Medical devices can pose a serious threat to patient safety and protected health information (PHI) if they are compromised by hackers, and hospital leaders should not trust that the manufacturer has adequately protected them, say experts in the field.
Many security researchers have discovered vulnerabilities in medical devices that could be used to cause physical harm and potentially even death, says Corey Nachreiner, chief technology officer at WatchGuard Technologies, a network security vendor in Seattle.
“The good news is that so far it’s been the good guys who have identified and reported these issues, rather than hackers with malicious intent. That said, the potential for real-world harm or death is still very much a reality,” Nachreiner says. “For example, around a decade ago, a researcher named Barnaby Jack found flaws in implanted pacemakers that he could wirelessly exploit, in close proximity, to shock those who were equipped with such devices.”
This year, another medical device security researcher uncovered methods he could use to remotely hijack the back-end systems that manage many patients’ pacemakers and use them to deliver booby-trapped software to those pacemakers, Nachreiner explains. The method would make it possible to shock patients through a completely remote attack, he says.
The same researcher also has found major flaws in insulin pumps, neurostimulators, and more, Nachreiner notes. Over the years, other security researchers have discovered flaws in medical imaging technology and drug injection systems used in hospitals as well.
“In short, the medical Internet of Things today appears to be just as insecure as the consumer Internet of Things, only with the potential to cause much worse — and often physical — damage,” Nachreiner says. “The risk that hospitals should remain most concerned about is insecure medical devices that end up causing harm to, or the death of, their patients.”
Patient Data Also at Risk
At the same time, hospitals must address the great potential for breaches involving patient information, he says. Hospitals, by their very nature, tend to have more sensitive personal information about their patients on file than the average business would ever collect from its customers. Specifically, hospitals often require patients to share Social Security or national identification numbers, which are highly valuable credentials to identity thieves.
“However, I am less worried about hackers stealing this information from the actual medical devices. Rather, hackers would target the traditional IT systems in hospitals for this type of information,” Nachreiner says. “The risks inherent to the medical devices themselves are more about either not doing their job correctly — risking a patient’s health — or being misused to actively, physically harm a patient.”
The solution is two-fold, Nachreiner says. For existing devices that are already insecure and difficult to update or replace, hospitals need to use traditional network security and segmentation practices to separate these devices from the internet and protect them from network and malware attacks, he says.
“But the more long-term and complete solution here will require regulating bodies and the public to put pressure on medical device manufacturers to prioritize security design in their new networked devices,” he says. “Hospitals can begin to address the latter solution by not purchasing medical devices from manufacturers who neglect to prioritize security, work with the FDA and other government authorities to identify which devices are least at risk, and start pushing for regulations that make vendors prioritize security.”
Consider Security When Purchasing
Patient safety risks associated with medical devices often come from hospitals purchasing technology that was not designed with security in mind, says Emil Hozan, threat analyst at WatchGuard.
General information security risks within healthcare organizations also can surface due to the absence of adequate security training programs for staff and common security vulnerabilities found in just about every type of information system and network, regardless of size or industry, Hozan says. Hospitals looking to address security risks in medical equipment need to verify that their chosen manufacturer has aligned its product to comply with existing and sufficient security standards, and then make it a policy to only purchase from vendors who have proven their offerings are security-oriented.
“Training hospital staff on cybersecurity best practices should be a standard practice for every hospital, especially given that nurses and doctors are often targeted by spear phishing campaigns with intent to download malicious content,” Hozan says. “Without the proper training, medical staff that fall victim to these attacks enable malware to potentially siphon sensitive and confidential information from the network to a remote command-and-control center.”
Hospital IT teams can harden their networks to shore up common vulnerabilities by implementing isolated virtual local area networks (VLANs), groups of devices configured to communicate as if they were attached to the same network when in fact they are not, Hozan suggests.
“This means firewall protection for anyone trying to traverse between staff computers and medical equipment on the network,” he says. “Other key security strategies would be to enable advanced antivirus protections and religiously update software with new patches.”
Know Your Devices
Realizing that these devices pose a risk to patient safety is the first step to protecting patients, says Jeff Sanchez, managing director in the security and privacy division of Protiviti, a technology and management consulting company in Menlo Park, CA. Healthcare organizations use the NIST Cybersecurity Framework (CSF) to protect key IT assets, and a similar approach is needed with medical devices, he says. (More information on the CSF is available online at: https://bit.ly/2ePWDZM.)
“We find that many healthcare providers have foundational-level issues with identifying and tracking medical devices throughout their environment. It may sound silly, but some organizations can’t give an accurate number of how many devices they own, lease, and/or support,” Sanchez says. “They can’t tell what types of devices are under their care — the manufacturer, make, model, version, etc., where they are used or stored, if they are connected to the corporate networks or other devices via wired or wireless mechanisms, and if they create, store, process, and/or transmit sensitive patient information.”
Answering these questions with any degree of accuracy requires mature and robust processes to inventory devices and their key characteristics upon purchase or arrival at the organization, followed by monitoring and tracking controls to ensure those assets are kept up with, Sanchez says.
Healthcare organizations also see many challenges in identifying whether any unauthorized devices have entered the organization and have potentially been connected to the corporate network, he says. This problem often occurs when vendors lend prototypes or trial devices to the organizations or to the medical professionals for try-out periods, he says.
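The inventory questions above can be checked mechanically by reconciling the device inventory against what is actually seen on the network. The following Python sketch is an added example, not part of the original article; the field names, MAC addresses, VLAN number and device names are constructed assumptions.

```python
# Added example: reconcile a medical device inventory against devices
# observed on the network. All records below are constructed sample data.
REQUIRED = ("manufacturer", "model", "version", "location",
            "connectivity", "handles_phi")

INVENTORY = [  # constructed inventory records
    {"mac": "00:11:22:aa:bb:01", "manufacturer": "ExampleMed", "model": "Pump-A",
     "version": "2.1", "location": "ICU-3", "connectivity": "wired",
     "handles_phi": True},
    {"mac": "00:11:22:aa:bb:02", "manufacturer": "ExampleMed", "model": "Monitor-B",
     "version": "", "location": "Ward-5", "connectivity": "wireless",
     "handles_phi": None},
    {"mac": "00:11:22:aa:bb:03", "manufacturer": "SampleImaging", "model": "Scan-C",
     "version": "7.0", "location": "Radiology", "connectivity": "wired",
     "handles_phi": True},
]
OBSERVED = [  # constructed: addresses seen on the clinical network segment
    {"mac": "00:11:22:AA:BB:01", "vlan": 120},
    {"mac": "00:11:22:aa:bb:02", "vlan": 120},
    {"mac": "00:11:22:aa:bb:99", "vlan": 120},  # e.g. an unregistered trial unit
]

def norm(mac):
    """Normalize a MAC address so inventory and network records compare equal."""
    return mac.strip().lower().replace("-", ":")

def reconcile(inventory, observed):
    known = {norm(d["mac"]): d for d in inventory}
    seen = {norm(o["mac"]) for o in observed}
    # Inventory entries that cannot answer one of the key questions.
    incomplete = {mac: [f for f in REQUIRED if d.get(f) in (None, "")]
                  for mac, d in known.items()}
    return {
        # On the network but never inventoried.
        "unauthorized": sorted(seen - set(known)),
        # Inventoried as networked but not seen; location needs confirming.
        "not_seen": sorted(mac for mac, d in known.items()
                           if d.get("connectivity") in ("wired", "wireless")
                           and mac not in seen),
        "incomplete": {mac: f for mac, f in incomplete.items() if f},
    }

if __name__ == "__main__":
    for finding, detail in reconcile(INVENTORY, OBSERVED).items():
        print(finding, detail)
```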
Another common problem is a failure to physically secure medical devices.
“I should make a differentiation now that two very real risks exist here — one that carries malicious intent and one that very much does not. Many organizations see instances of employees and/or patients who have used available USB ports on medical devices and their accompanying PCs to charge their mobile devices,” Sanchez says.
“They weren’t trying to harm a patient or steal sensitive protected health information; they simply wanted their cellphone to be charged so they could receive texts from family and friends. While we wait for manufacturers to come up with technical ways of disabling those ports, many companies sell USB locks/keys that don’t involve ruining a motherboard with hot glue, or other DIY port blockers.”
Monitor Remote Access
On the more malicious side are deliberate attempts to steal protected data or harm patients, Sanchez says. The technology within medical devices is growing more complicated and compact, and the devices and their abilities to store information and connect to corporate networks are growing at a rapid rate. While those advances are beneficial, they also can make devices easier to physically steal or access, he says.
“Being able to identify when devices have left the umbrella of the organization and performing a comprehensive risk analysis on them could be a crucial component to understanding how patient information ended up on the internet months down the road,” Sanchez says.
“Remote access to devices is something that is often required for support and troubleshooting, but left ungoverned, it can be very dangerous.”
Healthcare systems need assurances that vendors can react in a split second to emergencies with certain devices, but other situations are not necessarily a matter of life or death, he explains.
For those vendors that do not need instant access at any time, Sanchez recommends that support access be suspended in times of business as usual, or that some type of emergency identification with transactional-level monitoring controls be put in place to verify when a credential is used and that it was for legitimate purposes.
Additionally, any remote access to the provider’s network should require some form of multifactor authentication, Sanchez says.
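The transactional-level monitoring and multifactor requirement described above can be expressed as an audit of vendor remote-access sessions against approved support windows. This Python sketch is an added example, not part of the original article; the account names, ticket identifiers, timestamps and record layout are constructed assumptions.

```python
from datetime import datetime

# Constructed approvals: vendor support access is enabled only in these windows.
APPROVALS = [
    {"ticket": "CHG-1001", "account": "vendor-pumps",
     "start": "2024-03-04T09:00", "end": "2024-03-04T11:00"},
    {"ticket": "EMR-2002", "account": "vendor-imaging",
     "start": "2024-03-05T22:00", "end": "2024-03-06T02:00"},
]
# Constructed remote-access log records.
SESSIONS = [
    {"account": "vendor-pumps", "login": "2024-03-04T09:12", "mfa": True,
     "ticket": "CHG-1001"},
    {"account": "vendor-pumps", "login": "2024-03-04T23:40", "mfa": True,
     "ticket": "CHG-1001"},
    {"account": "vendor-imaging", "login": "2024-03-05T23:05", "mfa": False,
     "ticket": "EMR-2002"},
    {"account": "vendor-monitors", "login": "2024-03-06T14:00", "mfa": True,
     "ticket": None},
]

def ts(value):
    return datetime.fromisoformat(value)

def audit(sessions, approvals):
    """Return (index, account, reasons) for each session that needs review."""
    by_ticket = {a["ticket"]: a for a in approvals}
    findings = []
    for i, s in enumerate(sessions):
        reasons = []
        if not s["mfa"]:
            reasons.append("no_mfa")
        approval = by_ticket.get(s["ticket"])
        if approval is None or approval["account"] != s["account"]:
            # Credential used with no approval on record for this account.
            reasons.append("no_approval")
        elif not ts(approval["start"]) <= ts(s["login"]) <= ts(approval["end"]):
            # Approved ticket exists, but the login fell outside its window.
            reasons.append("outside_window")
        if reasons:
            findings.append((i, s["account"], reasons))
    return findings

if __name__ == "__main__":
    for finding in audit(SESSIONS, APPROVALS):
        print(finding)
```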
- Emil Hozan, Threat Analyst, WatchGuard Technologies, Seattle. Phone: (206) 613-6600.
- Corey Nachreiner, Chief Technology Officer, WatchGuard Technologies, Seattle. Phone: (206) 613-6600.
- Jeff Sanchez, Managing Director, Security and Privacy Division, Protiviti, Menlo Park, CA. Phone: (650) 234-6000.