Medical Device Security: Making Progress, But Slowly
Another year, another flurry of reports on the precarious security of connected medical devices.
Which should prompt another reminder that while those security risks are real, should be taken seriously, and need to be addressed more aggressively, there is general agreement among experts that the benefits of those devices still outweigh the risks, by a lot. Indeed, there are potentially deadly risks in many areas of life — driving a car, flying in a plane, climbing a mountain and more.
But as we all know there are numerous things that have been done to make those activities much safer. And when it comes to the security of medical devices, there is still plenty that could and should be better, as documented in two of the more recent reports.
Neither the one from Forescout Research Labs nor another from security firm Ordr report any major new trends from those of the past decade, other than noting the reality that an ongoing pandemic means the focus of time and money in the healthcare industry is on that crisis, taking device security off the priority list.
Still, that “more-of-the-same” message alone makes those reports unsettling, since the general conclusion of report after report is that the security of connected healthcare devices is in “critical condition.”
Obviously that could put the users of those devices in critical condition as well — or worse. As has been noted all along, medical technology has produced lifesaving and life-sustaining tools, but the fact that they are online means there is a risk that they could be turned into lethal weapons by hackers.
The reasons for that are well established:
- Most medical devices currently in use weren’t intended to be connected to the internet when they were designed. So the security of the software that runs those devices wasn’t even a thought, never mind an afterthought.
- Devices were built to function safely for a long time — in some cases more than a decade, which is multiple generations in the world of information technology (IT). That means getting a new generation of devices with better security into the market takes an equally long time.
- They can be difficult to patch, especially if they are supposed to be running 24/7. Most lack built-in tools to upgrade the software even when vulnerabilities are made public and patches are available. It’s not like your smartphone vendor sending out incremental security updates to its operating system every couple of months.
- Tight security protocols are viewed as cumbersome by the medical professionals deploying devices. And vendors have responded to that — putting a priority on making devices easy to use, not on security.
“Doctors and nurses have enough on their minds — they see themselves, rightfully, as having a difficult job already and don’t want to add to it,” said Larry Trowell, associate principal consultant with the Synopsys Software Integrity Group.
So it’s no big surprise that the Forescout report, titled “Connected Medical Device Security: A Deep Dive into Healthcare Networks,” based on an analysis of more than 3 million devices, “found major issues with legacy systems and insufficient segmentation.”
Among its specific findings:
- Of network segments containing at least one healthcare device, 60% also have nonhealthcare IoT devices. Also, “90% of healthcare segments have a mix of healthcare devices and IT devices. These devices might contain vulnerable software or targeted malware [that] can make other devices on the same segment susceptible to infection as well,” the report said.
- Healthcare equipment — specifically patient monitors and CT scanners — had “default credentials alongside other IT and IoT (Internet of Things) equipment. In these scenarios, the healthcare devices act as the weak links in the network.”
Ordr, in its “Rise of the Machines: 2020 Enterprise of Things Adoption and Risk Report,” which analyzed more than 5 million “unmanaged” IoT and Internet of Medical Things (IoMT) devices, found that “86% of healthcare deployments have more than 10 FDA (Food and Drug Administration) recalls against their medical IoT devices.”
Along with those findings have come multiple warnings from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about vulnerable drug pumps and from the FDA, urging medical device-makers and hospitals to patch their hardware against vulnerabilities, ranging from SweynTooth, URGENT/11, Ripple20 and SigRed.
IBM’s X-Force Red Labs hacking team also reported on how modules from the French aerospace company Thales could be exploited to cause an insulin pump to overdose a patient.
This, more than two years after Josh Corman, then CSO at PTC and a founder of I Am the Cavalry (now senior adviser and visiting researcher at CISA), demonstrated at the2018 RSA conference, with the help of a couple of physician hackers, how an infusion pump could be compromised and put a patient at risk.
So, should all this make those who depend on medical devices uneasy? Even a bit paranoid?
Keep it in context
Well, as experts have been saying for a long time, the risks need to be taken in context.
