Medical Device Security: Steady Progress, But Still a Bumpy Road
Medical devices are among the greatest healthcare achievements of modern times. For millions of people, they improve both the quality and length of life.
But when they are connected to the internet, as millions are, malicious hackers could turn those healing tools into lethal weapons or leverage for ransom or blackmail.
One of the most prominent examples of that risk is former U.S. Vice President Dick Cheney, who famously had the wireless capabilities in his pacemaker disabled due to the threat of possible assassination attempts. He told a national audience about it on CBS’s “60 Minutes,” in 2013.
But even today, while threats like that are considered rare, they still exist. That’s because most devices in use, while built to work properly for years — even decades — weren’t designed to be connected. They weren’t built with cybersecurity in mind.
That’s why the focus of week 3 of National Cybersecurity Awareness Month (NCSAM) is: Securing internet-connected devices in healthcare.
NCSAM, an initiative of the federal Cybersecurity & Infrastructure Security Agency (CISA) within the Department of Homeland Security, is now in its 17th year. Its overall theme is “Do your part. #BeCyberSmart.”
There is some good news about the ongoing insecurity of connected medical devices. First, awareness of the problem is widespread and has been for some time. The June 2017 “Report on Improving Cybersecurity in the Health Care Industry” by a congressional task force declared that, “healthcare cybersecurity is in critical condition.”
For years, demonstrations of how medical devices could be hacked have been a staple at security conferences. At the 2018 Black Hat conference in Las Vegas, researchers Billy Rios and Jonathan Butts, in a session titled “Exploiting Implanted Medical Devices,” demonstrated that some devices they tested, including infusion pumps, pacemakers and patient monitoring systems, had vulnerabilities that were relatively easy to exploit remotely, which means an attacker could get control of those devices from anywhere on the planet.
Entry point for hackers
And even if a specific patient is not the target, insecure medical devices can be an entry point for attackers to compromise an entire network, which could affect the health, and lives, of those in a hospital if its network is shut down due to an attack.
This past spring, Interpol issued an alert to hospitals and other healthcare organizations overwhelmed by the coronavirus pandemic. It warned that “cybercriminals are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.”
That, the agency said, “could directly lead to deaths.”
And as MedTechDive noted at the time, “medical devices are easy targets for hackers who use them as entry points into hospital networks.”
Beyond awareness, the other good news is that there are substantive initiatives to address the medical device security problem. The federal Food and Drug Administration (FDA) published a “Medical Device Safety Action Plan” in April 2018 — which experts with the Synopsys Software Integrity Group helped to craft.
Among its key stated goals were to “update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack).”
Three months later, in July 2018, the FDA announced its adoption of ANSI (American National Standards Institute) UL 2900–2–1 as a “consensus standard” for premarket security guidance for device manufacturers and for patients.
UL (formerly Underwriters Laboratories) is an independent third-party assessment firm that has certified consumer product safety, or lack of it, for more than a century.
UL 2900–2–1 calls for, among other things:
- Structured penetration testing
- Evaluation of product source code
- Analysis of software bill of materials
- Known vulnerability testing
- Malware testing
- Malformed input testing
- Software weakness analysis
- Static binary and bytecode analysis
The progress has been noticeable, said Larry Trowell, principal consultant at Synopsys. “Five years ago, security in these devices was more or less an afterthought if it was considered at all. Today security experts are being called in during the design phase of products to look for potential risk areas before the products are off the drawing board.”
“I know a lot of medical companies are doing a lot more security in the planning stages and a lot more of the right questions are being asked in the design phase instead of the signoff to release stage,” he said.
And this month, in connection with NCSAM, the FDA put some reminders about all this on its website, noting that both its premarket and postmarket guidance “offer recommendations for comprehensive management of medical device cybersecurity risks, continuous improvement throughout the total product life cycle, and incentivize changing marketed and distributed medical devices to reduce risk.”
The bad news
It’s not all good news, however. Awareness and initiatives, while helpful, are unlikely to improve the security of connected medical devices anytime soon. As noted earlier, it can take years to decades to get a new generation of devices in place. And given the longevity of those devices, there is also the need to build in the capability to patch and update them to maintain their security over those years in the face of evolving threats.
So far, it remains difficult to impossible to patch or update software vulnerabilities in many devices.
“It’s not just the lead-up time that’s a concern — there is also the need to build in a secure method to update the devices during the design phase,” Trowell said. “This will also add to the time for proper development.”
That should be easier today. The FDA guidance, now in place for a couple of years, addresses what had been a complaint of manufacturers — some critics called it an excuse — that if they update a device, they would have to go through a certification process again.
But the guidance makes it clear that routine patches and updates don’t need to be reported or reviewed by the FDA.
A page on the current FDA website that addresses “myths” about the cybersecurity of medical devices, specifies that “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.”
No excuses, in other words.
Benefits outweigh risks
And both medical and cybersecurity experts say ongoing vulnerabilities are not reason enough to stop using the devices.
One of the slides Rios and Butts used in their presentation read, “The benefits of implanted medical devices outweigh the risks (for most people).”
And Trowell noted that most of the devices he has seen in use, “at least the implanted ones, have a very short communication range — some as little as inches.”
Ironically, that means the ongoing pandemic makes them even more difficult to compromise. “Social distancing helps out in that situation,” he said. “As far as the external devices, it depends on who has access to the machines and how that is established. I believe in most cases the risk should be less, as physical access is less than normal.”
Still, the journey to truly rigorous security for connected medical devices is likely to remain both slow and bumpy.
“Suggesting a course of action is easy — implementation is hard,” Trowell said. “Security requires not just that items released are secure now, but that they remain secure. Figuring out how to do that is challenging, especially when that structure must be built into multiple companies with different build platforms and workflows.”
“There is no one-size-fits-all solution that can be applied across the board,” he said, “so the scaffolding for such a solution is having to be built now. I believe progress will be made, but it’s not a quick and easy fix.”