Imagine having your wirelessly-controllable pacemaker or smart insulin-pen being hacked by criminals—and then knowing your hospital is helpless to stop it!
The journey to better security for connected medical devices continues to be a bumpy one.
Yes, there is progress, experts agree. But it is incremental and still not keeping pace with the threats. It is not so much one step forward and two steps back. It is almost like: for every step forward the healthcare industry takes, the number and sophistication of the threats grows by two steps, or more.
There is little debate about the value of connected devices in improving health and prolonging lives—especially when everything from wearables to “implantables,” infusion pumps, and smart insulin pens can be operated remotely for those who live in areas far from hospitals or for elders who have difficulty traveling.
But as has been said many times and is still being demonstrated at numerous security conferences, cyber vulnerabilities in those devices or in the systems and networks that support them could allow malicious hackers to turn healing tools into lethal weapons, or to use them as leverage for ransom or blackmail.
Healthcare cybersecurity in ‘critical condition’
This is no secret. Awareness of the problem is widespread and has been so for some time. The June 2017 Report on Improving Cybersecurity in the Healthcare Industry by a congressional task force declared that “healthcare cybersecurity is in critical condition.”
And there are substantive initiatives to address it. The federal Food and Drug Administration (FDA) published a Medical Device Safety Action Plan in April 2018—a plan that Synopsys participated in crafting. Among its key stated goals were to “update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack).”
Three months later, in July 2018, the FDA announced its adoption of ANSI (American National Standards Institute) UL 2900-2-1 as a “consensus standard” for device manufacturers and for patients.
UL—formerly Underwriters Laboratories—is an independent third-party assessment firm that has certified consumer product safety, or lack of it, for more than a century.
UL 2900-2-1 calls for, among other things, “structured penetration testing, evaluation of product source code, and analysis of software bill of materials.”
The progress is noticeable, said Larry Trowell, principal consultant at Synopsys. “Five years ago, security in these devices was more or less an afterthought if it was considered at all. Today security experts are being called in during the design phase of products to look for potential risk areas before the products are off the drawing board.”
That has led to “definable improvement,” he said.
Medical device security initiatives delayed
And yet, in some cases, the rhetoric is more ambitious than the actions.
Among the proposed initiatives in the FDA’s action plan is the creation of a new public-private partnership called the CyberMed Safety (Expert) Analysis Board (CYMSAB), chartered to “assess, assist, and adjudicate coordinated vulnerability disclosures in medical devices” and, possibly, to investigate medical device security breaches.
That generated an enthusiastic response at the time from numerous advocates, including Cory Doctorow, journalist, blogger, author, activist, and Internet of Things (IoT) expert. He wrote on his blog that the FDA was “finally taking action to improve (medical device security).”
But 19 months later, there is no CYMSAB. Stephanie Caccomo, press officer at the FDA, said while the agency did include funding for that board in its $70 million FY 2019 budget request, so far it has designated only “a very small amount of money to fund an internal exploratory phase to research what the FDA would need to do to implement the CYMSAB. At this point, there is no CYMSAB created or running,” she said.
Of course, that is only one of the multiple initiatives the FDA proposed. And Caccomo added that the FDA’s “cybersecurity work never stops, and we continue to grow our engagements with the many stakeholders involved in this community to identify cybersecurity threats to medical devices.”
But there is apparently not enough money available to implement the agency’s entire action plan, even though connected medical devices are a prime attack surface.
A recent survey by Irdeto, a digital platform security vendor, found that 82% of healthcare organizations’ IoT devices have been targeted by a cyber attack within the last year.
Current state of medical device security
So how do experts see the current “state of security” for medical devices? The reviews are mixed.
One view, expressed in a Threatpost story covering a presentation on connected devices at the recent ENFUSE 2019 event in Las Vegas, hospitals and healthcare centers in general “have notoriously lax culture when it comes to security.” It quoted Ferdi Steinmann, industry strategist for life sciences at OpenText, declaring that “drivers across the industry,” such as an aging population and regulations, “are putting facilities and patients at risk.”
Trowell agrees. He said the physicians he knows have no interest in maintaining a high level of security in their workplace because “it is perceived as increasing the complexity and increases the decisions that medical professionals have to make every day.”
“Even the few I know who attempt to keep up with security issues by say, listening to popular security podcasts, only use that information to better their personal lives, not their professional ones,” he said.
Focus on ‘critical service delivery’
But Megan L. Brown, a partner with the Washington, D.C., law firm Wiley Rein, said “notoriously lax” overstates reality. “Hospitals operate in challenging real-world and regulatory environments,” she said. “They want to do the right thing and have been investing in security, but their cultures are focused on critical service delivery.”
Brown also said she thinks some conference presentations are aimed more at generating publicity than anything else. “There is a whole hacking industry that has sprung up to identify issues and freak the public and press out about security at conferences,” she said.
Not that she blames all hackers. “I’ve seen a real culture shift in the past five years on coordinated disclosure and vulnerability handling and openness to working with groups like HackerOne,” she said.
“But some hackers don’t act responsibly or are focused on public attention rather than discreet remediation. Often they don’t have access to full information, for good reason. Remember, not all vulnerabilities are exploited or exploitable.”