Malware: The Threat to Medical DevicesExpert Offers Mitigation Recommendations
Malware affecting medical devices is one of the most serious emerging threats in healthcare, says security researcher Kevin Fu.
"If a medical device, let's say a bedside monitor, gets infected with a computer virus, then that device can do one of two things: It can break and therefore not be available to give patient care, or its performance is less predictable," says Fu, director of the security and privacy lab at University of Michigan, in an interview with HealthcareInfoSecurity (transcript below).
A malware-infected medical device "might actually give incorrect data to the healthcare professionals," he adds.
"You'll see a lot of attention to some fairly dramatic events involving what some might call hacking medical devices. But I think the real emerging issues are a little bit more mundane but have greater impact," and that includes malware, Fu stresses.
In the interview, Fu discusses:
- Why healthcare organizations need to put more pressure on medical device vendors about security issues at the time of procurement;
- Why healthcare entities need to allocate resources and encourage staff to do more reporting of security incidents involving medical devices;
- The emergence of mobile health applications that consumers can download via the web.
Before joining the University of Michigan in January as associate professor of electrical engineering and computer science, Fu served as an associate professor of computer science and adjunct associate professor of electrical and computer engineering at the University of Massachusetts-Amherst. Fu also has served as a visiting scientist at the Food & Drug Administration, the Beth Israel Deaconess Medical Center, Microsoft Research, and MIT CSAIL. He is a current member of the NIST Information Security and Privacy Advisory Board. Fu was also recipient of a Sloan Research Fellowship and the National Science Foundation Career Award, and he was named MIT Technology Review TR35 Innovator of the Year. Fu earned his Ph.D. in electrical engineering and computer science at MIT for research on secure storage and web authentication.
Risks to Medical Devices
MARIANNE MCGEE: To start, could you briefly explain why medical devices pose security risks and what some of those risks are?
KEVIN FU: First of all, every object has risks and benefits, and medical devices are no different from that equation. But medical devices today tend to contain computers and software. Computers and software have a natural tendency to include security risks, and the medical devices inherit that. Examples of these kinds of risks include the confidentiality, integrity and authenticity of the wireless communication, as well as the programming of the device, among other risks.
Emerging Security Threats
MCGEE: What are some of the new emerging security threats that we should be watching out for when it comes to medical device security and why?
FU: There are emerging risks and then there's emerging discovery of the implications of those risks. One of the emerging issues I'm seeing is the prevalence of malware in clinical computing environments. You'll see a lot of attention to some fairly dramatic events involving what some might call hacking medical devices.
But I think the real emerging issues are a little bit more mundane but have greater impact. If a medical device, let's say a bedside monitor, gets infected with a computer virus, then that device can do one of two things. It can break and therefore not be available to give patient care, or its performance is less predictable. It might actually give incorrect data to the healthcare professionals. I'd say an emerging risk is the prevalence of malware on medical devices - conventional malware getting into medical devices that just happen to run commodity software, off-the-shelf software, and therefore make it more difficult to deliver patient care.
Devices Most at Risk
MCGEE: What medical devices do you think are most vulnerable to these security issues?
FU: Right now, I don't think there's a great consensus on which devices are most vulnerable. You can talk about high-consequence devices that are in smaller numbers, such as the implantables, or you can talk about devices that are much more prevalent, say bedside monitors, but the consequences perhaps might not be as immediately great. These are very difficult kinds of risks to quantify.
Right now, the only consensus is that those in the industry and those in academia realize that there's a problem with malware interfering with medical devices, and right now the big question is what the number-one priority is. Those kinds of discussions are still going on, and the answers aren't out there yet.
MCGEE: What kinds of safety concerns do medical device security issues pose to patients, and what can patients do to protect themselves?
FU: First of all, medical devices have risks and benefits, and I think, in most cases, the benefits far outweigh the present-day risks. The real safety concern, in my view, is the future risks coming down the line as more and more devices use wireless communication, pathways to the Internet and software inside the device. For instance, you might have a pump that requires human intervention and in the future that pump might become what's called "closed loop," or effectively automated without a human in the loop. In those kinds of situations when the devices become much more automated, that does raise some more questions about safety. It doesn't mean the device is inherently less safe, but it does raise some questions. And I think patients, for their part, need to have some assurance that there are a number of very smart engineers working on these problems. But it's a multi-headed problem not only about good engineering and good delivery of patient care, but also there's quite a bit of work [happening] on the business management side, justifying the cost it takes to protect these kinds of systems.
Assessing Security Risks
MCGEE: How should healthcare entities be assessing medical device security risks, and what should they be doing to mitigate those risks?
FU: Healthcare entities, in my view, are really sort of in a bind. They're stuck between a rock and a hard place because they're the front lines. They know what's going on. I've yet to go to a single hospital that hasn't had some kind of malware issue, but I find that hospitals and staff at hospitals are either reluctant to file reports on security issues or simply don't have the resources to do so effectively. One suggestion I have for healthcare entities is to do more conscientious reporting of security incidents, whether it be automated or manual.
