In the healthcare industry’s fight to improve cybersecurity, Kevin Fu believes there’s too much fear and too little action.
“Fear … can cause sort of a sky-is-falling effect,” said Fu, co-founder and chief scientist of medical device security startup Virta Laboratories, during Sunday’s keynote speech at the Association for the Advancement of Medical Instrumentation’s 2017 conference in Austin, Texas. “Fear may drive some C-suite decision-making, but we need to figure out how to get better security and stop admiring problems.”
When it comes to mitigating current threats, Fu, associate professor at the University of Michigan and director of UM’s Archimedes Center for Medical Device Security, thinks there’s too much of a focus on treating symptoms. Anti-virus tools, for instance, represent only a temporary solution to an ongoing problem, he said.
“We should be designing for these problems from the beginning,” Fu said. “How we climb out of this mess is really going to begin with a lot of premarket activities.”
Continuously Measure Effectiveness of Solutions
Provider organizations, in particular, are very good at “buying” cybersecurity solutions, Fu said. But decision-makers must use caution when taking that approach due to the rapid evolution of threats.
“What NIST [the National Institute of Standards and Technology] recommends is that you have to continuously measure the effectiveness of any controls you put in place to know whether they’re still working,” he said. “A firewall might work great today, but tomorrow, maybe not; maybe there’s a flaw in that firewall.”
Fu outlined four challenges such organizations face:
Inventory: What it boils down to, Fu said, is that if you don’t know what you have, you’re not going to know how to protect it. “Most of the health systems we’ve looked at tend to have a huge amount of shadow IT, upward of 15 to 20 percent sometimes. These could just be legitimate devices that somehow didn’t make it into your clinical engineering CMMS [computerized maintenance management systems], or it could just be that a clinician went out under the procurement limit and bought some interesting devices, or maybe a vendor installed some interesting things without telling you.” Fu said an organization’s CMMS must integrate security risk; without it, there’s little context in which to identify potential issues.
Vendor relationships: Vendors make security hard, Fu said. “A good way to know if you’re working with a mature vendor? If they tell you, ‘just put it behind a firewall’ or ‘just put it on the secure network,’ that’s what I call BS,” he said. A fragile radiological device that crashes on a vulnerability scan, for example, should call into question the device’s safety. Additionally, Fu said, while every vendor he’s visited has someone who understands security, sometimes there’s a big disconnect between the security expert and the sales engineers who speak with providers.
Current technology: Security tools are really good at finding problems, Fu said, but finding solutions is a bit harder. “We need to figure out how to integrate these tools for clinical workflow,” he said.
Segmentation: When used in moderation, segmentation works, Fu said. But segmenting everything is just as bad as having no segmentation at all, he warned. “If you segment all your networks, you’ve just created a new management nightmare for yourself. … You need to find the right policies that fit with your clinical workflow,” Fu said.
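The inventory challenge above comes down to one comparison: what is actually on the network versus what the clinical engineering CMMS says you own. The script below is an added example, not code from the article or from Virta Labs, showing that reconciliation on constructed data. It normalizes MAC addresses so that differently formatted CMMS and discovery records still match, reports devices seen on the network with no CMMS record (shadow IT), CMMS assets not observed in this pass, and CMMS records that carry no security-risk rating at all. The asset IDs, MACs, IPs and hostnames are all made up for the example, and the "passive discovery" input is a hypothetical ARP/DHCP observation list rather than an active scan.

```python
"""Reconcile a network discovery pass against the clinical engineering CMMS.

Added example for the inventory challenge described above. All device data
below is constructed; nothing here comes from a real inventory.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CmmsRecord:
    asset_id: str
    mac: str
    description: str
    security_risk: Optional[str]  # "high" / "medium" / "low", or None if never assessed


@dataclass(frozen=True)
class DiscoveredHost:
    mac: str
    ip: str
    hostname: str


# Constructed CMMS export (hypothetical assets). Note the inconsistent MAC
# formatting, which is typical of hand-entered maintenance records.
CMMS_EXPORT = [
    CmmsRecord("CE-1001", "00:1A:2B:3C:4D:01", "Infusion pump, ward 3", "high"),
    CmmsRecord("CE-1002", "00-1A-2B-3C-4D-02", "Patient monitor, ICU bed 2", None),
    CmmsRecord("CE-1003", "001a2b3c4d03", "Ultrasound cart", "medium"),
    CmmsRecord("CE-1004", "00:1a:2b:3c:4d:04", "Lab analyser", "low"),
    CmmsRecord("CE-1005", "00:1A:2B:3C:4D:05", "Portable X-ray", "medium"),  # not on network this pass
]

# Constructed output of a passive discovery pass (e.g. ARP/DHCP observations).
DISCOVERY_SCAN = [
    DiscoveredHost("00:1a:2b:3c:4d:01", "10.20.0.11", "pump-w3-01"),
    DiscoveredHost("00:1a:2b:3c:4d:02", "10.20.0.12", "monitor-icu-02"),
    DiscoveredHost("00:1a:2b:3c:4d:03", "10.20.0.13", "us-cart-01"),
    DiscoveredHost("00:1a:2b:3c:4d:04", "10.20.0.14", "lab-analyser-01"),
    DiscoveredHost("00:1a:2b:3c:4d:99", "10.20.0.99", "vendor-gateway"),  # no CMMS record
]


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC so '00-1A-..' and '001a..' compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(cmms: list, discovered: list) -> dict:
    """Compare CMMS records with observed hosts, keyed on normalized MAC address."""
    by_mac = {normalize_mac(r.mac): r for r in cmms}
    seen = {normalize_mac(h.mac): h for h in discovered}

    # Shadow IT: on the network, unknown to the CMMS.
    shadow = sorted(h.hostname for m, h in seen.items() if m not in by_mac)
    # Inventoried but not observed: off-line, relocated, or on a segment not covered.
    unseen = sorted(r.asset_id for m, r in by_mac.items() if m not in seen)
    # Observed and inventoried, but the CMMS has no security-risk context for it.
    unrated = sorted(r.asset_id for m, r in by_mac.items()
                     if m in seen and r.security_risk is None)

    shadow_pct = 100.0 * len(shadow) / len(seen) if seen else 0.0
    return {
        "shadow": shadow,
        "unseen": unseen,
        "unrated": unrated,
        "shadow_pct": shadow_pct,
    }


def report() -> dict:
    """Run the reconciliation on the constructed data and print a short summary."""
    result = reconcile(CMMS_EXPORT, DISCOVERY_SCAN)
    print(f"shadow IT: {result['shadow']} ({result['shadow_pct']:.1f}% of observed hosts)")
    print(f"inventoried but not observed: {result['unseen']}")
    print(f"observed but never risk-rated in CMMS: {result['unrated']}")
    return result


if __name__ == "__main__":
    report()
```

Two design points follow directly from the talk. The discovery input is deliberately passive (addresses observed on the wire), because, as the vendor-relationships item notes, some clinical devices crash when actively scanned, so the reconciliation should not depend on probing them. And the "unrated" list exists because a CMMS record without a security-risk field gives you an asset with no context for prioritizing it, which is the gap Fu describes.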
Are Medical Sensors the Next Big Target?
A bigger issue for providers than hackers breaking into medical devices is protecting their organizations from widespread unavailability, Fu said. While Fu and his colleagues have warned providers for the past decade about the potential for hackers to hinder the availability of patient services, only recently, in the wake of high-profile ransomware attacks, has there been more of a call to arms to mitigate attacks on availability. Last summer, for instance, the Health and Human Services Department’s Office for Civil Rights published guidance focusing on ransomware and HIPAA; more recently, it published a cybersecurity checklist for providers.
Fu anticipates that within a decade, attacks on medical-device sensors could be just as problematic as availability-focused attacks are today.
“We haven’t yet seen a lot of hacking that affects the integrity of medical sensors, but this is something that really worries me,” Fu said. “In five or 10 years, we’re likely going to see some severe problems with the integrity of sensors that are going into closed-loop feedback systems.”
Read articles from HealthTech's coverage of AAMI 2017 here.