How to Respond to FBI Alert on Medical Devices

With increasing networked medical devices and sensors in healthcare, the Federal Bureau of Investigation’s cyber alert warning last week about the vulnerabilities of the Internet of Things (IoT) and the opportunities they pose for exploitation by cybercriminals is a wakeup call for the industry.


Health Data Management spoke to cybersecurity experts to get their advice on what hospitals and practices should do now to protect their IoT devices from cyber threats and to ensure patient safety.

While most experts agree that the security risks of these devices have been well known for some time, they say the FBI’s “public service announcement” effectively raised the red flag for healthcare organizations and the general public about the potential for malicious cyber actors to wreak havoc.

The alert from the law enforcement agency about the “deficient security capabilities” of IoT medical devices, such as wireless heart monitors and insulin dispensers, reinforces the need for providers to adopt best practices that limit unauthorized access to the devices and their sensitive data. One of the potential threats to unprotected IoT devices that the FBI warned the public about involved scenarios in which hackers might change the coding controlling the dispensing of medicines or health data collection.

“You can imagine that if a state or criminal network were to exploit a widespread vulnerability in medical devices like that it could be a significant hack not only impacting infrastructure but people’s health and safety,” says Garry McCracken, vice president of technology for security vendor WinMagic. “The damage that can be done to individuals is more acute in the healthcare industry. We’re not just talking about health records but control of medical devices that people depend on for their health.”

In its alert to companies and consumers, the FBI provided a laundry list of general recommendations to better safeguard IoT devices:

  • Isolate IoT devices on their own protected networks;
  • Disable Universal Plug and Play protocol (UPnP) on routers;
  • Consider whether IoT devices are ideal for their intended purpose;
  • Purchase IoT devices from manufacturers with a track record of providing secure devices;
  • When available, update IoT devices with security patches;
  • If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router;
  • Use current best practices when connecting IoT devices to wireless networks, and when connecting remotely to an IoT device; and
  • Ensure all default passwords are changed to strong passwords. Do not use the default password determined by the device manufacturer.

“If you’re going to start somewhere, start with these common sense recommendations from the FBI,” advises McCracken. “It covers all the basics.”
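To show how a hospital security team might operationalize the checkable items on the FBI list (isolation, UPnP, default passwords, open Wi-Fi, patch level), here is an added inventory audit in Python. It is not code from the article or from any vendor quoted in it; the VLAN names, device records and vendor firmware versions are constructed for illustration.

```python
# Added example (not from the article): audit a device inventory against the
# FBI checklist quoted above. Device records and vendor versions are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: these VLAN names are the hospital's segregated IoT segments.
ISOLATED_VLANS = {"iot-medical", "iot-lab"}

@dataclass
class Device:
    name: str
    vlan: str              # network segment the device lives on
    default_creds: bool    # vendor default password still in use
    upnp_enabled: bool     # UPnP reachable on the device's router path
    open_wifi: bool        # joined to an unsecured Wi-Fi network
    firmware: str          # installed firmware version
    vendor_latest: str     # newest vendor release (assumed known)

def _ver(v: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def audit(d: Device) -> List[str]:
    """Return one finding per FBI recommendation the device violates."""
    findings = []
    if d.vlan not in ISOLATED_VLANS:
        findings.append(f"not isolated: shares VLAN '{d.vlan}' with hospital hosts")
    if d.upnp_enabled:
        findings.append("UPnP enabled on its network path")
    if d.default_creds:
        findings.append("vendor default password still in use")
    if d.open_wifi:
        findings.append("connected over open Wi-Fi")
    if _ver(d.firmware) < _ver(d.vendor_latest):
        findings.append(f"firmware {d.firmware} behind vendor release {d.vendor_latest}")
    return findings

def audit_inventory(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device name to its findings; clean devices are omitted."""
    return {d.name: f for d in devices if (f := audit(d))}

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("infusion-pump-07", "clinical-lan", True, True, False, "1.4.2", "1.5.0"),
    Device("telemetry-monitor-3", "iot-medical", False, False, False, "3.2.0", "3.2.0"),
    Device("wireless-glucose-12", "iot-medical", False, False, True, "0.9.8", "0.9.10"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```

The two judgement items on the list (whether a device is needed at all, and the vendor's security track record) are left to procurement review rather than automated here.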

Likewise, Carl Landwehr, a research scientist at the Cyber Security Policy and Research Institute at George Washington University, believes that the FBI’s advice to organizations and consumers is “reasonable,” adding that “CISOs of hospitals have probably all pretty much implemented these best practices at this point.”

First and foremost, Scott Montgomery, Intel Security’s chief technology strategist, believes providers need to assess whether Internet-connected medical devices are needed to provide essential patient care, or as the FBI asks: whether IoT devices are ideal for their intended purpose. If the answer is no, then healthcare organizations need to increase their security posture by not permitting those devices.

According to Montgomery, the second “demarcation line” is making sure IoT devices reside on segregated/protected networks so that they cannot be accessed remotely by unauthorized users via hospital networks.

However, McCracken notes that providers should also address one area the FBI did not comment on in their alert, namely securing data at rest with strong encryption—a critical step given that unauthorized users can potentially gain access to any personal or medical information stored on these devices.

Mac McMillan, CEO of information security and privacy consulting firm CynergisTek, takes issue with one of the FBI’s recommendations: buy IoT devices from manufacturers with a track record of providing secure devices. According to McMillan, there are no good choices when it comes to purchasing these devices from a cybersecurity perspective, leaving consumers with “choosing the best of the worst.”  

In addition, he charges that there is nothing new in the FBI’s alert or “revelations in terms of novel ideas” for how healthcare organizations can deal with the inherent lack of IoT device security. Further, McMillan calls the FBI recommendations “compromises” not “fixes” for the problem that only serve to limit—not eliminate—exposure to cyber threats. An FBI spokesperson was not immediately available for comment.

“We know these devices are basically insecure in almost every case in large part because there are no standards for how the devices are developed,” he argues. “A lot of times these devices are written on antiquated operating systems or operating systems that are not up to spec with respect to service packs and patches. Oftentimes, default passwords are written into the software itself or they can’t be removed.”

Much-Needed Standards

McMillan asserts that as an industry “we’re still putting a Band-Aid on this instead of actually addressing the problem and fixing the devices.” He believes a medical device standard must be developed to ensure that these devices operate on a secure platform and supported operating system so communication is protected in such a way that they are “set up to only communicate with legitimate sources,” eliminating automatic authentication protocols that “talk to anybody.”

According to McMillan, until those standards are developed and adopted by medical device manufacturers, the healthcare industry will continue to “treat the symptoms” of IoT insecurity instead of the problem. “It really comes down to the manufacturers and whether they are willing to put the time, effort, expense and investment into producing better devices,” he adds.

For its part, IEEE—a professional association of engineers in multiple industries including healthcare—has issued draft guidance to help software developers establish a baseline of security for software development and implementation of medical devices. The goal is to reduce or eliminate security vulnerabilities that could enable unauthorized persons to access the devices.

“What I’ve been trying to encourage the development of is something akin to a building code for these kinds of devices,” says Landwehr, co-author of the IEEE guidance. Similar to McMillan, Landwehr believes medical device manufacturers bear responsibility for improving the security of IoT devices— which is the underlying problem—and he is “reasonably positive” about their response to the guidance.

“The medical device community is beginning to recognize that they have a problem in this area and they want to address it, and the FDA has started to provide some very general guidance to them,” he observes. “But, in many cases, people in the medical device community haven’t had much acquaintance with security concerns. It’s not at the top of their list of priorities.”

Montgomery notes that “there are no set guidelines [for cybersecurity] from the manufacturers, but merely FDA approval of medical devices.” And, he says, certain kinds of devices “preclude after-market adjustments for the purpose of security.” What manufacturers need to do is make security part of medical device design upfront, rather than “reacting” after the fact, Montgomery adds.

Regulatory Front

The U.S. Food and Drug Administration has authority to regulate medical devices. Current regulations allow the FDA to take action against products that impact or potentially impact the health and safety of patients when they do not function as originally intended. 

But, according to McMillan, the regulatory approach of the FDA “isn’t necessarily from a cybersecurity perspective” and so far “the government has proven ineffective in being willing to regulate the market to conform.” 

In a written statement, a spokesman for the FDA disputed those charges, arguing that the regulatory agency approaches medical device cybersecurity from a “total product life cycle perspective” by collaborating with researchers, software engineers, manufacturers, government staffers, information security specialists and healthcare professionals to “address the shared responsibility of managing cybersecurity vulnerabilities.” The FDA says it “works closely with other federal agencies and industry to identify and communicate with manufacturers, healthcare professionals and facilities about specific vulnerabilities.”

Case in point: the agency recently issued an alert strongly encouraging healthcare facilities to discontinue use of certain infusion pumps due to cybersecurity vulnerabilities. “The FDA takes cybersecurity issues associated with medical devices seriously,” states the spokesman, who adds that the agency is “actively monitoring cybersecurity issues associated with infusion pumps.”

And the agency says it is actively working with several other government agencies, including the Department of Commerce, Department of Homeland Security, Department of Justice, and Federal Communications Commission, to share and understand cybersecurity vulnerabilities as they pertain to medical devices.

Nonetheless, McMillan argues that the FDA doesn’t “stray into the cybersecurity side of things unless it presents a clear danger to patient safety.” Generally, he asserts, the agency “does not regulate security” as it relates to IoT devices. “Nobody has taken responsibility in the government to regulate the quality of these devices from a pure cybersecurity perspective.”