But one way forward to help mitigate these risks is what we call security economics. Today, hospitals, for instance, ought to be putting stronger terms in their procurement processes such that they have a quantifiable assurance about the cybersecurity of the medical devices they're buying. For instance, a vendor could be more upfront about the maintenance costs. There could be an optional security maintenance plan. It's not clear which entity will end up paying for that cost, but I think it's way beyond the time that we pretend there's no cost. If it's in the procurement process, then the hospitals, healthcare entities and the vendors will be able to have a much more honest discussion about the cost and the unintended consequences of using hardware and software that are susceptible to security risks.
Advice for Vendors
MCGEE: You brought up procurement and vendors. What can the medical device makers do to improve the security of their products?
FU: One of the more effective techniques I've found across manufacturers is to get the security engineering much earlier into the manufacturing process. I've seen one large medical device manufacturer now including security in what's called the design concept phase, before even the requirements of the device are written, which is before the design has been created, before the implementation and before the deployment. If a manufacturer has already deployed a device and now is asking the question, "How do we secure that?" ... they've missed the boat and it's very difficult and very costly to add security after the fact.
I think that the manufacturers who are a little more forward-looking have been able to see the future and realize that in seven years they're not going to be able to ignore this problem any more. They're planning ahead, getting security into those early phases so that they don't get stuck with a large bill six to seven years down the line when they suddenly realize, "You know what, we did need that but now we're going to have to basically pay 10 times more to retro-fit."
MCGEE: What do you expect we might see on the regulatory front this year when it comes to medical device security? What would you like to see?
FU: I don't have a crystal ball on what regulations are going to appear. I suspect there will be a combination of guidance documents and, perhaps, industry self-regulation. I know many manufacturers who care deeply about improving security, and I suspect they're going to try to help nudge the industry to have more consistent security engineering practices, sort of a minimum threshold.
One front that's starting to brew and I think will be productive is there are a number of workshops popping up across the country. These workshops are bringing together some of the smartest engineers from different manufacturers. They realize this is not a problem of one manufacturer. This is not a problem of one hospital. This is the problem of the entire community. So we're getting the smart people in the same room at the same time, not to complain about security problems, not to point fingers, but to figure out what's the right way forward. What are the right engineering practices? What are the right project management issues to deal with, and what are some of the economic issues that have to be solved to improve these devices that ultimately provide better, safer and more effective care for patients?
Mobile Medical Apps
MCGEE: A lot of patients have mobile devices and they're downloading applications that turn these smart phones into medical devices at home. Are there any particular security risks that are involved that need to be looked at more carefully?
FU: There are a couple of interesting dimensions to what are ... being called mobile medical apps. There will be security risks. That's not very surprising. There will always be risks. The real question is [are the risks] being balanced with the benefits?
[Here's] one of the challenges that I've seen in observing interactions at various workshops and other events. I have a lot of friends from the software community. I have a friend who works for an online gaming company, creating mobile apps and games for phones. I also have some colleagues who work in the medical manufacturing space. Now the problem is you've got two radically different cultures. In the medical device manufacturing community, it tends to be more safety-conscious. They're much more familiar with some of the validation practices and the FDA regulations. There's somewhat of a storm because when the IT culture comes in and is used to exponential change overnight - Facebook style, the exponential increase in number of users - that culture isn't used to the slightly more deliberate and careful processes that you would find in medical device manufacturing. There can often be a rush to market, and I think there are some unrealistic expectations when there's a medical app that has to be safety-conscious.
How to balance that is still a discussion being had, because you don't want to hold up medical apps. I've seen some fantastic ones that have solved some safety issues with some very clever usability problems. I'll give you one example. I saw one mobile app for radiology and they solved a safety problem by using effectively the contrast of the mobile device screen to determine if the radiologist is in a well-lit area. If the radiologist is in a poorly-lit area, then the app will warn the healthcare professional, "You shouldn't be using this app in this location." This is the kind of problem that comes up with mobile apps and bring-your-own-device situations that wouldn't traditionally come up in a room dedicated for viewing X-rays.
Medical Device Research
MCGEE: Is there any new medical device-related research that you have under way or planned that you can tell us about?
FU: In my lab, we always have new research coming out, and we like to think about more of the emerging risks. ... I feel that there are an insufficient number of research projects looking at what the constructive ways are to improve medical device security. There's quite a bit of attention to breaking things, which I think is one element. But it's much, much harder to figure out constructive ways to mitigate these kinds of risks. I'm hoping to see much more research on the mitigation side, but I think you also see still a number of reports identifying vulnerabilities because that's important to raise awareness, to change the mindset and realize that there are problems. Now let's start thinking about how to solve them.