Medical devices pose weak link in preventing cyber attacks
For many users of Johnson & Johnson’s OneTouch Ping insulin pump, the benefit of ease of use has been outweighed by the fear of hacking.
In early October, the company sent letters to patients using the devices, alerting them to the fact that the OneTouch contained a cybersecurity flaw that could allow a hacker to reprogram the device to administer additional doses of the diabetes drug, which could be life-threatening.
In its letter to patients, Johnson & Johnson portrayed the risk as minimal. “The probability of unauthorized access to the OneTouch Ping System is extremely low,” it noted. “It would require technical expertise, sophisticated equipment and proximity to the pump.”
A spokesman for the company says it’s working to eliminate the vulnerability; it has laid out a series of steps patients can take to reduce the risk, such as turning off the pump’s wireless connection to a blood-sugar meter, or setting a limit on the amount of insulin that can be delivered.
The announcement is yet another stark reminder of known security issues that exist with medical devices, widely used by both providers and patients. Indeed, this is not the first time concerns have surfaced about the ease of hacking medical devices.
In mid-2015, the Food and Drug Administration took the unprecedented step of alerting users about cybersecurity vulnerabilities of the Hospira Symbiq Infusion System. The agency strongly encouraged healthcare facilities to discontinue use of the pumps.
And the FDA is not the only federal agency shining a spotlight on the vulnerabilities of medical devices. In 2014, the Federal Bureau of Investigation issued a report that predicted hackers could assail medical devices, and followed that up with an alert last year warning companies and the public about cybersecurity risks to networked medical devices and wearable sensors.
The threat to patient safety carries the biggest shock value, and healthcare organizations are widely concerned about those risks.
But the devices also pose risks to the networks of healthcare organizations, because they typically have weak defenses against malware and a medical device could serve as an easy entry point to providers’ internal data networks.
And experts say there is no easy fix.
“There has been very little progress made toward a final solution for medical device security,” affirms Mac McMillan, CEO and founder of CynergisTek, an information security firm. “There are pockets of action, but no lasting or effective approach to solving this long-standing issue. The problem is there are multiple competing priorities, such as not wanting to stifle innovation, and no real incentive for the manufacturers to provide more secure devices.”
Security experts and federal officials say the devices could become the focal point of a perfect storm for compromising healthcare data security and placing patient safety at risk. That’s because the vulnerability of devices to cyber attacks is well known, and hackers are becoming emboldened to find new ways to attack healthcare organizations.
The mix of risk factors is especially potent now. Hackers are seeking payoffs from grabbing patient information; provider security staffs are stretched thin; and hundreds of different kinds of medical devices are attached to internal networks, offering multiple entry points for cyber crooks to gain access.
Most security professionals are worried about the vulnerability of a myriad of networked medical devices that have Internet connectivity—from infusion pumps and X-ray scanners to picture archiving and communications systems, blood gas analyzers, medical imaging devices, medical lasers, life support equipment and many more.
These devices are expensive and last a long time, and providers may have them in place for five, 10 or 15 years or more, says Axel Wirth, healthcare solutions architect for Symantec. Software running the devices may be years old as well, and typically not easily protected by cyber defense software. What’s more, in many cases the devices are managed just by the manufacturer’s technicians, not a provider’s IT security staff.
For these and other reasons, the cyber defense posture of medical devices is porous, contends a series of recent white papers by TrapX Security, which develops deception-based cybersecurity defenses.
“In contrast to regular corporate IT networks, the presence of medical devices on healthcare networks may make them more vulnerable to attack,” says the TrapX research. “These vulnerabilities within medical devices may render components of the hospital’s cybersecurity technology less effective—you cannot easily detect malware on a system you cannot scan, and the primary reason for this problem is centered on the fact that medical devices are closed systems; as FDA certified systems, they are not open for the installation of additional third-party software by the hospital staff.”
From the attack end, providers are facing motivated and well-equipped attackers, who are becoming increasingly sophisticated in exploiting security weaknesses of healthcare organizations.
Healthcare has always been a prime target for hackers, TrapX notes. For example, as of March 30, 2015, data from the Identity Theft Resource Center shows healthcare breach incidents were 32.7 percent of all listed incidents nationwide. Hackers are incentivized because healthcare records provide a greater return—cybersecurity firm Dell SecureWorks notes that cyber criminals were getting paid $20 to $40 for health insurance credentials, compared with $1 to $2 for credit card numbers.
Cyber criminals have a larger arsenal with which to attack, says Wirth of Symantec. He notes that in 2008, his company documented 1 million different types of malware created that year. In 2015, Symantec estimated that 1.2 million different types of malware were published each day of the year.
“Threats are growing exponentially, and any medical device that was built five or 10 years ago was designed in a much simpler world,” he says. “On the hacker side, we’ve seen a shift where they are getting more sophisticated. The old days of brute force attacks are over. The attacks now are much more under the radar. They’re looking for weak spots [in defense]. Malware volume is up, hacker strategy has changed, and medical devices are caught in the middle.”
While hackers have more tools to use, there are more medical devices they can target. Last year’s alert on medical devices by the FBI noted, “As more businesses and homeowners use web-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet also increases the target space for malicious cyber actors. Similar to other computing devices, like computers or smartphones, IoT [Internet of Things] devices also pose security risks.”
Garry McCracken, vice president of technology for security vendor WinMagic, calls the FBI alert “very significant” and says the IoT threat “has been sneaking up on a lot of people as these devices get deployed and become more ubiquitous.” Providing perspective to the scope of the problem, McCracken says, “There are more IoT devices connected than there are people on the planet.”
