[glossary_exclude]Cybersecurity attacks on medical devices can disrupt or deliver inaccurate patient care, as well as negatively impact business operations, resulting in staggering financial impacts due to lost revenue, fines, and penalties. Bruce Schneider, security expert, defines the term “Wicked Problem” in his bestseller, Click Here to Kill Everybody. It’s not evil, just difficult or nearly impossible to solve because defining the problem and requirements are hard enough, let alone creating an effective and sustainable solution. Many healthcare organizations are employing new solutions and resources for additional support.
In May of 2017, the WannaCry ransomware attack indiscriminately encrypted 230,000 systems, demanded payment, looked for the next exploitable network device, and then replicated. It infected up to 70,000 devices at the National Health Service (NHS) in England and Scotland including blood-storage refrigerators, MRI scanners, and computers. In 2018, SamSam, yet another form of ransomware was responsible for over 25% of healthcare compromises. This Trojan horse ransomware encrypted the Hancock Health and Cass Regional Electronic Medical Record systems, took down the city of Atlanta, and in 50 minutes infected LabCorp’s 7,000 applications and 1900 servers.
Robert Herjavec forecasts 2019 will experience a five-fold increase in attacks on healthcare organizations through the Internet of Things (IoT), ransomware, and Insider Threats. The ECRI Institute forecasts “Remote Access” as 2019’s #1 technology and patient safety threat affecting healthcare institutions. Whether the medical devices are a random victim of malware or a hacker’s focused target, they are the perfect vector to leverage remote-access attacks, exploit IoT vulnerabilities, and monetize ransomware or, worse, impact critical patient safety within healthcare.
Like laptops, IoT devices are endpoints connected to a network, often wirelessly. Medical devices are a special category of IoT, with an astounding average of 15 per hospital bed. Connected medical devices, designed for remote access (support), do not permit anti-malware on the device and therefore can be easily hacked and manipulated, often more easily than a computer. Connected medical devices simply have more vulnerabilities and fewer security controls.
Hackers hunt to find IoT devices. Shodan, commonly used by hackers, is a searchable database of internet-connected devices. Every compromised IoT device can be a point of entry into the hospital network, allowing cybercriminals to monetize Protected Health Information (PHI) or Personally Identifiable Information (PII). Even worse, IoT-actuating sensors have the ability to reach out from a digital world and make changes to our physical world. Examples include altering the dosage of an infusion pump, modifying the frequency and severity of the shocks from implantable pacemakers, and impacting the accuracy of an MRI.
The Ponemon Institute surveyed 300 health systems in a 2018 study titled Medical Device Security: An Industry Under Attack and Unprepared to Defend. A staggering 44% of Healthcare Delivery Organizations (HDO) are aware that patients experienced an adverse event or harm due to an unsecured medical device, while 40% had malicious software installed on the device and 38% admitted to inappropriate treatment as a result. The study found 80% of HDO’s reported medical devices are extremely difficult to secure, but despite these figures, only 15% of HDOs are taking significant steps to prevent attacks on medical devices.
Healthcare cybersecurity leads all other industries, but in the bad way. The healthcare industry, per patient record, commands the highest resale (#1 target), the highest organizational breach cost, the worst overall malware detection and containment timeframes, and ranks first in lost clients due to a breach, but yet invests the least in cybersecurity as a percentage of IT budget.
Health and Human Services (HHS) suggests using the NIST Cybersecurity Framework (CSF), a risk management tool, in conjunction with the HIPAA Crosswalk, to improve abysmal HIPAA Privacy and Security compliance.
Before medical devices can be marketed to HDOs, the Food and Drug Administration (FDA) is required to approve submissions. In 2018, the FDA provided significant leadership through cybersecurity risk management requirements for manufacturer’s connected medical device approval submissions. However, the Inspector General’s September 2018 Report states the FDA needs to take additional steps to more fully integrate cybersecurity into its connected medical device review process.
To date, solutions have focused on manufacturers designing cybersecurity into the device, a Software Bill of Materials (SBoM) providing device content and coordinated industry-wide sharing of known vulnerabilities. These efforts do not address the expected long lifecycle of existing medical devices and the threats they currently pose to patient safety.
In 2017, Congress mandated the Healthcare Industry Cybersecurity (HCIC) Task Force to conduct a healthcare industry Cybersecurity Risk Assessment. The report findings concluded the healthcare industry is in critical condition. The Task Force defined six Imperatives that need to be addressed immediately, two of which were Information Governance and Medical Device Security.
