IoT Medical Device Cybersecurity
The prediction that healthcare data and medical devices would be aggressively targeted by ransomware attacks since early 2017 has proven to be true. The WannaCry ransomware attack highlighted the need for healthcare organizations and medical device companies to focus on stronger cybersecurity measures and protections. Regulatory bodies are increasingly emphasizing the need for healthcare organizations and manufacturers to safeguard their technologies.
Cybersecurity risks go beyond ransom attacks and traditional IT devices. A malicious actor could make their way into a pacemaker or medical pump, potentially causing more damage to a patient than an attack on a server or data center. In 2020, ransomware attacks within the healthcare sector is predicted to have quadrupled. (Source: Herjavec Group Healthcare Report)
“If the public knew how insecure so much of the equipment is out there, they would lose their faith in the medical industry,” C. Gates, principal security architect at Houston-based medical device engineering firm. “There [are] a lot of issues that need to be corrected.”
– MedTech Dive, July 2020
The risks are high. This year researchers discovered vulnerabilities in a popular TCP/IP library from a third-party software vendor used by medical device manufacturers, potentially providing hackers remote access control and the ability to alter medication dosages. The security holes, found by Israeli firm JSOF and dubbed Ripple20, are the latest example of cyber vulnerabilities in third-party software impacting the medical technology industry.
The sophistication of malware continues to adapt and grow alongside the complexity of Internet connectivity. MEDJACK, a malware virus, compromised three healthcare systems through medical devices such as x-ray machines, blood gas analyzers and diagnostic equipment.
A silver bullet for achieving security does not exist. Moreover, it cannot be considered an afterthought once a design has been completed. Cybersecurity needs to be built into the product design from the beginning. Security requires a constant focus from product conception, design, development, deployment, maintenance, all the way through support.
Four best practices for integrating security into connected medical devices:
- Security by Design – Set out the design features and cybersecurity controls clearly at the start of the design and development process. Begin by defining and mapping the product ecosystem including how data originates, travels and is processed – both upstream and downstream.
- Identify the Security Framework and Controls – Medical devices are computers susceptible to the same threats and vulnerabilities as traditional systems. The Food Drug Administration (FDA) provides detailed guidelines for assessing the vulnerabilities and reducing cybersecurity risks [link]. This includes establishing the security controls, device controls and application integrations.
- Create a Risk Assessment and Control Strategy – Start with risk assessments of current device implementations and identify the required security and privacy controls needed to put into place to mitigate the most serious security threats and vulnerabilities.
- Establish and Conduct Regular Security Audits – For audits of medical devices, penetration testing is the recommended approach. These tests will help evaluate identify product vulnerabilities and weaknesses, providing for a risk assessment to be completed. Nevertheless, penetration testing is not a “one and done” solution.
CynergisTek in a 2019 study revealed their findings of its CAPP Community Conference surveying approximately 60 C-level healthcare executives for their cybersecurity practices. Sections of the survey pinpointed some of the barriers or disconnects within their respective organizations. Significant findings include:
- Nearly one-third of respondents stated not having an effective cybersecurity strategy in place to assess the risks posed by medical devices. Almost 26% said they do not have any process at all,
- Culture was identified as the main difficulty in retaining and training cybersecurity professionals,
- Fifty-four percent (54%) of those surveyed said the greatest barrier to meeting privacy and security challenges was due to lack of adequate resources (tools, money, or people),
For connected medical devices, a 2015 Raytheon & Websense report suggests “up to seventy-five percent of hospital network traffic goes unmonitored by security solutions out of fear that improperly configured security measures or alarming false positives could dramatically increase the risk to patient health or well-being.” Medical devices and health care networks can be compromised in several ways. Malware can access and gather private data, potentially allowing cyber aggressors to gain control of connected systems.
It is critical to maintain and update operating systems, firmware and application software. Provided the complexity of these systems and the connected equipment used in manufacturing, hospitals and clinical offices, operating and application technology is often not user serviceable. It may run outdated applications and lack protections for software or firmware. Skilled software support is generally required
THE PATH FORWARD
DivIHN provides a strategy to address connected medical device security requirements through a security controls review architecture centered around the FDA guidelines. The controls must provide the appropriate technical measures to protect sensitive data generated and transmitted by the device. Technical measures include both software security controls, device security controls and well-developed foundational practices.