At the HIMSS17 conference at the Orange County Convention Center in Orlando, experts in the cybersecurity space dove into the latest emerging trends regarding healthcare information security and protection, with newfound emphasis on medical device security.
Not likely to be a surprise to anyone, Mac McMillan, CEO of the consulting firm CynergisTek, noted, as he has many times in the past, that the growing sophistication of the attacks he sees today remains one of the biggest trends in healthcare cybersecurity. McMillan said that artificial intelligence (AI) is starting to "creep into attacks," and that hackers are now using the same technologies that the "good guys are using for benefit." He said, "Now [criminals] are teaching malware to do amazing things that it couldn't do before, thus making it harder for the good guys' systems to block, protect, or stop it."
McMillan added that the volume of attacks has not slowed at all, as evidenced by recent research. "Extortion has taken on totally new approaches, so it's not just encrypting data and holding it ransom, but attackers are wiping it out and making copies, and telling the organization that they have to pay to get their data back. Extortion has taken on a whole new realm," he said. McMillan then touched on another noteworthy trend: attacks aimed specifically at the devices connected to the network, whether wirelessly or otherwise. "I worry about inadvertent health or safety issues with patients in the hospital who are relying on these devices that are connected," he said. Indeed, he continued, the disruptive nature of such attacks is deeply disturbing, as they affect business, revenue, service, and confidence, "all the important things for a hospital."
Further discussing the emerging attacks on medical devices, McMillan noted that at the recent RSA security conference, several medical device manufacturers commented that they were not the problem with respect to insecure medical devices; rather, it is the providers who are the problem, since they continue to use devices past their end of life. "So the [manufacturers] are saying that the providers are not renewing the devices fast enough, which is another way of saying 'buy more of my devices'. However, it doesn't matter if I buy more devices if the devices I am buying still are not secure," McMillan said, referring to the conversation at the RSA conference as "a crazy experience." He added, "Here at [HIMSS], folks have come up to me who were at RSA asking if I could believe what the manufacturers said there. And I said absolutely I could, if they could make the case that it's your problem and that you need to replace your devices, think about that as a sales opportunity."
To this end, during an education session on the evolving state of medical device cybersecurity, Seth Carmody, Ph.D., cybersecurity program manager at the FDA, noted that medical devices in the clinical environment, within the health and public health critical infrastructure sector, "represents a major large attack surface for national security today." Carmody added, "We don't want people to check boxes; we need to make sure that medical devices are more secure, not more compliant."
Carmody said that FDA guidance on medical device cybersecurity serves as a policy framework to enable patching and reconfiguration where appropriate, since devices have historically been designed without secure development techniques. "The FDA's mission is for safe and effective devices," he said. "Where are we as a center? We are maturing; we just got started in 2013. Some other sectors have had a 25-year head start on us. Now, it's about raising awareness, and there are both early adopters and deniers. We want to promote safety and security by design through establishing clear regulatory expectations," he said, adding that a "whole community approach," inclusive of all the federal regulatory bodies, such as ONC, OCR, DHS, and ICS-CERT, as well as the private sector of device manufacturers, is necessary to coordinate, collaborate, and share information. Carmody said that manufacturers have come to the FDA and have had transparent conversations. "That's when you start to get things done," he said.
Meanwhile, during the same session on medical device cybersecurity, Margie Zuk, senior principal cybersecurity engineer at The MITRE Corporation, identified several gap areas that emerged from the organization's research, including: the need to share best practices for securing legacy devices; the need to adopt threat-based defense and share threat intelligence; the need for coordinated disclosure of vulnerabilities and for transparency about vulnerabilities in third-party software; the need for solutions that fit both small and large organizations; the need for a common risk framework covering security and safety; the need for cybersecurity baselines for medical devices; and the need for testing and certification of medical devices.
What's more, when asked where the biggest gaps lie with regard to defense and protection, McMillan said, "Still amazingly enough, the most important thing that organizations can do is the basics." He gave specifics, such as: better hygiene in how they manage the environment; making sure they are using systems that are up to date; and taking an overall approach of hardening and patching up things. "And whether they like it or not, they will have to invest in smarter technology," he said. "Technology of the past won't protect us against threats of today or tomorrow."