By Taylor Armerding
The journey to better security for connected medical devices continues to be a bumpy one. Yes, there is progress, experts agree. But it is incremental and still not keeping pace with the threats. It’s not so much one step forward and two steps back. It’s more that for every step forward the healthcare industry takes, the number and sophistication of the threats grows by two steps, or more.
There is little debate about the value of connected devices in improving health and prolonging lives — especially when everything from wearables to “implantables,” infusion pumps, and smart insulin pens can be operated remotely for those who live in areas far from hospitals or for elders who have difficulty traveling.
But as has been said many times and is still being demonstrated at numerous security conferences, cyber vulnerabilities in those devices or in the systems and networks that support them could allow malicious hackers to turn healing tools into lethal weapons, or to use them as leverage for ransom or blackmail.
Healthcare cyber security in ‘critical condition’
This is no secret. Awareness of the problem is widespread and has been for some time. The June 2017 Report on Improving Cybersecurity in the Healthcare Industry by a congressional task force declared that “healthcare cybersecurity is in critical condition.”
And there are substantive initiatives to address it. The federal Food and Drug Administration (FDA) published a Medical Device Safety Action Plan in April 2018 — a plan that Synopsys participated in crafting.
Among its key stated goals were to “update the premarket guidance on medical device cybersecurity to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multi-patient, catastrophic attack).”
Three months later, in July 2018, the FDA announced its adoption of ANSI (American National Standards Institute) UL 2900-2-1 as a “consensus standard” for device manufacturers and for patients.
UL — formerly Underwriters Laboratories — is an independent third-party assessment firm that has certified consumer product safety, or lack of it, for more than a century.
UL 2900-2-1 calls for, among other things, “structured penetration testing, evaluation of product source code, and analysis of software bill of materials.” The progress is noticeable, said Larry Trowell, principal consultant at Synopsys. “Five years ago, security in these devices was more or less an afterthought if it was considered at all. Today security experts are being called in during the design phase of products to look for potential risk areas before the products are off the drawing board.”
That has led to “definable improvement,” he said.
Medical device security initiatives delayed
And yet, in some cases, the rhetoric is more ambitious than the actions.Among the proposed initiatives in the FDA’s action plan is the creation of a new public-private partnership called the CyberMed Safety (Expert) Analysis Board (CYMSAB), chartered to “assess, assist, and adjudicate coordinated vulnerability disclosures in medical devices” and, possibly, to investigate medical device security breaches.
That generated an enthusiastic response at the time from numerous advocates, including Cory Doctorow, journalist, blogger, author, activist, and Internet of Things (IoT) expert. He wrote on his Boing Boing blog that the FDA was “finally taking action to improve (medical device security).”
But 19 months later, there is no CYMSAB. Stephanie Caccomo, press officer at the FDA, said while the agency did include funding for that board in its $70 million FY 2019 budget request, so far it has designated only “a very small amount of money to fund an internal exploratory phase to research what the FDA would need to do to implement the CYMSAB. At this point, there is no CYMSAB created or running,” she said.
Of course, that is only one of the multiple initiatives the FDA proposed. And Caccomo added that the FDA’s “cybersecurity work never stops, and we continue to grow our engagements with the many stakeholders involved in this community to identify cybersecurity threats to medical devices.”
But there is apparently not enough money available to implement the agency’s entire action plan, even though connected medical devices are a prime attack surface. A recent survey by Irdeto, a digital platform security vendor, found that 82% of healthcare organizations’ IoT devices have been targeted by a cyber-attack within the last year.
Current state of medical device security
So how do experts see the current “state of security” for medical devices? The reviews are mixed. One view, expressed in a Threatpost story covering a presentation on connected devices at the recent ENFUSE 2019 event in Las Vegas, hospitals and healthcare centers in general “have notoriously lax culture when it comes to security.”
It quoted Ferdi Steinmann, industry strategist for life sciences at OpenText, declaring that “drivers across the industry,” such as an aging population and regulations, “are putting facilities and patients at risk.”
Trowell agrees. He said the physicians he knows have no interest in maintaining a high level of security in their workplace because “it is perceived as increasing the complexity and increases the decisions that medical professionals have to make every day.”
