Sheer number of medical devices enlarges security gaps
Hospitals that want to improve network security should carefully assess the hundreds of medical devices they’re using, including fetal monitors, medical imaging devices, electrocardiographs, lasers and gamma cameras, to name a few.
Some devices hold a sizable amount of data that can be hacked; others don’t have much data, but can increase network vulnerability. Infusion pumps, for instance, don’t have a lot of data but are a gateway to the network and “have become the poster child for medical device security gone wrong,” says Stephanie Domas, an ethical hacker and lead medical device security engineer at Battelle, a large research and development organization.
Infusion pumps are not designed for security, and their vulnerabilities are well known to researchers, who can easily buy a new device and assess its level of security.
For years, researchers have been trying to work with medical device manufacturers to improve the security of new devices being manufactured, often without much success, Domas says. But that is starting to change.
The breakthrough came when researchers released reports on infusion pump vulnerabilities, particularly the Hospira Symbiq Infusion System, and then the Food and Drug Administration alerted users of the Hospira Symbiq to significant cybersecurity vulnerabilities and recommended discontinuing use of the pumps.
Hospira learned to actively respond to researchers, Domas says, and there is growing cooperation among manufactures and researchers, with some researchers having access to devices under development to reverse engineer and look for flaws without running afoul of the Digital Millennium Copyright Act.
Manufacturers also increasingly are setting up procedures to accept information from outsiders who have found vulnerabilities in devices.
Hospitals themselves often are to blame for poor device security, Domas asserts, with poor patch management. Facilities use a wide range of devices, which often need security patches, and the increased complication is a contributing factor to increased vulnerability.
Hospitals aren’t trying to be lax about security, but the very number of devices makes it difficult. “They first need to know where all the equipment is,” she says. “It’s really hard to track what is available and where it is, and to track patching.”
The industry also has many third-party medical device resellers, so a hospital may not have a direct contact to a manufacturer, which may not even know that a hospital bought its products.
When providers do buy medical devices from the manufacturer, they should expressly specify the security and safety requirements that they expect a device to have, Domas counsels. The Mayo Clinic, for instance, has a list of expectations for vendors to meet before making a buy. More of that can really help drive the industry toward safer and better devices, she adds.
“Both sides are really trying to get better. The top goals for providers are patient care and safety. But there is a lack of good security talent for manufacturers to hire.”