What Outdated Medical Devices Mean for a Network — and How to Protect Yours

It’s not just phishing emails and rogue links that are putting your healthcare organization’s network at risk.

Despite an understanding in the healthcare community that unsecure and legacy medical devices are particularly susceptible to cyberattacks, that concern hasn’t necessarily translated into action.

Case in point is a survey released by the Ponemon Institute, which found that 67 percent of medical device manufacturers and 56 percent of healthcare delivery organizations believe an attack on a medical device built or in use by their organization is likely to occur in the next year. But only 17 percent of device makers and 15 percent of healthcare organizations are taking significant steps to prevent attacks.

Moreover, only 51 percent of device makers and 44 percent of healthcare organizations follow current Food and Drug Administration guidance to mitigate or reduce inherent security risks in medical devices, according to the study.

“The lackadaisical approach that [health organizations] take, for the most part, is the reason they’re so vulnerable. The treasure trove of electronic health records PII [personally identifiable information] is ready to be taken with very minimal acumen by the actual adversary,” says James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT).

Cybersecurity Collaboration and Leadership Are Key

Too many hospitals depend on their IT departments to also fill the role of cybersecurity experts, Scott says. But the IT departments don’t always have the training and understanding of what’s necessary to develop and maintain a strong cyberdefense.

On the other hand, organizations with a senior information security leader are more likely to adopt a holistic approach to cybersecurity, according to the 2017 HIMSS Cybersecurity Survey.

“Most of these [small] organizations don’t have CISOs. They don’t have cyber-centric experts on the board or even advising them,” Scott says. “If you don’t have qualified people to put this together, if you don’t have qualified people to listen to the vendors’ pitches, you don’t know how to buy, you don’t know how to layer your security measures.”

Often, even when there is a dedicated security team in place, they aren’t properly consulted on each new device joining the network.

At the University of Vermont Health Network, for example, the six-hospital network makes security part of vendor vetting — it just upgraded around 700 infusion pumps — but occasionally security pros learn of a machine expected to go on the network the day it arrives.

“Somebody bought it, signed a contract for it and the information security department was never told about it,” says Richard Schaaf, regional information security officer for the University of Vermont Health Network. “Our only option at that point is to use some technical network mechanism and work with a clinic, take a look at their workflow,” he says, adding that the tech could be adjusted to add an extra layer of security to ensure patient safety.

Guidelines Seek to Close the Legacy Device Security Gap

A main issue, according to Schaaf, is that buying newer models does not mean they are more secure. FDA guidance on medical devices tells manufacturers they have an obligation to consider the cybersecurity of their devices during design and throughout the operating life of that device, though the FDA’s follow-through on that remains a mixed bag.

“The problem is we’re chasing security after-the-fact,” says Schaaf, who also calls using the network to secure devices “putting a Band-Aid on something that needs to be healed.”

For the Department of Health and Human Services’ Cyber Security Task Force, legacy medical device cybersecurity is a major concern, and one that took center stage in its latest report. The task force called for developing incentives for organizations to replace legacy devices that are particularly vulnerable to an attack, such as a “Cash for Clunkers” program.

According to the FDA, medical devices should be considered a hostile environment for hacking and devices have to be hardened against it.

System-level security is a shared responsibility, according to the cybersecurity principles released by AdvaMed, a digital health trade group. The guidelines call on device makers to work with healthcare organizations after the sale to ensure devices work as intended to protect patients and systems.

Future Policies Promise to Push Device Security to the Forefront

At the federal level, two device security bills have been proposed. The Medical Device Cybersecurity Act of 2017 would create a “cyber report card” to increase transparency of medical device security. The Internet of Medical Things Resilience Partnership Act calls on the FDA to set up a public-private working group to “develop recommendations for voluntary frameworks and guidelines.”

Scott, however, maintains that the industry cannot police itself, and points to three efforts that could make a big difference:

• The Department of Health and Human Services launched the Healthcare Cybersecurity and Communications Integration Center (HCCIC) earlier this year, an intelligence-sharing clearinghouse for coordination between the healthcare sector and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). It aims to provide real-time communications among incident response teams. ICIT calls this a major step forward in introducing real cybersecurity resiliency and moving healthcare organizations away from self-regulating, checkbox-driven security standards. Scott characterizes this effort as stalled.

• The Cyber Shield Act would create an Energy Star-type program to provide buyers with more specific information about medical devices. It would require security-by-design throughout the development lifecycle in accordance with National Institute of Standards and Technology (NIST) 800-160, which addresses how to develop secure systems from the bottom up.

• A more aggressive push toward NIST standards.

“There’s a lot of talk, and that’s all it is — talk,” Scott said. “Why don’t we deal with the plethora of [proposals] already on the table? Let’s move forward, let’s just start.”

How Organizations Can Keep Medical Devices Safe

In the meantime, how can manufacturers and IT teams work together to understand a device’s vulnerabilities? It’s vital for organizations to understand how each device treats a patient as well as the information it collects and where that information resides, says John Fowler, deputy information security officer for the Henry Ford Health System in Detroit. He encourages organizations to ask where medical data from the device is stored, whether on the device itself or a central console.

Many devices are mobile and use wireless connections, so encrypting medical data as it moves from one device to another is critical.

Lately, organizations have also started looking at network segmentation, he says, because there’s a cost to it, and organizations generally like to have a flat network for accessibility.

“The next generation of firewalls actually provides that [segmentation]. You don’t have to build out a specific infrastructure; now I’m creating a bubble within my network for medical devices,” Fowler says, adding that the cost of segmentation is dropping significantly.

Many security pros consider automation, such as machine-to-machine learning and artificial intelligence, the best option.

“The speed of today’s security environment means that if a human is involved, an event will have moved past [network] security and is now a forensics case,” Robert Kingma, CEO at ICT Networks, told IT chiefs gathered in Sydney recently, according to CIO.

Many security vendors reject the perimeter firewall approach to security, because once it’s breached, malicious actors can freely move through the network. Instead, vendors use machine learning to determine normal behavior of systems and monitor and alert in near-real time on aberrations. They also call on combined community knowledge in cloud-based analytics engines to parse true problems from noise.
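
To make the baseline-and-alert idea concrete, here is an added example (not from the article or from any vendor's product) that learns each medical device's normal peers from flow records and flags traffic that departs from them, separating lateral movement inside the device segment from traffic leaving it. A plain set-membership baseline stands in for the machine learning the vendors use; the segment address, IPs, ports and flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing: medical devices live in one segment (constructed value).
DEVICE_SEGMENT = ip_network("10.20.0.0/24")

# Constructed flow records: (source IP, destination IP, destination port).
BASELINE_FLOWS = [
    ("10.20.0.11", "10.20.0.5", 443),   # infusion pump -> pump server
    ("10.20.0.11", "10.20.0.5", 443),
    ("10.20.0.12", "10.20.0.5", 443),
    ("10.20.0.30", "10.30.0.8", 104),   # imaging device -> PACS (DICOM)
]
LIVE_FLOWS = [
    ("10.20.0.11", "10.20.0.5", 443),   # seen during baseline
    ("10.20.0.11", "10.20.0.12", 445),  # pump talking SMB to another pump
    ("10.20.0.30", "10.30.0.8", 104),   # seen during baseline
    ("10.20.0.12", "10.40.7.9", 3389),  # pump opening RDP outside the segment
    ("10.50.1.2", "10.50.1.3", 22),     # not a medical device, ignored
]

def learn_baseline(flows):
    """Record, per device, every (destination, port) seen in the learning window."""
    normal = defaultdict(set)
    for src, dst, port in flows:
        if ip_address(src) in DEVICE_SEGMENT:
            normal[src].add((dst, port))
    return normal

def find_aberrations(flows, normal):
    """Return alerts for device flows that were never seen during learning."""
    alerts = []
    for src, dst, port in flows:
        if ip_address(src) not in DEVICE_SEGMENT:
            continue  # only devices in the medical segment are monitored
        if (dst, port) in normal.get(src, set()):
            continue  # matches the learned behavior
        kind = ("lateral" if ip_address(dst) in DEVICE_SEGMENT
                else "leaves-segment")
        alerts.append({"device": src, "dst": dst, "port": port, "kind": kind})
    return alerts

if __name__ == "__main__":
    for alert in find_aberrations(LIVE_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

A device that never appeared in the learning window has an empty baseline, so every flow it sends is reported, which is also how a machine placed on the network without review would surface.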

Using automated software to find unknown open ports, default credentials, missing patches, bad code and known vulnerabilities across enterprise systems can be invaluable, but such systems have yet to gain widespread traction within healthcare.

“The jury’s still out on whether that kind of technology will be helpful,” says Schaaf.

Oct 30 2017