“Even the few I know who attempt to keep up with security issues by say, listening to popular security podcasts, only use that information to better their personal lives, not their professional ones,” he said.
Focus on ‘critical service delivery’
But Megan L. Brown, a partner with the Washington, D.C., law firm Wiley Rein, said “notoriously lax” overstates reality. “Hospitals operate in challenging real-world and regulatory environments,” she said. “They want to do the right thing and have been investing in security, but their cultures are focused on critical service delivery.”
Brown also said she thinks some conference presentations are aimed more at generating publicity than anything else. “There is a whole hacking industry that has sprung up to identify issues and freak the public and press out about security at conferences,” she said.
Not that she blames all hackers. “I’ve seen a real culture shift in the past five years on coordinated disclosure and vulnerability handling and openness to working with groups like HackerOne,” she said.
“But some hackers don’t act responsibly or are focused on public attention rather than discreet remediation. Often they don’t have access to full information, for good reason. Remember, not all vulnerabilities are exploited or exploitable.”
Funding, device longevity impediments to medical device security
Anura S. Fernando, chief innovation architect, medical systems interoperability and security, at UL, agreed that the healthcare industry still has a long way to go to provide even better-than-average security in connected devices. But he said one reason security tends to be uneven because not all facilities are as well-funded as others.
“Many hospitals and healthcare centers have very strong security policies and practices,” he said. “But small, independently run, rural clinics have to deal with the same security issues as large healthcare delivery networks, budgets, access to skilled workforce, and many other factors.”
There is also the reality that change will not happen quickly. Most medical devices are made to operate safely for years, sometimes decades. Consequently, many of those now in use were never intended to be connected to the internet.
That means the provisions of UL 2900-2-1, which call for the elimination of hard-coded passwords, among other things, will take considerable time to become mainstream.
Trowell noted that devices being designed for release this year “were being designed about three to seven years ago. This means that the best-case scenario is that a larger number of the devices arriving next year will have been designed with the suggestions made by UL 2900-2-1 in effect.”
Fernando said things are moving toward better security. The adoption of UL 2900-2-1 “by regulators around the world such as the U.S. FDA, Health Canada, Australian TGA, etc., has started to drive some alignment in the global approach to generating objective, test-based evidence supporting manufacturers security claims.”
The hope, he said, is that this will mean that “innovative new healthcare technologies can reach the patient bedside more quickly.”
No medical device security incidents yet
Meanwhile, in that extended interim, most experts agree that the value to patients of their connected devices far outweighs the risk of it being compromised by a cyber-attack. Caccomo said that so far, the FDA “has not received any reports of patient harm directly linked to a medical device cybersecurity incident.”
She acknowledged that this doesn’t mean patients shouldn’t be concerned. She said a day-long meeting this past September titled “Cybersecurity in Medical Devices: Communication that Empowers Patients” included patients, industry representatives, health care providers, independent security researchers, and other stakeholders. She said patients “told us they believe that medical device cybersecurity is a matter of national security, as well as one of patient safety.”
But experts agree patients shouldn’t abandon the use of connected devices out of fear of those threats. “Many of the reported issues are real and they can be dangerous, but only in specific circumstances that are unlikely to occur in real life,” Trowell said. “For example, internal medical devices that are able to talk to external interfaces over wireless have a built-in security constraint,” which is that the human body is mostly water.
“Most wireless communication has access to these devices on wavelengths that are absorbed or reflected by water, which makes the range of effective communication so short that the attacker would have to have direct skin contact or in some cases closer contact to be able to effectively talk to the device,” he said.
Security should be part of critical service delivery
Still, the bottom line is that physicians and others involved in direct care need to understand that security is a crucial component of what Brown called “critical service delivery,” because poor security can undermine it.
“Even those individuals involved in healthcare with a high level of education, like doctors and nurses, are just starting to become aware of the clinical implications of cybersecurity,” Fernando said.
“The healthcare community is taking significant strides forward, but there is still a long way to go, and the road just keeps getting longer, so we need to maintain momentum.”
(Disclaimer: The author is a Software Security Expert at Synopsys Software Integrity Group and the views expressed in this article are his own and may not necessarily be those of the publication)