Why the risk surrounding medical device security is still high
It’s no secret that every network, be it healthcare or not, is almost guaranteed to have insecure and often unknown devices attached to it.
We have all been conditioned to want the latest technology, and we want it to work immediately with little to no effort. In an effort to keep up with this exceedingly popular consumer demand, device makers do everything they can to make their “things” instantaneously work when you turn them on or plug them in. This is shockingly true and consistent, whether it’s a $15 smart light bulb or a multi-million dollar MRI machine.
The major issue with this approach is that it makes security an afterthought at best, leaving security gaps that attackers can exploit at will. To compound the problem, there are constantly more “things” being added and connected to the Internet. As of mid-2018, there were more than 17 billion devices, 7 billion of those IoT devices, connected to the Internet. This is expected to be 10 billion in 2020 and 22 billion just five years after that.
Most of these connected devices are in no way securely configured, especially when plugged in straight out of the box, and often send a surprising amount of data to the manufacturers.
Food and drugs are much more regulated than the medical device market, and what regulation there is has been, has proven to be marginally effective at incentivizing device makers to improve security.
One of the most blatant examples of this was recently brought back into the media’s focus after the Department of Homeland Security issued a warning about some of Medtronic’s defibrillators. Medtronic was informed of a critical vulnerability in the wireless communication of 17 its implants and has made no plans to fix the problem.
To compromise the defibrillators, it would require the attacker to be within a limited physical range of the target and have knowledge of the device and how it works. However, if an attacker is within 20 feet of the person wearing the device, they could kill the person. Medtronic’s response was that they are now monitoring the network for signs of exploit attempts, and they recommended anyone with an affected implant be careful. This is rather alarming, considering the life-threatening nature of the flaw.
All of that paints a pretty bleak picture of the current medical device security landscape and, sadly, that is truthfully where we are today. All too often, people assume the device is secure, which should not be an unreasonable expectation of a device that costs a minimum of $10,000. So, it is completely up to the consumer of the connected medical equipment and their providers to ensure the devices are not adversely impacting patient care or the technical security of the provider organization.
Now that the healthcare industry is finally beginning to understand the risks of this lack of security, healthcare providers must also understand the impact on patient care and the risk to clinical operations and data loss. Unfortunately, most medical device manufacturers have been slow to understand the security gaps and impacts and are barely addressing known issues and the risks.
As of now, in the event of an incident, it is unlikely that device makers would have to pay for breach notifications or manage incident response and remediation in the provider setting. The device makers could be held liable if a catastrophic event were to happen—particularly one that they were aware of as a potential risk.
Fortunately, no one has been intentionally or unintentionally injured or killed via implanted devices. So far, there have not been many attackers stealing data from these devices or imposing ransoms regarding their operation. But if these issues aren’t addressed soon, it is a matter of time before an attacker targets a person or a device maker and a bad situation unfolds.
The first thing that every organization needs to do is decide to take responsibility based on how they interactive with patients. There also has to be an understanding of the urgency of this need from the top down.
Healthcare IT executives need to talk about the impact on patient safety, clinical operations and trust with key decision makers. The financial impact of an attack needs to be a discussed with executives and boards; discussions regarding patient safety implications should include physicians, care teams and clinical engineering staff.
Finally, discuss the danger to the security of data and patient records with the information technology and security teams.
There is a long laundry list of items that organizations need to undertake in order to begin to secure and manage connected devices of all types, but here is a good place to start. It is important to keep in mind that progress will not be made without the involvement of the entire enterprise in these initiatives, which requires tailoring the conversation to the specific audience (for example, C-suite, providers or support staff). Doing so will make these efforts go a lot further and have a lasting impact on the security and integrity of an organization.