Jay Radcliffe, a medical device security expert and Type 1 diabetic, famously declared more than six years ago at the Black Hat conference in Las Vegas that the benefits of connected medical devices vastly outweigh the risks.
He agreed that malicious hacks are possible and could cause catastrophic damage to users, but said for the average person like himself it would be much more likely for “an attacker to sneak up behind me and deliver a fatal blow to my head with a baseball bat.”
Radcliffe said much the same two years later to CNBC after he hacked into his own Johnson & Johnson insulin infusion pump — that the risk of an attacker being able to pull off that kind of attack was “extremely low.” And he obviously has a personal as well as professional interest.
Indeed, in many cases an attacker would have to have physical access to a device or be mere inches away from an intended target.
Also, security is improving, even if progress is slower and more incremental than anyone would wish.
Michael Fabian, principal consultant with the Synopsys Software Integrity Group, acknowledged that “some attacked devices were engineered prior to security scrutiny by both regulators and sourcing processes. But there have been improvements to this process since the early 2010s. It just takes time,” he said.
“All embedded or integrated systems require a balanced approach in evaluating security objectives with operational and clinical factors. Some of those tradeoffs may not be ideal when looking at the system from the singular view of cybersecurity without that full picture.”
Trowell agrees. He said the security of connected devices “has been taken a lot more seriously in the last 2 years than it has in the previous 20. Security experts are being brought in to do risk analysis during the design phases, consultants aid in intermediate stages with software/hardware reviews, third-party software is traced for known issues and the finalized devices are being pen tested to see if anything was missed in the process.”
Pushing the boulder
But he also said it’s going to be a long and bumpy road before rigorous security is mainstream. “It’s going to be a process similar to Sisyphus pushing the boulder uphill for a while,” he said.
Pushing the boulder is definitely under way, however. The FDA published a “Medical Device Safety Action Plan” in April 2018 — a plan that Synopsys participated in crafting.
Among its key stated goals was to “update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack).”
Three months later, in July 2018, the FDA announced its adoption of ANSI (American National Standards Institute) UL 2900–2–1as a “consensus standard” for device manufacturers and for patients.
UL 2900–2–1, which changed the “premarket certification” process of devices, calls for, among other things, “structured penetration testing, evaluation of product source code, and analysis of software Bill of Materials.”
Those are the kinds of software testing and analysis that security experts have been recommending for more than a decade, and include static, dynamic and interactive analysis plus software composition analysis for open source software components and dependencies.
And Fabian noted that the FDA has become more aggressive in holding vendors to a risk-based evaluation with premarket submissions, which require the manufacturer to demonstrate that a device is safe and effective in both a clinical application and cybersecurity.
“The FDA provides guidance and enhanced requirements during premarket submissions,” he said. “It’s becoming a mandatory practice — the FDA has kicked back submissions if vendors don’t demonstrate a level of rigor in evaluating cybersecurity.”
Also, last fall the FDA approved a rubric created by the MITRE Corporation designed to rank the severity of vulnerabilities found in medical devices. The approval qualifies the rubric as a Medical Device Development Tool (MDDT). It was developed because a single scoring system for vulnerabilities that could affect things ranging from smart watches to medical devices to critical infrastructure to vehicles can be worse than just misleading or confusing — it could be dangerous.
Finally, while there have been some patient deaths attributed to ransomware attacks, the FDA confirmed last week that there are no documented reports — yet — of targeted attacks on a medical device that caused physical harm to a patient.
But that should be tempered by a reality that just because something hasn’t been confirmed doesn’t necessarily mean it hasn’t happened.
Stephanie Domas, then lead medical security engineer at Battelle DeviceSecure Services and now executive vice president of research at MedSec, said several years ago that a lot remains unknown about whether device malfunctions are caused by malicious cyber incidents or not. “I don’t know of a manufacturer that does root-cause forensics when a medical device misbehaves,” she said. “Nobody is looking to see how it happened.”
