The lack of adequate security standards for connected devices, and vulnerabilities in these devices, pose significant risks to the country’s digital infrastructure and could result in serious consequences if cyberattacks target medical devices in particular, according to several security experts who testified during a Congressional hearing.
Two panels of the U.S. House of Representatives Energy and Commerce Committee—the subcommittee on commerce, manufacturing and trade and the communications and technology subcommittee—held a hearing Wednesday to explore issues about the cybersecurity of connected devices. The hearing focused on the role of connected devices, or Internet of Things (IoT) devices, in recent cyberattacks, with legislators specifically focused on a massive distributed denial-of-service (DDoS) attack that occurred back in October on Internet-infrastructure provider Dyn.
The hearing was intended to review the recent series of connected device-based DDoS attacks, understand current countermeasures, and consider future efforts to combat malicious actors that could target vulnerabilities in modern digital infrastructure. Several security experts testified that with the exploding proliferation of IoT devices, the lack of security on these devices poses a serious risk and the current lack of any security standards for IoT devices needs to be addressed.
There are currently billions of IoT devices in operation and Rep. Marsha Blackburn cited a report that there would be 20 to 50 billion IoT devices by 2020. In a statement to House committee members, the College of Healthcare Information Management Executives (CHIME) stated that “tens of thousands of medical devices can be used throughout large healthcare systems, many of which are connected directly to the patient or serving to provide information to inform clinical decision making.”
“The highly interconnected nature of medical devices, combined with the constraints of inconsistent patching cycles, has created an ecosystem ripe with technical vulnerabilities that cannot be managed with standard processes and procedures,” CHIME said in its statement.
CHIME emphasized the need for improved threat and information sharing across the industry. “Only by pulling together and sharing best practices can we thwart cyber criminals and protect patients.” And, to improve the cyber hygiene of networked medical devices, CHIME specifically noted that Congress should “ensure that manufacturers configure their devices according to an industry accepted security standard that accounts for the basic principles of cybersecurity controls and alleviates risks.” CHIME advocated that manufacturers should, as part of the pre-market approval process, be required to undergo a level of security validation in order to provide healthcare providers with a simple, easy-to-implement mechanism for managing the security of those devices.
During the hearing, legislators were particularly interested in gaining insight into what regulation, if any, was needed at the federal level and what kinds of security standards should be implemented. While none of the security experts were from the healthcare sector, the topic of medical devices, and the potential cybersecurity risks to hospitals and healthcare systems, was a frequent point of discussion.
As a researcher, Kevin Fu, CEO of Virta Labs and associate professor, department of electrical engineering and computer science at the University of Michigan, said, “We’re going to have some serious trouble if we don’t answer these questions. I fear for the day that every hospital system is down because an IoT attack brings down the entire healthcare system. We need to spend more time on the pre-market.”
Dale Drew, senior vice president, chief security officer at Level 3 Communications, said, “What we’ve seen, the Internet of Things has changed the nature of the game, as it’s easier to break into those devices and it goes unnoticed for longer periods of time.”
Drew also said, “I think that the average chief security officer has to manage 75 separate security vendors and to bolt on security controls for products and services that they are purchasing. You get one of those dials wrong and there are some significant consequences. So focusing on making sure that free market controls are placed on that infrastructure will be a significant adaptable win for us.”
Many of the security expert witnesses emphasized the need to place more responsibility on the device manufacturers.
“Security needs to be built into IoT devices, not bolted on,” Fu said. “If cybersecurity is not part of the early design of an IoT device, it’s too late for effective risk control.”
According to Fu, one issue that needs to be resolved is the economics of device security as customers, such as hospitals, don’t want to pay more for better security, and manufacturers want to upsell in order to include better security on devices.
On the topic of medical device security, Blackburn asked the security experts about mitigation strategies for hospitals and health systems to address device security.
“I can’t give you a satisfying answer. If you were to be a fly on the wall in the board room in the hospitals as they are discussing the topic of how does IoT security affect their assurance of their clinical operations being continuous, at the moment, they don’t have a plan,” Fu said. “It’s more along the lines of, ‘We need to get a plan, what can we do.’” Fu said one particular problem is that chief information security officers and healthcare IT leaders typically don’t know their inventory.