Security experts view most medical devices as easy targets for hackers with basic technical skills and simple tools. Several demonstrations have shown that the security protections used by devices can be easily defeated. For example, at a security summit last summer conducted by BlackBerry, the entire hack of an infusion pump took fewer than five minutes. BlackBerry didn’t disclose the brand of device it hacked.
The demo “was provided as an example and not necessarily typical for all devices across the board,” says Graham Murphy, a security researcher for BlackBerry, which offers security services. “Once hackers make an initial connection to a pump, they could remotely access all devices connected to the same Wi-Fi network.
“In general, the skill set of a malicious hacker will only dictate how quickly they can compromise a system,” he says. “A compromised infusion pump could be used to access other devices and pumps on the network. Other devices could include laptops or call systems.”
“What is really alarming is the fact that it does not take an overly advanced set of skills to conduct this level of hack,” adds David Kleidermacher, chief security officer for BlackBerry.
Many factors are complicating efforts to harden medical devices against hacking.
The challenges in applying patches to prevent malware attacks are due primarily to the fact that the manufacturers service the devices, TrapX says, and the manufacturers may not pay enough attention to installing patches to prevent hacking. “To be blunt, there are very few diagnostic cybersecurity tools a hospital can use that can identify malware resident on the overwhelming majority of these devices,” TrapX notes. “The healthcare information and security teams view the medical devices as ‘black boxes,’ as they are generally not accessible to them at all.”
Wirth notes that many devices run on outdated operating systems for which current malware patches are not available; some are susceptible to malware that is years old.
Most hospitals have devices from hundreds of different manufacturers, and they are challenged just to locate devices, document where the devices are and manage the security risks associated with each.
And the footprint for risk continues to grow as more medical devices come online. Some 6 billion devices are connected to the Internet, according to Adam Levin, former director of the New Jersey Division of Consumer Affairs and co-founder of two companies, Credit.com and IDT911, a data protection firm. “Most of them are vulnerable to hacking,” he says. “Manufacturers haven’t focused on how well to secure their devices from the possibility of having their default passwords accessed.”
CynergisTek’s McMillan agrees that the growing number of IoT devices increases the risk vector for providers. “Medical devices that communicate wirelessly with a network are not dissimilar to other ‘things’ that communicate with the Internet,” he adds. “Attacks that target the IoT do not necessarily discriminate with respect to the device that they compromise, so indirectly, medical devices could be at greater risk.”
Medical device manufacturers say they are working hard to improve the defense of their equipment, but they insist this will require coordinated effort by all industry players.
Blame for the vulnerability of medical devices doesn’t lie solely with the manufacturers, asserts Michael McNeil, global product security and services officer for Royal Philips, which manufactures medical devices. “We believe there are a number of constituents to this problem, from manufacturers to hospitals to regulators,” he says. “It takes that entire village to address any potential issues that are out there.”
CareFusion, another manufacturer of pumps, is ratcheting up testing of its devices, says Nivaldo Diaz, vice president and general manager of worldwide technology solutions for BD, which owns the CareFusion product line.
“Our multidisciplinary cybersecurity team closely monitors cybersecurity threats in the medical industry, as well as across other industries that could impact our company and our customers,” Diaz says. “We also work with third-party security researchers and experts to regularly test and validate the security of our products and internal systems. BD’s internal team and independent external IT security experts regularly perform testing to identify potential vulnerabilities of our infusion pumps.”
Network security at customers’ sites is an essential component of insulating infusion pumps from hacking, Diaz believes. “However, we never assume that a hospital’s internal security protocols are enough to secure our devices,” he says. “We approach cybersecurity with our devices so they are protected regardless of the network security that may or may not exist at the customer site.”
A variety of reasons exist for the vulnerability of connected medical devices, including pumps, says Scott Erven, associate director of medical device and healthcare security for Protiviti, a global consulting firm that specializes in security issues. But he feels the devices can be made secure. “We can engineer security into them,” he says.
Improving the security of medical devices will take a multiplayer approach, agrees McMillan.
“This should not be just a provider or consumer problem. It starts with the government and establishing appropriate standards for safety and security of these devices,” McMillan says. “We need to recognize that cybersecurity is a safety issue. Next, we move to the manufacturers, who need to engineer and deliver secure medical devices and ongoing support. Then, we come to the providers, who should acquire the right solutions and deploy them in a safe and secure manner.… Patient safety is everyone’s responsibility.”
One example of such an effort involves work being done by the National Institute of Standards and Technology (NIST), which is launching a collaborative project to improve the security of wireless infusion pumps.
The goal of the work, which is being conducted by NIST’s National Cybersecurity Center of Excellence (NCCoE), is to create a security structure that can protect the pumps—and the information systems to which they connect—from hacking, says Gavin O’Brien, a computer scientist from NCCoE, who is the lead author of a white paper that’s a final version of a use case on providing security for wireless medical infusion pumps.
The collaboration with vendors will help develop a framework to protect the devices, O’Brien says. The ultimate solution is an entire defense framework, not just development of a hardened infusion pump—the devices still need to be able to be deployed within a hospital network environment and accessible for network connections.
There is no single, ultimate solution to ensuring the security of medical devices, notes Levin. Like protecting security elsewhere in the information system landscape, challenges posed by hackers won’t stop.
“It’s a constant battle—literally an arms race,” Levin says. “It’s a marathon and not a sprint. You can’t rest on your laurels—your situation can literally change an hour from now. This is an around-the-clock situation, especially when you’re dealing with medical and health-related devices. This is a collaborative effort of government, business, providers and consumers, and we all have to work together.”