Medical device cybersecurity is lousy — beyond lousy.
Indeed, the word from security experts for most of the past decade (and certainly since those devices increasingly have become connected to the internet) has been that while the physical security of most is superb and the devices function flawlessly, possibly for years at a time, when it comes to security from malicious online attacks, these devices are frighteningly insecure.
The web is practically littered with recent reports confirming this:
- A study by WhiteScope IO released in May reported more than 8,000 vulnerabilities in the code that runs in seven pacemakers from four manufacturers.
- A report released in December 2016 on an investigation into new implantable cardiac defibrillators (ICD) found security flaws in the proprietary communication protocols of 10 of them.
- Trend Micro reported in May that more than 36,000 healthcare-related devices in the U.S. alone are discoverable on Shodan, the search engine for connected devices.
- Ponemon, in a survey sponsored by Synopsys, reported in May that, “roughly one third of device makers and HDOs (health delivery organizations) are aware of potential adverse effects to patients due to an insecure medical device, but despite the risk only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent such attacks.”
The problem, which has existed since HDOs began connecting these devices to the internet, is that the majority are being trusted to do what they weren’t designed to do — protect patient information and the patients themselves — from cyber attacks.
[ Related: How to securely deploy medical devices ]
Chris Camejo, director of product management, threat intelligence at NTT Security Devices, noted that most medical devices in use today would be secure, “only in a closed, trusted environment without any potentially malicious activity."
“Unfortunately a hospital network can't be considered trusted, as it is connected to the internet and contains thousands of internal users, any one of whom could click on the wrong link or download the wrong attachment,” he said.
Still, debate continues about how imminent is the risk of physical harm. Jay Radcliffe, a medical device security expert and Type-One diabetic, famously said at the 2014 Black Hat conference that it would be far more likely for, “an attacker to sneak up behind me and deliver a fatal blow to my head with a baseball bat,” than to be harmed by a cyber attack.
And the experts I spoke with say they are unaware of a documented, targeted attack on a device that caused physical harm to a patient.
But Stephanie Domas, lead medical security engineer at Batelle DeviceSecure Services, said a lot remains unknown about whether malfunctions of devices are caused by malicious cyber incidents. “I don’t know of a manufacturer that does root-cause forensics when a medical device misbehaves,” she said. “Nobody is looking to see how it happened.”
Camejo said regardless of the class of device, or whether it is located inside or outside of the hospital environment, “the risks are essentially the same: Patients’ lives often depend on these devices performing their functions accurately, and an attacker who can control one of these devices can alter those functions to the potential detriment of the patient, up to and including death.”
So should certain devices be banned? Domas and other experts say no – that it is difficult to say that one device, or even class of devices, is more vulnerable than others. They say the problem lies more in specific capabilities or features that can make them much more attractive targets and/or their users more vulnerable to harm.
These are the 5 features that the experts I spoke with say cause the greatest risk:
1. Cloud dependent
Only about 10 percent of medical devices fall into what the Food and Drug Administration (FDA) calls Class III, which means they are designed to sustain or support life (e.g., pacemakers and glucose meters). If these devices were hacked, an attacker could put patients’ lives or health in jeopardy.
Sonali P. Gunawardhana, of counsel with Wiley Rein and a former FDA attorney, pointed to glucose meters that are smartphone connected, which help patients monitor their sugar levels. If the app on the phone is hacked and a patient receives incorrect data, leading to incorrect decisions on managing sugar levels, “that can cause irreparable harm,” she said.
Chris Clark, principal security engineer at Synopsys, said devices that depend on the cloud for performance are “similar to telemedicine,” and can include devices like infusion pumps and patient monitors that use the cloud to perform their services.
“They have to go out to the internet,” he said, “which means there is a high potential for disruption or denial.”
2. RF connectivity
Clark said anything that is RF (radio frequency) based is at higher risk.
“Fitbit talks Bluetooth to our smartphones,” he said, “which is mostly OK, since it doesn’t talk to other devices.
“But the phone is an aggregation point for all types of technology, not just healthcare,” he said. “Most people don’t even know if they have Wi-Fi or Bluetooth. They just assume the manufacturer has provided for their security. But once we’ve enabled that type of tech, its more savory for an attacker.”
3. Commercial operating systems and software
Domas noted that WannaCry (one of the most recent high-profile ransomware worms), “was not targeted at medical devices. Nothing about it was aimed at hospitals, but it affected a lot of them once it was able to get in.
“Those attacks look for anything that is vulnerable. They saw devices that were vulnerable and attacked them.”
And even if it hadn’t attacked specific devices, the encryption of everything in a hospital system could mean shutting down all devices that serve patients.
Also, those systems may be obsolete. The Trend Micro survey found that more than 3 percent of exposed devices still used Windows XP, the Microsoft operating system that the company no longer supports, which means it no longer receives security updates.
[ Related: Microsoft's emergency patch is no reason to hold on to Windows XP, Server 2003 ]
4. Holding patient data
Not all devices hold patient data, Domas said, but those that do are vulnerable to having that data compromised, since they generally communicate directly with the Electronic Health Records (EHR) system.
“There have been in-the-wild attacks on X-rays and PACS (Picture Archiving and Communication System),” Domas said, “some of which will contain a whole patient record.
“The devices are designed to talk to your records, so anything that compromises them will have a connection to the rest of the data on a patient.”
Gunawardhana agreed. “Pacemakers, insulin pumps, CT scanners, MRI machines and digital health records are at the greatest risk, given their interconnectivity to various medical platforms within the hospital setting,” she said. “There are many ways these devices could be hacked in which damage could be done to patients.”
5. Third-party connections
Clark said it is not so much the class of the device but its purpose. “Remote monitoring is becoming incredibly popular,” he said, because it helps existing staff oversee all the patients in hospitals where they might not be able to do it physically.
“But if they use third-party servers, there is a high level of risk,” he said.
Domas agreed, noting that “devices that need to phone home” depend on the security of that third party. “It punches a hole in your (the HDO’s) security,” she said, noting that this applies to any connection “that needs to leave the hospital.”
One example is devices in ambulances that connect with a server at the hospital, so doctors in the hospital can see when a patient arrives what was already done in the ambulance. “You want that information to get to the doctor,” she said, “so there are good reasons for the device to have that capability,” but it also means the communication is less secure than it might be inside the hospital system.
PCs within the hospital network could even be considered a “third party.” Camejo noted that many devices are controlled through PCs. “Even if the device itself isn’t vulnerable, “an attacker who takes over the PCs that administer these devices could gather passwords and then attack the devices directly,” he said.