Connected medical devices are transforming how patient care organizations deliver care and monitor patient health, with the potential to improve care and lower costs. However, networked medical devices, if compromised, can pose significant risks, both to data security, and potentially, to patient safety, if a device’s normal operation is disrupted.
As clinical medical devices, such as cardiac devices or wireless glucose monitors, become increasingly interconnected via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, many security experts warn. Additionally, the exploding proliferation of the Internet of Things (IoT), in conjunction with the lack of security on these devices, also poses a serious risk.
“IoT devices, for the most part, are fairly new. You’re seeing a lot of things in the commercial world or in the public space, where things are just coming to the market very, very fast, and a lot of these organizations that are building these devices are trying to be first to the market. When that happens, usually what we see is those organizations tend not to think too much about security, it slows the process down,” says John Petersen, senior manager with The Chartis Group, a Chicago-based consulting firm. For instance, many IoT products, such as fitness wearables, and even some clinical medical devices were developed without the capability to change default passwords. “That’s a huge risk to any organization, as that’s a starting point for really any type of breach into the network, a device that has a password that’s easily accessible,” says the Albany, N.Y.-based Petersen, who leads cybersecurity capabilities in the informatics and technology practice at The Chartis Group.
There have been a number of events just in the past year that should be wake-up calls to the industry about the security vulnerabilities of connected devices and the role of IoT in cyberattacks. Back in October, there was a massive distributed denial-of-service (DDoS) attack on Internet-infrastructure provider Dyn. According to security experts, a botnet made up of 100,000 compromised gadgets knocked Dyn partially offline, ultimately causing a long list of high-profile websites to temporarily disappear from the Internet. Meanwhile, specifically, within healthcare, the U.S. Food and Drug Administration (FDA) issued a safety communication in January that identified cybersecurity vulnerabilities in St. Jude Medical’s implantable cardiac devices and home transmitters. The vulnerabilities, if exploited, could allow an unauthorized user to remotely access or influence the patient’s radio frequency-enabled implanted cardiac device by altering the transmitter, according to the FDA. In response, St. Jude developed an updated software version for the transmitters.
In November, two panels of the U.S. House of Representatives Energy and Commerce Committee—the subcommittee on commerce, manufacturing and trade and the communications and technology subcommittee—held a hearing to explore issues about the cybersecurity of connected devices. In a statement to House committee members, the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) stated that “tens of thousands of medical devices can be used throughout large healthcare systems, many of which are connected directly to the patient or serving to provide information to inform clinical decision making.”
“The highly interconnected nature of medical devices, combined with the constraints of inconsistent patching cycles, has created an ecosystem ripe with technical vulnerabilities that cannot be managed with standard processes and procedures,” CHIME said in its statement.
At Salt Lake City-based Intermountain Healthcare, a 22-hospital integrated system considered a pioneer in care transformation, there are currently more than 80 projects that involve mobile or connected device technologies, such as telehealth and telemedicine initiatives, according to Karl West, chief information security officer (CISO) at Intermountain, and the security of those connected devices is paramount to West and his security team. West says security leaders need to proactively accept the proliferation of connected technologies and work with clinical and operational leaders to integrate these devices, safely, into the health system.
“These devices are being largely driven by transformation and innovation of care, which are good things. At Intermountain, we are trying to recognize that the care practices and models of the past are not going to be sufficient in this new world. We have to be supportive and we have to enable, as opposed to becoming a barrier,” he says. And, to that end, West says IT security “sits right at the front of those discussions with both our transformation teams as well as the partners and vendors.”
Tackling the Challenges
Many cybersecurity experts stress the importance of implementing a robust inventory management program as a critical first step in an effective medical device security strategy. “When it comes to inventorying assets, which is one of the main things of an IT security program, it’s about knowing what’s on your network, what has an IP address, and that can get very difficult for organizations,” Petersen says. He adds that devices often come into a health system through various departments or clinical programs which tend to procure their own devices without including IT security leadership in the process, and some devices might be managed by vendors or through outsourcing.
At Intermountain, West says his team has developed processes within the National Institute for Standards and Technology (NIST) Cybersecurity Framework, which addresses the five core cybersecurity functions —identify, protect, detect, respond and recovery. “The first process we have is inventory, and we call it at Intermountain our ‘data dictionary.’ We try to assess and understand all data—where it lives, where it resides, whether that’s on a traditional end point, or a mobile device, or a new piece of technology that is used to collect A1C information. That ‘data dictionary’ is an inventory for all the devices and the data, where it goes, where it moves. Once we have that, we categorize the data, the inventory, and we assess, ‘what is the nature of the data, where it is stored, where does it move?’ Many devices coming in don’t have the ability to store, they might only have the ability to move or look at data, so we look at those characteristics and understand the risks. And then we look to say ‘what are the common controls that should be applied on that device so we have the protections?’”
Broadly speaking, cybersecurity experts recommend a number of key strategies for medical device security:
- Involve cybersecurity leaders in the process of vetting new technologies prior to procurement
- Assess medical devices before integrating into the technology ecosystem to ensure appropriate security controls
- Implement robust inventory management and keep inventory up to date so firmware updates are applied appropriately
- Set up separate virtual local area network (VLAN) to segment the network and deny Internet access to certain devices
- Change default passwords on connected devices and IoT to strong, unique passwords
Clyde Hewitt, vice president of security strategy at CynergisTek, an Austin, Texas-based cybersecurity consulting firm, recommends healthcare organizations implement physical safeguards, such as bringing biomedical devices under a robust storage and disposal process. “Anything that comes in the door, gets an asset tag, so you know where it is, and when it goes out, it’s securely wiped” to remove protected health information (PHI), he says.
Moving forward, Hewitt says executive leadership at healthcare organizations should see data security as an enterprise management problem and not an IT problem. “When it comes time to do a risk assessment, you have to make sure that not only the IT systems are in the scope of that assessment, but also IoT, which is anything from biomedical devices to printers to facility control systems,” he says.
From the regulatory standpoint, this past December, the FDA issued its finalized guidance outlining steps that medical device manufacturers and healthcare systems should take to monitor, identify, understand and address cybersecurity risks once medical devices have entered the marketplace. The FDA has made it clear that healthcare providers share responsibility for the security of medical devices. But, many in the industry feel that without enforcement for vendors, the guidance doesn’t go far enough. “The vendors really need to step up to the table and need to take on the standards. There’s nothing beyond those initial guidelines that actually motivate companies that specialize in medical devices to actually change. Are they changing? I think they will change over time,” Petersen says.
Petersen cautions, “This problem is not going away any time soon. Every time you turn around there is a new piece of technology. One of the important aspects is that anything that requires network access that’s coming into your organization, needs to have IT security leadership’s stamp of approval prior to a contract being signed. That’s step number one.”
According to Hewitt, awareness of the problem is growing and some hospitals are implementing advanced network control technologies to address it. “Number one, recognition of the problem is the first piece of the cure. It’s showing up in the press, which raises the attention of the community. Hospitals are starting to take notice and there are methodologies that are out there to address this problem. I’m seeing CISOs starting to pay attention to, not only the biomedical devices, but printer security as well, and facilities, which have long been slightly outside of the security realm. It’s happening, it’s happening slowly, but between the OCR [U.S. Department of Health and Human Services Office for Civil Rights] issuing fines and the press reporting on it, we’re seeing improvements,” But, he adds, “Not as fast as it needs to happen.”