incidents, and from ISO to perform risk assessments, there has been no mandate requiring a secure baseline before a medical device provides patient care. This often leaves the protection of the medical device to the healthcare entity that relies upon it.
While there is no current mandate, the FDA acknowledges the concern and has documented a cybersecurity requirement within its Medical Device Safety Action Plan to compel medical device manufacturers to strengthen the cybersecurity of the devices that deliver patient care. While it may not be specific to all medical devices, the National Institute of Standards and Technology (NIST) has developed more prescriptive guidance for medical imaging devices that could be loosely applied to other medical device environments. Some of the suggestions include:
- A defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business functions.
- Access control mechanisms that include multifactor authentication (MFA) for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components.
- A holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers.
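The network zoning and vendor remote-support controls above translate into a default-deny allow-list between zones that can also be audited against flow logs. The following Python example is added here to illustrate that idea; it is not code from the article, LBMC, or NIST. The zone names, addressing, ports, and flow-log lines are all constructed for the illustration and do not describe any real deployment.

```python
"""Zone-based, default-deny allow-list for a medical imaging network segment,
audited against flow-log records.

Added illustration (not from the original article or NIST guidance).
Zones, addresses, ports and log lines below are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Network zones: name -> CIDR (constructed addressing for the example)
ZONES = {
    "clinical_workstations": ipaddress.ip_network("10.10.0.0/24"),
    "imaging_devices":       ipaddress.ip_network("10.20.0.0/24"),   # CT/MRI modalities
    "pacs":                  ipaddress.ip_network("10.30.0.0/24"),   # archive / viewer servers
    "vendor_support":        ipaddress.ip_network("10.99.0.0/24"),   # vendor remote-support jump hosts
    "internet":              ipaddress.ip_network("0.0.0.0/0"),      # catch-all
}

# Allow-list of (src_zone, dst_zone, proto, dst_port). Anything not listed is denied,
# which is what "minimum necessary to support business functions" means in practice.
ALLOWED_FLOWS = {
    ("imaging_devices", "pacs", "tcp", 104),            # DICOM transfer from modality to archive
    ("clinical_workstations", "pacs", "tcp", 443),      # viewer web UI for care providers
    ("vendor_support", "imaging_devices", "tcp", 22),   # vendor remote support limited to imaging components
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip; 'internet' (0.0.0.0/0) is the fallback."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form 'src=... dst=... proto=... dport=...'."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def evaluate(flow: Flow) -> tuple:
    """Default-deny: the flow is allowed only if its zone tuple is on the allow-list."""
    key = (zone_of(flow.src), zone_of(flow.dst), flow.proto, flow.dport)
    if key in ALLOWED_FLOWS:
        return True, f"allow {key[0]}->{key[1]} {flow.proto}/{flow.dport}"
    return False, f"DENY  {key[0]}->{key[1]} {flow.proto}/{flow.dport} ({flow.src}->{flow.dst})"


def audit(log_lines) -> list:
    """Return the messages for every flow in the log that the zoning policy would not permit."""
    return [msg for ok, msg in (evaluate(parse_flow(line)) for line in log_lines) if not ok]


# Constructed sample flow records (not real traffic)
SAMPLE_LOG = [
    "src=10.20.0.15 dst=10.30.0.5 proto=tcp dport=104",     # modality -> PACS: expected
    "src=10.10.0.7 dst=10.30.0.5 proto=tcp dport=443",      # workstation -> PACS viewer: expected
    "src=10.99.0.2 dst=10.20.0.15 proto=tcp dport=22",      # vendor -> modality: expected
    "src=10.99.0.2 dst=10.30.0.5 proto=tcp dport=22",       # vendor -> PACS: outside the support scope
    "src=10.20.0.15 dst=203.0.113.10 proto=tcp dport=443",  # modality -> internet: not permitted
    "src=10.10.0.7 dst=10.20.0.15 proto=tcp dport=445",     # workstation -> modality SMB: not permitted
]

if __name__ == "__main__":
    for msg in audit(SAMPLE_LOG):
        print(msg)
```

Running the script prints the three flows the policy would not permit. The same allow-list is what a firewall ruleset between the zones should enforce; auditing flow logs against it is a cheap check that the segmentation actually holds once the devices are deployed.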
To raise the stakes as high as possible and meet their objectives, hackers are targeting medical devices either to obtain sensitive information or to force a ransom payment. The challenge for healthcare organizations that rely on medical devices is similar to the hardware and software supply chain issues seen across all industries:
- Reliance on the vendor to develop a secure product
- Reliance on the vendor to provide third party security testing
- Reliance on the vendor to disclose and release security patches for severe vulnerabilities discovered
- Fear of losing support for the product if non-approved measures are taken to secure the product and associated environment
While there are numerous sources of guidance to secure medical devices, the best advice may be to work with your cybersecurity experts to develop a secure environment for those devices. Once the deployment is complete, engage a third-party firm to perform a security assessment to validate that the specific security controls are functioning as intended.
If you would like more information on the threat of ransomware or to discuss a risk assessment for your organization, contact us today.
Content provided by LBMC Information Security professional, Bill Dean.