With the recent publicized ransomware and cyberattacks, medical device security has become a hot topic in the boardroom. Senior management is not only concerned about sensitive patient data being leaked. Patient safety is now also at risk.
The organizational challenges of securing medical devices
Common cyberattacks that aren’t designed to harm patients are still a major threat to patient safety due to the fact that, in many cases, connected medical devices are unprotected. Even as a result of an everyday cyberattack, such as ransomware, where medical devices aren’t being targeted directly, patient treatments can be interrupted and devices might crash, causing service disruption.
There are new vulnerabilities discovered all the time, including Urgent/11 running on VxWorks, Wi-Fi vulnerabilities on Meditronic’s smart insulin pumps, NotPetya based on the same EternalBlue package as WannaCry, Sodinokibi malware running on Microsoft Windows 7 through 10 and Selective TCP Acknowledgment vulnerability known as SACK Panic that resides in the TCP stack of the Linux kernels.
This is in addition to the infamous WannaCry ransomware attack that is still active, and has been attributed to shutting down more than 60 hospitals in the UK and more than 100 million dollars in damages. But even though the danger is clear, and there are directives from the FDA and Office of Civil Rights to take action, not enough is being done to protect patient safety.
Who is responsible for medical device security?
Typically, IT is primarily responsible for information security in larger hospitals, but they need to rely on specialized expertise of biomedical engineers to know how to secure medical devices effectively. Sharing information and collaborating can be difficult when the relevant experts work in different departments. Communications are even more complicated when biomedical engineering is outsourced. Recently, we are seeing a new trend where biomedical engineering is reporting to IT, which makes collaboration easier. A new position is also emerging: The medical device security engineer which makes one individual ultimately responsible for the security of medical devices.
However, even if one person is charged with security, hospitals typically have specialized departments such as radiology, oncology, cardiology and pediatrics that each have their own medical devices with unique connectivity requirements, behaviors and workflows. This makes it difficult for one individual to define and enforce a unified security policy throughout the hospital.
Patient safety interfering with patient care
Doctors and nurses are already at their limit caring for patients. When devices do have authentication, punching in passwords to protect patient data and safety can appear counterproductive because they slow down patient treatments. Since remembering passwords is tedious, many caregivers share logins which can make devices even less secure.
In addition, if a medical device is malfunctioning, caregivers are likely to yank the device and replace it with another without being aware that the product failure is due to a security incident. After a manufacturer announces a security vulnerability and a patch is available, the installation needs to be coordinated with the manufacturer and all the departments to help minimize the impact on patient treatments.
If a patch isn’t available, all the relevant departments need to collaborate to apply a mitigation, such as limiting device communications by utilizing access lists or implementing network segmentation. All of these measurements can impact business processes related to patient care.
Collaboration with verification
Because of all the complexity and the high level of collaboration required, voluntary compliance to medical devices’ security procedures isn’t strong enough. To protect patient safety, medical device security should be fully regulated with specific measurable requirements, and then enforced. Doctors and other caregivers should also be educated about the potential risk to patient health by not securing medical devices as part of their formal training.
However, there are steps that hospitals can take today without waiting for regulations and cybersecurity training to take effect. Hospitals should make sure that all the responsible people in the relevant departments share all information related to medical device operations and clinical workflows. IT security needs to be part of the procurement process so that security requirements are taken into consideration.
Hospitals need to have full visibility when it comes to medical devices, including those that were added by vendors on a trial basis. Hospitals must also have the ability to assess all vulnerabilities and prioritize them based on their impact on patient safety, service availability and data confidentiality. Following the prioritization, hospitals should implement the proper compensating controls, such as network segmentation and access control lists, to limit the attack surface. Devices should also be continually monitored for anomalous behavior to detect and prevent potential threats.
Medical device cybersecurity is a must, but it requires cooperation from everyone. A combination of training, sensible policies, enforcement and automation can help keep patients safe. Because in the end, patient health and safety are equally important.
All IoT Agenda network contributors are responsible for the content and accuracy of their posts. Opinions are of the writers and do not necessarily convey the thoughts of IoT Agenda.