Would You Like a Wake-Up Call?
Looking back, the December 2016 Food and Drug Administration’s Pre-Market and Post-Market Cybersecurity Management Guidance captured the attention of many medical device manufacturers. Since then, we have seen the manufacturers increase the pace of their security vulnerability alerts rise by 400 percent per quarter. More importantly, the number of critical vulnerabilities reported before and after the FDA report jumped from over 550 percent when measured as a percentage of total reports.
So why have we not seen the same heightened response from the provider community? Perhaps it is because the message that drove the manufacturers’ response is not reaching appropriate management levels within the provider community. It could also be because providers still look at medical devices as hardware boxes, rather than computing endpoints. It also could just be risk fatigue. Regardless of the root cause, these same vulnerabilities discovered by the manufacturers are also being exploited by hackers who are looking for ways to break into the providers’ networks.
Don’t Hit the Snooze Button
The security threat exists in both new systems being developed today but perhaps more with legacy systems still in the inventory. A review of many hospitals’ inventory will discover a relatively few office and laptop computers more than four years old. On the other hand, the same review will often discover medical devices purchased 10 to 15 years ago. To understand the importance of this age gap, remember that while most providers’ workstations are running either Windows 7 or Windows 10, medical devices may be running Windows 2003, 2000, or even older operating systems on the same network. With few exceptions, these legacy medical devices cannot be patched to withstand attacks from modern malicious software, a.k.a., malware, or even install anti-virus software. These older operating systems would not typically pose a cybersecurity threat if providers were not connecting them to the network.
As technology advances, providers are now integrating medical devices into their electronic medical systems. Newer devices coming onto the market are even connecting to smartphones with the FDA’s encouragement. Devices and applications that may pose a moderate or high risk to patient’s health may be regulated by the FDA. Regardless, these advancements in mobile technology will allow providers to monitor patients longitudinally across time and open the door to better treatment. These advances also open new security challenges, including both hacking and the risk of physical theft or loss.
The hacker threat poses the highest security risk to medical devices because vulnerabilities can be exploited many places along the information “continuum of data .” More complex modalities such as MRI and CT imaging devices, as well as many mobile devices designed to be worn outside of the treatment facility, must rely on external communications in order to operate properly.
One of the top risks with medical devices is poor digital identity management which includes not using strong user IDs and passwords, or even worse when providers fail to change the factory default credentials that are available in several locations on the internet. There are even some medical device vendors using hard-coded digital credentials for access to their equipment as late as 2018; these hard-coded credentials cannot be changed. They are very easy to identify within equipment user manuals and clinical engineering-focused Internet resources.
Another high risk is when medical device vendors make business decisions to not update the operating system software to remediate a known or newly discovered vulnerability. The reasons vary, but many legacy medical devices were never designed with the ability to be updated, especially by end users. When these vulnerabilities are left exposed, they can be exploited by hackers to either steal data stored on or transmitted by the devices or used as ‘jump boxes’ to attack other computers on the network. Automated malware can also hide on these hosts to infect other computing devices.
High risks are not limited to technical vulnerabilities as physical loss, theft, or unauthorized access to medical equipment can result in a potential reportable breach under the HIPAA Rules. Medical devices, unlike laptops, are typically not issued to individuals but rather departments or not assigned at all. It does not matter if the management of medical devices is outsourced to a vendor, the responsibility for physical protection of these devices ultimately reside with the provider.
Time to Get Out of Bed
Providers have hit the snooze button long enough and it is time to create an action plan. The first step is to recognize that medical devices represent a real threat to the providers’ operations and patient safety. This can be accomplished by including medical device risks in your security management plans. Risks need to be identified, quantified, and assigned to the appropriate level in the appropriate functional area. This implies that a minimum level of oversight needs to be adopted through a formal governance structure. This formal structure will require active participation and increased collaborative efforts between an organization’s information technology, clinical engineering, procurement, protective services, and clinical staff resources.
Second, providers should validate that they have an accurate inventory. It is important to review all supporting internal processes for asset management, such as, procurement procedures, assigned accountability requirements, and device disposal practices. Each of these processes contributes significantly to keeping a managed inventory accurate and up to date. An accurate inventory is the basic building block required to start monitoring vendor alerts and software updates. The inventory should include robust technical details identifying, for example, how much patient data can be stored on the device, if passwords are enabled and if so, if the default passwords have been changed. The inventory should also be periodically validated in order to identify missing devices. Multiple independent processes, including periodic preventative maintenance, clinical staff shift changes, and protective services can be used as interim touchpoints to the “annual pump roundup.”
The medical device management process should be tightly integrated with the Information Technology or Security department so that compensating security controls can be implemented if the devices, themselves, cannot be secured. Compensating controls include isolating all medical devices from the main network and limiting Internet access to only those sites needed to support the clinical functionality of a device. This can be accomplished through firewall rules. In the past two years, vendors have developed the next generation of passive scanners designed specifically to address the unique patient safety requirements of medical devices.
Finally, the medical device management process should also be tightly integrated with compliance and risk, as we have learned that without oversight and attention at the appropriate management levels, these risks can adversely impact not only the provider’s security posture but also impacts patient safety when devices are not available or cannot be trusted. The task is not a simple one, as obtaining permission to take a device off-line, sometimes even for multiple days, to perform a software update will be challenging, especially when that device is generating tens of thousands of dollars in revenue every day. This highlights the need has solid executive leadership backing as the critical first step in securing these devices.