Medical device security: Still improving, but slowly
It’s become an annual thing. Every year there are stories or reports reminding us of the almost magical benefits provided by connected medical devices. Defibrillators, pacemakers, insulin pumps, and more, that can be attached or embedded into our bodies, and monitored remotely, to let us live relatively normal lives instead of being tethered to tubes and wires.
And every year there are stories or reports reminding us that those benefits come with risks — that both the security and privacy protections of those devices can be precarious.
Both of which prompt another reminder: Most experts agree that the benefits of these devices far outweigh the risks.
That view comes even from some experts whose lives depend on these devices. Jay Radcliffe, a Type 1 diabetic and director of product security testing and research at Thermo Fisher, famously testified to it at a Black Hat conference in Las Vegas.
While vulnerabilities in devices do make malicious hacks and catastrophic damage to users possible, he said for the average person like himself it would be much more likely for “an attacker to sneak up behind me and deliver a fatal blow to my head with a baseball bat.”
Radcliffe said much the same to CNBC after he hacked into his own Johnson & Johnson insulin infusion pump.
It’s also worth remembering that very few things in life are risk-free, from driving a car to playing a sport to hiking a mountain.
Manage the risks
It’s just that in those and other activities, society has created safeguards that make the risks manageable. But when it comes to better managing the risks from medical devices connected to the internet, the long journey continues.
Among this year’s documentation of that are the findings of “The state of IoT device security 2022,” a report by healthcare security firm Cynerio. The statistical highlights of the report include:
- Healthcare is now the top target for cybercriminals, with more than twice the number of attacks than other industries. That’s in part because Covid-19 has stressed the industry to the point that there is less time and money to focus on security. It’s also because healthcare is a treasure trove of personal information that’s useful for identity fraud. And healthcare institutions are attractive targets for ransomware attacks because they — and their patients — can’t afford for their operations to be shut down for any length of time.
- More than half of internet-connected medical devices analyzed had a known vulnerability.
- There were more than 500 healthcare breaches in 2021.
- Ransomware attacks increased 123% from 2020 to 2021.
- Ransomware cost hospitals $21 billion last year.
- The average hospital attacked by ransomware lost $8 million per incident and took 287 days to fully recover.
- The intravenous (IV) pump “makes up 38% of a hospital’s typical healthcare [Internet of Things] footprint, and 73% of those IV pumps have a vulnerability that would jeopardize patient safety, data confidentiality, or service availability if it were exploited by an adversary.”
- While unusual attack methods generate headlines, it’s “old standbys” like default passwords and settings that hackers can often obtain easily from manuals posted online that enable most successful attacks.
All of which makes it sound like things aren’t getting better. And in some ways, they aren’t. Shawn Merdinger, a security researcher and consultant, wrote just a few weeks ago on Medium that three years after a flood of headlines about millions of patient x-ray and CT scan images being stored on easily compromised servers — which led to pointed questions about the problem from the U.S. Health and Human Services Department and U.S. Senator Mark Warner (D-VA) — it’s still happening.
According to Merdinger, “anyone with a minimal amount of technical skill could access your medical images (and) modify and manipulate them, thereby deliberately misleading your doctor.”
He wrote that he had found 36 picture archiving and communication systems, known as PACS, that expose more than 2.9 million patient images.
But that doesn’t mean nothing has improved. Merdinger, along with other experts, also said there has been progress. “I’d say [security] awareness has gained traction,” he said in an interview. “The FDA has taken a leadership position and the guidance is solid.”
That leadership goes back at least four years, to July 2018 when the FDA announced its adoption of ANSI (American National Standards Institute) UL 2900-2-1 as a “consensus standard” for device manufacturers and patients.
The standard changed the “premarket certification” process of devices and called for, among other things, “structured penetration testing, evaluation of product source code, and analysis of a software Bill of Materials.”
Those are the kinds of software testing and analysis that security experts have been recommending for more than a decade.
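To make the “analysis of a software Bill of Materials” step concrete, here is an added example (not code from the article, the FDA, or any vendor it names) that cross-checks a constructed CycloneDX-style SBOM for a hypothetical device firmware image against a constructed advisory list with affected version ranges. The component names, versions, and advisory identifiers are all invented placeholders; a real deployment would feed in the vendor’s SBOM and a real advisory source.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical infusion-pump firmware image.
# Component names and versions are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "busybox", "version": "1.30.1", "type": "application"},
        {"name": "openssl", "version": "1.0.2u", "type": "library"},
        {"name": "pump-control", "version": "4.2.0", "type": "firmware"},
        {"name": "lwip", "version": "2.1.3", "type": "library"},
    ],
})

# Constructed advisory feed: a component is affected if introduced <= version < fixed.
# The "id" values are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl", "introduced": "1.0.0", "fixed": "1.1.1"},
    {"id": "ADV-PLACEHOLDER-2", "component": "busybox", "introduced": "1.0.0", "fixed": "1.31.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "lwip", "introduced": "2.0.0", "fixed": "2.1.0"},
]


def parse_version(text):
    """Turn a dotted version like '1.0.2u' into a comparable tuple.

    Each field becomes (numeric_part, letter_suffix) so that plain tuple
    comparison orders 1.0.2 < 1.0.2u < 1.1.1 the way package maintainers do.
    """
    parts = []
    for field in text.split("."):
        digits, suffix = "", ""
        for i, ch in enumerate(field):
            if ch.isdigit():
                digits += ch
            else:
                suffix = field[i:]
                break
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_vulnerable_components(sbom_json, advisories):
    """Return (component, version, advisory_id) for every SBOM entry whose
    version falls inside an advisory's affected range, in SBOM order."""
    sbom = json.loads(sbom_json)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["component"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv["introduced"], adv["fixed"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Run against the constructed inputs, the script flags busybox and openssl and clears lwip, whose version is past the advisory’s fixed release. The point for a device program is the loop, not the sample data: once a vendor ships an SBOM, this check can run on every inventory refresh rather than waiting for a researcher to find the same outdated library in the field.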
Merdinger added that some vendors are doing better about self-reporting vulnerabilities they have discovered internally. He cited Becton, Dickinson and Company (BD) notifying the federal Cybersecurity and Infrastructure Security Agency about vulnerabilities in its Pyxis automated medication system, and in its Synapsys microbiology informatics software platform.
“This voluntary reporting is a marked change from the past and shows a maturity in the process some vendors like BD are building,” he said.
Still, the journey to better medical device security is likely to be slow, given that improvements are more difficult than in most other industries, including other kinds of critical infrastructure like energy, food, water, transportation, and other utilities. The reasons are well established.
- Most medical devices still in use weren’t intended to be connected to the internet when they were designed. So the security of the software that runs those devices wasn’t even a thought, never mind an afterthought.
- Devices were built to function safely for a long time — in some cases more than a decade. So it can take that much time, or longer, to get a new generation of devices with better security to the market.
- They can be difficult to patch, especially if they are supposed to be running 24/7. Most lack built-in tools to upgrade the software even when vulnerabilities are made public and patches are available.
- Tight security protocols are viewed as cumbersome by medical professionals deploying devices. Vendors have responded to that by making ease of use, not security, the priority.
Jonathan Knudsen, head of global research within the Synopsys Cybersecurity Research Center (CyRC), said while it’s no surprise that numerous devices need updates and patches, the technology is now available to solve that problem — it just takes commitment and investment. “Maintenance and consistent patching cannot happen until security is woven into the fabric of how healthcare providers manage their software assets,” he said.
No more second-fiddle security
“Providers need to stop making software security play second fiddle to the primary mission of delivering healthcare — in fact, delivering healthcare and software security are inseparably intertwined. Reliable, consistent, safe healthcare can only happen when software systems — including embedded devices — are built, delivered, configured, and maintained in a proactive, security-forward environment,” he said.
Merdinger said that, as the Cynerio report notes, better security comes down to doing the basics. He said it’s encouraging to see that awareness.
“Recognition of the true risks is starting to emerge — that is, it’s not some spooky hacker trying to kill a patient with an esoteric attack on an infusion pump, but rather the denial of medical care to wider patient groups as a whole due to ransomware attacks,” he said.