Medical Device Cyber Vulnerabilities: More Alerts
Healthcare Organizations Face Challenge of Tracking, Mitigating All the Risks Identified
The Department of Homeland Security has issued two more advisories concerning cyber vulnerabilities in certain medical devices, the latest in a series of alerts this year.
The stream of recent advisories is helping to draw more attention to the importance of addressing device security, many security experts say.
Since April, DHS's Industrial Control Systems Emergency Response Team has issued about a half dozen alerts advising healthcare entities of cyber vulnerabilities in equipment ranging from medical imaging systems to patient monitoring gear.
The intensifying attention on medical device cybersecurity is creating pressure on healthcare entities to keep track of - and then address - the findings involving medical devices used in their environments.
"The challenges associated with these vulnerabilities can vary greatly from things that the vendor needs to fix - meaning the hospital has no recourse to address - things that can be fixed through proper configuration/patching or architectural controls, and the ongoing issue of identifying all of these devices and the operational impacts of taking them offline to fix them and/or move them," says Mac McMillan, CEO of security consultancy CynergisTek.
"For the hospital, it's not just about the device; it's about balancing the clinical and operational impacts," he says.
Two New Alerts
The most recent alert, issued on June 5, pertains to improper authentication, information exposure and stack-based buffer overflow vulnerabilities in certain Philips Intellivue patient monitors and Avalon fetal and maternal monitors.
ICS-CERT notes that those issues "may allow an attacker to read/write memory, and/or induce a denial-of-service through a system restart, thus potentially leading to a delay in diagnosis and treatment of patients."
In addition, a May 17 ICS-CERT advisory warns of a vulnerability involving "missing encryption" for sensitive data contained in the Medtronic N'Vision Clinician Programmer, a small, portable device that offers a single programming platform for Medtronic Neurological implantable therapy devices.
If exploited, the vulnerability could allow an attacker with physical access to an 8870 N'Vision Compact Flash card to access patient data, ICS-CERT warns.
Those latest alerts follow several other advisories issued in recent months.
Those include an alert in May warning about vulnerabilities in some wireless electrocardiogram products from Silex Technologies and GE Healthcare, and vulnerabilities in certain computed tomography, or CT, systems from Philips (see DHS Issues More Medical Device Cybersecurity Alerts).
In addition, ICS-CERT in May issued an advisory concerning vulnerabilities reported to the agency by Becton Dickinson related to "KRACK" flaws affecting some versions of the vendor's Pyxis medication and supply management products.
And in April, ICS-CERT and the Food and Drug Administration each issued advisories concerning the availability of new software patches to further address cyber vulnerabilities first identified in 2016 by independent research firm MedSec Holdings in certain Abbott Laboratories implantable cardiac devices (see Abbott Issues Software Patched for More Cardiac Devices). The affected products were previously sold by device maker St. Jude Medical, which Abbott acquired last year.
The government-issued alerts usually advise healthcare entities about the steps needed to mitigate the problems, as well as measures being taken by the vendors.
Typically, those manufacturers also issue their own advisories related to the government warnings.
Besides the alerts, the FDA in the last couple of years has also released cybersecurity guidance for pre-market and post-market medical devices, and also has proposed other actions to bolster medical device cybersecurity (see FDA Proposed Action to Enhance Medical Device Cybersecurity).
The FDA's attention on medical device cybersecurity typically focuses on risks to patient safety. But vulnerabilities pose other problems as well.
So what types of vulnerabilities spotlighted in some of the most recent advisories are most concerning?
"They are all very different, but any of the ones that could cause the device to not operate properly or corrupt the information that the caregiver would receive are definitely the most troubling," McMillan says. "When physicians can't rely on these tools to provide accurate information we are right back where we were before they existed."
What should healthcare entities be doing to keep up with the increasing flow of discoveries involving medical device cybersecurity flaws?
"You should always stay abreast of the security alerts published for systems in your enterprise and their risk management program should include this task, but this is not the answer for solving the challenge of better security for medical devices," McMillan says.
Healthcare entities need a lifecycle approach to device security that starts with procurement and flows through retirement of the device and includes close coordination between IT and clinical engineering, he notes.
"The biggest hurdle, of course, is getting a handle on all of the devices they have to construct a strategy for secure management," McMillan says. "This is where they need to invest in either the technology or a service that creates this location-aware inventory with information about the integrity of each class of device. Doing this manually as it has been done in the past is just not effective."
Ben Ransford, president and co-founder of healthcare cybersecurity firm Virta Labs, offers a similar assessment: "Every time a vulnerability is disclosed, healthcare entities scramble inefficiently to figure out whether they are affected. Even with the best of intentions, if you're not incorporating specific inventory information-gathering into your clinical workflow, you're going to be blindsided again and again."
To help get a better handle on the medical devices impacted by cybersecurity advisories, Ransford suggests that organizations "keep specific inventory down to make, model, MAC address, and software version, and use modern software tools that match new threats against your device population."
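As an added illustration of the inventory matching Ransford describes (not code from the article or from Virta Labs), the following script holds an inventory keyed by make, model, MAC address and software version and checks each new advisory's affected-product entry against it; every vendor, model, MAC and version below is a constructed placeholder, and the version-range format is an assumption of this example.

```python
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Device:            # one inventory row: make, model, MAC, software version
    make: str
    model: str
    mac: str
    version: str

@dataclass(frozen=True)
class Advisory:          # one affected-product entry from a new advisory
    advisory_id: str
    make: str
    model: str
    min_version: str     # inclusive lower bound of the affected range
    max_version: str     # inclusive upper bound of the affected range

def norm(s: str) -> str:
    """Normalise make/model so 'Acme-Monitors' matches 'acme monitors'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def vtuple(v: str) -> tuple:
    """Turn '2.10.1' into (2, 10, 1): compare versions numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def affected(dev: Device, adv: Advisory) -> bool:
    """True when the advisory's make, model and version range match the device."""
    if norm(dev.make) != norm(adv.make) or norm(dev.model) != norm(adv.model):
        return False
    return vtuple(adv.min_version) <= vtuple(dev.version) <= vtuple(adv.max_version)

def match_advisories(inventory, advisories) -> dict:
    """Map each advisory id to the MAC addresses of devices it affects (hits only)."""
    hits = {}
    for adv in advisories:
        macs = [d.mac for d in inventory if affected(d, adv)]
        if macs:
            hits[adv.advisory_id] = macs
    return hits

# Constructed sample data: placeholder vendors, models, MACs and versions.
INVENTORY = [
    Device("Acme Monitors", "PM-100", "00:11:22:33:44:01", "2.9.0"),
    Device("acme-monitors", "PM-100", "00:11:22:33:44:02", "2.10.1"),
]
ADVISORIES = [
    Advisory("EXAMPLE-ADV-001", "Acme Monitors", "PM-100", "2.0.0", "2.9.9"),
    Advisory("EXAMPLE-ADV-002", "Acme Monitors", "PM-300", "1.0.0", "1.5.0"),
]
```

The second PM-100 runs 2.10.1, which a string comparison would wrongly place below 2.9.9; the numeric tuple comparison keeps it out of the affected set, and an advisory with no matching devices produces no entry.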
With resources stretched at many healthcare entities struggling to keep up with all the security issues affecting various systems, who should be responsible for medical device cybersecurity: the IT security team or the bioengineering group?
"It's a combination," McMillan says. "These devices have a clinical purpose, so the operator needs to know that those handling them understand what is most important here. But it is also a security problem, and most clinical engineering teams do not have the cyber expertise needed to assess the risk or prioritize solutions, and it's a technical problem so IT needs to be involved to address network solutions and challenges."
Ransford says healthcare entities should designate someone as the point person for dealing with newly disclosed threats. "That person should be responsible for assessing impact and following through with any necessary remediation," he says.
The responsibilities related to addressing medical device cybersecurity have led to new job categories for some healthcare entities, Ransford notes. "Starting around 2017, the best-prepared healthcare organizations have created specific job titles for technicians who straddle IT and biomedical groups and coordinate responses to threats. This person is also in charge of background risk assessment and security preparedness."
But the ultimate responsibility rests with the leadership of the hospital to provide a safe and secure environment for patient care, McMillan says. "This is one of the issues we have in healthcare: We keep trying to make it an IT issue or a security issue or in this case a clinical engineering issue; it's an operational patient safety issue."
On the Look-Out
Independent security researchers often identify and report vulnerabilities in medical devices to federal regulators or the affected vendors. But should healthcare entities also play a role in identifying and reporting medical device cybersecurity problems?
"I can think of only a handful of healthcare organizations that should be spending time on original, forward-looking security research, and they know who they are," Ransford says. "I recommend against getting fancy when basic problems are still rampant. Security is plagued with deep rabbit holes that can be fascinating but lead to dangerous distraction."
But McMillan says anyone in the healthcare ecosystem potentially can play a role in uncovering and reporting security problems in medical devices.
"Everyone in the industry should be reporting vulnerabilities they discover in their medical devices for the benefit of the rest of the healthcare community," he says. "Each report could mean the difference to someone else in the industry in terms of avoiding an incident. To not do that is irresponsible."