HCIC’s Information Governance Imperative specifies identifying, valuing, and managing assets and risks, which include medical devices and their PHI. These should be achieved through establishing controls, processes and procedures, creating incident response plans, and sharing information. Health and Human Services (HHS) suggests using the NIST Cybersecurity Framework (CSF), a risk management tool, in conjunction with the HIPAA Crosswalk, to improve abysmal HIPAA Privacy and Security compliance. Organizations like the Health Information Sharing Analysis Center (H-ISAC) are challenged to manage known vulnerabilities through a complex ecosystem of coordinated disclosure, discovery, patching, distribution, and deployment.
The Medical Device Security Imperative specifically calls out HDOs, manufacturers, and service organizations to address several vulnerabilities. Action items focus on securing legacy systems, upgrading and patching processes, strengthening authentication, implementing superior network segmentation strategies, and mandating an SBoM detailing components within a device.
HDOs attempting to pinpoint legacy systems and security weaknesses must first establish an accurate and detailed inventory. Most inventories are conducted manually, are time consuming, and are highly inaccurate.
Standard network security tools cannot properly assess medical devices nor provide details like classification, model, Operating System, IP/MAC fields, configuration, serial numbers, known vulnerabilities, how it sits on the network, and whether it stores PHI.
Per the HIPAA Security Rule covered entities (CE) and business associates (BA) are required to make reasonable efforts in securing the PHI that is created, used, disclosed, transmitted, or stored. Most HDOs are at financial risk of HIPAA fines because they cannot produce an accurate device list, much less the device location, its risk level, what PHI is on each device, and which devices are missing.
HHS convened over 150 cyber and healthcare experts from the government and the industry to deliver creative and practical voluntary best practices to address medical device cybersecurity. In December 2018, this Healthcare and Public Health Sector Critical Infrastructure Security Resilience Public-Private Partnership released the four-volume publication providing guidance for the HCIC Report Imperatives. Medical device security remains a “Top 5 Threat” according to this HHS lead publication.
HDOs have recently turned to sophisticated security software architects in hopes of tackling this “Wicked Problem.” These advanced solutions offer several benefits. The first benefit is an automated detailed device inventory, in which devices are discovered and grouped based on information gathered from network behavior and device communication traffic patterns allowing for increased security intelligence. These solutions are generally hyper-focused on medical devices and layered within a broader existing security framework, leveraging existing perimeter security investments and reducing costs. This medical device security software can provide an additional level of visibility and control, but integration with the existing IT systems internal and external networks can result in unique and challenging configurations.
Another benefit supports the HCIC report’s #1 action item for medical device security, implementing operationally personalized network segmentation. But manually provisioning a network security policy for each device protracts implementation and increases costs to a point of project failure. Intuitively, these tools leverage inventory, behavior, and risk profile information in order to automate security design and policy enforcement, which significantly reduce the time and expense associated with micro-segmentation.
The real sophistication occurs when all of these manically complex features are combined. The system discovers the entire inventory of medical devices, leverages the device details, integrates known and active vulnerabilities, detects network intrusion activity, and determines anomalous device behavior, simultaneously. All of this previously unavailable and unrelated information is correlated by the most advanced solutions in real time, prioritizing device risk and escalating alerts.
Where to begin a device security plan:
Create a Medical Device and IoT Security Plan
Form a multi-stakeholder team by establishing roles
Review policies and procedures to include
Supply Chain Risk Management
Maintain good cyber hygiene and monitoring
Conduct an asset inventory (using new automated tools)
Prioritize devices based on the business mission
Access devices, remediate risks, and harden
Correlate the device risk assessment findings
with a HIPAA risk assessment
Establish effective Governance
Prepare a detailed response plan to contain and eradicate
Design recovery strategies that leverage forensics
and insure resiliency
Patient safety, financial loss, and new laws holding executives personally responsible are increasing cybersecurity investment at the board level. The Office of Civil Rights (OCR) continues its stringent enforcement of HIPAA violations, looking back six years when any violation is reported. Increased penalties are the trend, where courts will award damages for potential future harm resulting from yesterday’s breach of PHI. Lost future business, legal costs, and downtime are also financially devastating. These losses, due to confidentiality failures, will pale in comparison to the additional penalties resulting from cyberattacks impacting device availability or integrity that result in adverse patient outcomes.
These risks will not magically disappear. The extent they are reduced will be a result of deliberate integrated multi-stakeholder participation. Therefore, progressive HDOs are increasing collaboration, implementing a device security plan, exploring leading-edge solutions, and leveraging additional resources in an effort to solve a “Wicked Problem.”
Ty Greenhalgh is a managing member of Cyber Tygr. He has 30 years of healthcare technology and information management experience. Ty is a contributing member of the health and public health coordinating counsel and NCHICA Biomedical Taskforce. He can be reached at [email protected].