In 2014, the FBI warned that healthcare systems, including medical devices, were at an increased risk of cyber-attacks due to the unfortunate coupling of poor cybersecurity practices in the healthcare industry with patient health information (PHI) that commands high value on the dark web.
This warning has largely been realized. The cost and frequency of data breaches in healthcare have risen over the past six years. This state of affairs should come as no surprise to medical device manufacturers and healthcare delivery organizations (HDOs).
According to a study by the Ponemon Institute, 67% of medical device manufacturers and 56% of HDOs believe that their medical devices are at risk for an attack. Despite recognizing the risk, only 17% of device manufacturers and 15% of HDOs have taken significant steps to prevent an attack. Remarkably, only 41% of device manufacturers and 22% of HDOs have an incident response plan in place in the event of an attack.
Recently, the UK’s National Health Service (NHS) system was crippled by the large-scale WannaCry ransomware attack. The WannaCry attack, which exploited vulnerabilities in unpatched Windows systems, also impacted Siemens and Bayer medical devices. Alarmingly, incidents of compromised patient care stemming from exploited medical devices are not unusual.
In the Ponemon Institute study, 39% of device manufacturers confirmed that attackers have taken control of medical devices, and 38% of HDO respondents admit that they are aware of incidents where patients received inappropriate therapy or treatment due to insecure medical devices.
Medical devices are vulnerable because they often include legacy operating systems like Windows 2000 and Windows XP, and healthcare IT teams are not equipped to address these vulnerabilities. Medical devices are treated by the IT team as ‘black boxes,’ which require cooperation from the device manufacturer for access.
Despite the risks to patient safety posed by vulnerable medical devices on hospital networks, device manufacturers and HDOs are reluctant to make proactive investments to secure medical devices, reporting that budget increases to improve the security of medical devices would only occur in the event of a serious hacking incident (61% of device manufacturers and 59% of HDOs) or regulation (40% of device manufacturers and 54% of HDOs).
The FDA has provided medical device cybersecurity guidance for pre-market submissions and post-market management for medical device security. The pre-market submission guidance urges medical device manufacturers to acknowledge cybersecurity throughout the design and development of the device and “establish a cybersecurity vulnerability and management approach as part of the software validation and risk analysis that is required by 21 CFR 820.30g.” The FDA further advises medical device manufacturers to monitor and remediate cybersecurity vulnerabilities in the post-market management of medical devices.
For example, updates and patches to address cybersecurity vulnerabilities are considered “to be a type of device enhancement for which the FDA does not require advance notification or reporting under 21 CFR Part 806.” Growing momentum and focus by regulatory agencies and stakeholders to improve medical device security has fueled expectations that the FDA will release regulations on medical device safety.
Given the risks to patient safety that stems from vulnerable medical devices, medical device manufacturers and HDOs must work together to mitigate cybersecurity risks. Here are some steps medical device manufacturers and healthcare delivery organizations can take to ensure the patient safety is not compromised by vulnerable medical devices.
Leverage VM and SCM Solutions
It is not possible to protect medical devices without visibility into what devices are on the network. Furthermore, because hackers can leverage vulnerabilities in legacy systems and other areas of your network, it is important that HDOs use vulnerability management (VM) tools and secure configuration management (SCM) tools to proactively ensure that critical assets are secure.
Enterprise-class VM tools discover and scan devices on the network for vulnerabilities, providing risk scores to help prioritize remediation efforts. Secure configuration management tools will provide alerts for misconfigured assets that could make critical assets vulnerable to exploits in a cyberattack. It is essential, as the FDA guidance states, for medical device manufacturers to take steps to mitigate cyber security vulnerabilities throughout the product lifecycle.
It is much more effective and rigorous for medical device manufacturers to assess their devices for vulnerabilities as these products are developed. This could be achieved by partnering with cybersecurity companies to test and validate that the software has no vulnerabilities. For example, Tripwire’s Vulnerability and Exposure Research Team (VERT) can help device manufacturers asses vulnerabilities in their devices.
Patch Medical Devices
Medical devices should be patched regularly to ensure that the devices are protected from known vulnerabilities. The onus is medical device manufacturers to evaluate their medical devices for cybersecurity vulnerabilities during the device development lifecycle; as part of the post-market management process, support against vulnerabilities, including ongoing patches, should be provided.
Healthcare delivery organizations must also be vigilant about applying patches as soon as they are available to ensure that their medical devices have the most up-to-date protection against exploits. Healthcare delivery organizations should also require medical device manufacturers to have a clause or plan in place for patching vulnerable devices or remediation in the event of an attack, reflected in the procurement agreement.
The FDA has stated that medical device manufacturers do not need approval from the FDA to make changes that ameliorate the vulnerabilities of medical devices. Thus, medical device manufacturers need to make provisions to HDOs for how medical devices will be patched to fix vulnerabilities.
However, HDOs operating on thin budgets often do not retire use of medical devices and as such have medical devices with legacy operating systems. Medical devices continue to be used even when these devices are no longer supported by the device manufacturers or when the embedded software is no longer supported by the software developer.
The result is that there are network-enabled medical devices on hospital networks rife with vulnerabilities. To remedy this situation, HDOs should implement network segmentation to isolate vulnerable legacy medical devices, which will help stymie the deleterious effects of a cyberattack.
In summary, the growing use of network-enabled medical devices by health delivery organizations contributes to a growing attack surface in the healthcare industry. Given the ramifications for patient health and safety, it is important the medical device manufacturers and HDOs proactively invest in mitigating the risks posed by vulnerable medical devices.
To learn more about how Tripwire provides advanced cybersecurity and compliance for healthcare organizations, click here.