Providers begin efforts to mitigate hacking risks for medical devices
Hackers have been targeting U.S. healthcare organizations for nearly a decade, and now they have turned their attention to a new favorite target—medical devices. And they have a wide variety of devices to choose from.
Vulnerabilities of medical devices to hacking have become a rising source of concern for healthcare IT executives, and they are increasingly looking for ways to defend medical devices on their networks.
More tools and approaches are being devised to protect devices, and those approaches are the beginning steps in improving defensive perimeters around devices and the networks on which they operate. Lessons that healthcare organizations are learning have implications for security needed to expand protection from hacking to wearable sensors and devices that are on the Internet of Things.
However, healthcare organizations are struggling to catch up to improve the cybersecurity of medical devices, which most industry experts believe remain susceptible to hacking.
In general, hackers aren’t attacking devices—as well as the networks they sit on—to cause patient harm. Rather, they’re looking for an easy way to get into a system, and then use that as a launching pad to access a hospital’s core network, where they can gather a treasure trove of patient data that can be sold to thieves or held for ransom.
“Denying services is one thing; doing harm is another,” says John Fowler, deputy information security officer at Henry Ford Health System in metro Detroit.
Often, the easiest way to gain entry is through the hundreds of medical devices within a hospital. Many of those devices have been in service for a decade or longer, and they have little, if any, security protections. Infusion pumps, lasers, medical imaging devices, patient monitors, ECG/EKG machines, anesthesia systems, defibrillators and vital signs monitors are among the devices that commonly serve as entry points for hackers.
Vulnerabilities in other devices could cause more havoc by threatening patient care. While no cases have been reported yet, hackers may exploit devices linked to patients to cause harm, or at least threaten harm if a ransom is not paid—for example, by changing settings on pacemakers or delivering higher doses of chemotherapy, Fowler says. “That’s actually the scariest piece—that we could harm our patients.”
Historically, providers and medical device manufacturers have not collaborated on device security, and that has to change, contends Neal Ganguly, vice president and CIO at JFK Health System in New York. Manufacturers need to agree among themselves on the development of standards for security, in concert with providers, who can explain what they need, such as encryption protocols that do not hamper workflows.
“We need to put an industry focus on this,” Ganguly adds. “There is some talk of creating information sharing groups that can work without recrimination to foster manufacturer-provider collaboration.”
The College for Healthcare Information Management Executives, an organization for information technology professionals, is pushing to create a collaborative environment for provider-manufacturer discussions, he notes.
But there are signs of progress as medical device vulnerability has gained attention. Recent guidance from federal agencies could help providers and vendors as they work toward finding answers to better addressing cyber threats. The Food and Drug Administration issued final guidance entitled, “Postmarket Management of Cybersecurity in Medical Devices,” targeting device manufacturers. In addition, the National Institute of Standards and Technology released a draft update to the “Framework for Improving Critical Infrastructure Cybersecurity,” which addresses device vulnerabilities.
However, even hospitals that are attempting to improve their existing security levels are finding the task difficult because the devices they already have were not designed to support security upgrades.
“It is not easy to add on; you have to dig deep into the code and software to implement greater security in the devices,” contends Brian Finch, a partner in the law firm of Pillsbury Winthrop Shaw Pittman. “The chief information security officer likely won’t be familiar with systems in the device and you’ll have to retain outside help.” That extra help can save time and money, because software that has already been written often contains errors, and every error is a potential pathway for a hacker; the more software you add, the higher the risk.
Another way organizations are looking to lower cyber threats is to segment medical devices on a dedicated network. That way, if a hacker attacks the devices, a healthcare organization can restrict the hacker on that segment, and he won’t be able to get to the electronic health record, imaging systems, workstations and other information systems, says John Fowler of Henry Ford.
“It takes a lot of work to set these up,” he cautions. The segmentation approach is relatively new; it can be rolled out piecemeal, but it requires new network designs, additional infrastructure and more firewalls, all of which must be budgeted for and staffed.
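As an added illustration of the segmentation idea above (not code from the article or from Henry Ford Health System), the following Python models a device segment that may reach only an integration gateway, and shows why a flat network lets a compromised device reach the EHR, imaging systems and workstations. The subnets, gateway address and ports are constructed assumptions.

```python
"""Model of a segmented medical-device network versus a flat one.

Added illustration; all subnets, hosts and ports below are constructed
sample values, not an address plan from the article.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample address plan (assumption).
ANY = ipaddress.ip_network("0.0.0.0/0")
DEVICE_SEGMENT = ipaddress.ip_network("10.50.0.0/16")   # pumps, monitors, imaging modalities
INTEGRATION_GW = ipaddress.ip_network("10.10.5.10/32")  # HL7/DICOM integration engine


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: frozenset      # empty frozenset means any port
    action: str           # "allow" or "deny"


# Segmented policy: devices may talk to the integration gateway on the
# interface ports only (2575 = HL7 MLLP, 104 = DICOM); anything else
# leaving the device segment is dropped, and a drop here is a detection
# signal worth alerting on, since a pump has no business reaching the EHR.
SEGMENTED_POLICY = [
    Rule(DEVICE_SEGMENT, INTEGRATION_GW, frozenset({2575, 104}), "allow"),
    Rule(DEVICE_SEGMENT, ANY, frozenset(), "deny"),
]

# Flat network: nothing separates devices from the rest of the hospital.
FLAT_POLICY = [Rule(ANY, ANY, frozenset(), "allow")]


def evaluate(policy, src, dst, port):
    """First-match rule evaluation; default deny when no rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (not r.ports or port in r.ports):
            return r.action
    return "deny"


def lateral_movement_blocked(policy):
    """True when a compromised device cannot reach EHR, imaging or workstations."""
    pump = "10.50.3.17"                      # constructed infusion-pump address
    targets = [("10.10.0.25", 1433),         # EHR database server
               ("10.20.0.8", 104),           # PACS/imaging server
               ("10.30.0.100", 445)]         # clinical workstation
    return all(evaluate(policy, pump, t, p) == "deny" for t, p in targets)
```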
Focused gap analysis
As healthcare organizations look to shore up device protection, they’re looking for outside help. For example, patient safety organization ECRI Institute in late 2016 launched a cyberattack gap analysis service for healthcare providers, focusing on threats to medical devices that interact with patients.
The organization is using internal experts to assess a hospital’s medical device inventory for cyber-exposures and to develop programs and policies to minimize a hospital’s vulnerability. This may include using reporting mechanisms like ECRI’s hazards and alerts system, as well as others like the National Healthcare-Information System and Analysis Center (NH-ISAC), says Robert Maliff, director of the applied solutions group at ECRI.
There are plenty of gaps to identify and assess, Maliff notes. Too often, organizations do not understand which devices are connected to their networks. Also too often, the medical device and information technology departments are not talking to each other.
And while providers may train employees against phishing attacks, they still let physicians plug their unsecured smartphones into a medical device to charge the phone during surgery, with the phone delivering a virus to the hospital’s network. “You don’t want staff members plugging personally owned devices into the hospital’s networks,” Maliff warns.
The ECRI assessment covers eight areas: managing equipment, installing patches, training security staff, managing risks, scanning for vulnerabilities, proper disposal of medical devices, including security features in requests for proposals, and device integration lab tests. Other issues covered within these areas include password management, user identity and internal controls, biometrics, firewalls, culture, infrastructure such as secure servers, USB port policy and a network security team.
The analysis generally will take one or two days depending on the size of the organization. Leadership that should participate includes the CIO, CISO, sourcing and purchasing personnel, and informatics, risk management and clinical engineering professionals. This is the group that will take the recommendations to the board.
If nothing else, the cyberattack gap analysis can help these leaders improve their relations with the board, Maliff believes. “The last thing any hospital leader wants is to be in front of the press because there is ransomware in their facility. This is a proactive approach for medical device security.”