The pandemic has put a lot of things on hold over the last year, but medical device security shouldn’t be one of them.
The millions of medical devices that help keep people healthy—and in many cases keep them alive—have drawn mixed reviews from security experts since the internet happened. Even more so in the past year since the pandemic happened.
There is just about unanimous agreement that the benefits of those devices outweigh the risks. Even security experts who directly depend on them say so.
Jay Radcliffe, a medical device security expert and Type 1 diabetic, famously declared more than six years ago at the Black Hat conference in Las Vegas that the benefits of connected medical devices vastly outweigh the risks. He told CNBC much the same thing a couple of years later after he hacked into his own Johnson & Johnson insulin infusion pump.
He acknowledged that malicious hacks are possible and could cause catastrophic damage to users, but said for the average person like himself, it would be much more likely for “an attacker to sneak up behind me and deliver a fatal blow to my head with a baseball bat.”
Still, there’s also general agreement that medical device security ought to be better—a lot better. And some Synopsys experts say the COVID-19 pandemic, bad as it is, isn’t a valid reason to put security on hold.
At one level, during an emergency like this, no healthcare organization wants to say that a long-term problem should take priority over trying to save people who are dying. If your kitchen is on fire and somebody calls to tell you your door is unlocked, you’re going to put out the fire before you do anything about the door.
But hackers know that too, of course. They know that a spike in COVID patients at hospitals, maxed-out ICUs, and exhausted staff have generated a corresponding expansion of their opportunities—the attack surface.
It’s not so much that there are new vulnerabilities in connected medical devices, although that’s sometimes the case. Chris Clark, senior manager of security solutions and standards with the Synopsys Software Security Group, said the COVID-related rush to get applications and other patient-care solutions into use “has introduced vulnerabilities that didn’t exist before.”
But the major increase in risk has come from the fact that existing connected devices are being used more.
“Healthcare organizations are trying to reduce contact exposure to patients, so they are starting to use remote access-type technologies out of necessity,” said Michael Fabian, principal consultant with the Synopsys Software Integrity Group. “That may be opening them up to increased risk because of latent vulnerabilities in the devices coupled with network-level access in less-than-ideal conditions.”
Indeed, more remote connections means more opportunities for attackers. And the pandemic has generated a sharp increase in the use of connected CT scanners, monitoring systems, patient telemetry systems, ventilators, and more, all of which need security and privacy protections built into them. But many of those systems and devices operate on legacy platforms that weren’t designed to be connected to the internet. They were designed to work safely, but medical device security wasn’t even a thought, never mind an afterthought, when they were created.
And being connected has changed everything. As Jonathan Knudsen, senior security strategist with the Synopsys Software Integrity Group, put it, “The internet is a hostile environment, to put it mildly. So making devices and services more available online has the direct consequence of exposing them to more attackers.”
“They might have had weak security but been partially protected by network perimeter security. But if they must now be on the internet, they could be easy pickings for attackers,” he said.
So, not surprisingly, attacks on healthcare organizations spiked in the past year. The U.S. Department of Health and Human Services reported that during the first half of 2020, they were up nearly 50%.
Those were not all aimed specifically at connected devices for patients—the attacks also targeted network servers, desktop and laptop computers, email and electronic medical record (EMR) systems, and telehealth platforms.
But attacks like those increase the risk that devices designed as healing tools could be turned into lethal weapons. Indeed, ransomware attacks can take down an entire system, which affects all functions of a healthcare facility, including connected devices.
Clark, Fabian, and other experts say security could and should be better, pandemic or not.
Fabian is blunt. “My view is that the pandemic changes nothing,” he said. “There may be more stress on the operational side of the house, as in hospitals are busier and they have a maximum operational capacity that’s being pushed with demands for specific therapies. But that doesn’t change the fact that the standard information security process, even if it’s accelerated, should still apply.”
Clark said if a hospital is using twice the usual number of remote, connected devices, its risk increases, but not because of the increased use. “The cause is using unsecure frameworks,” he said. “It’s failing to implement the necessary solutions in their pipelines and build security into their systems.”
Clark and Fabian also don’t accept the long-running arguments that it’s too difficult to patch connected devices when vulnerabilities are discovered. One reason often given for not patching is that many legacy devices don’t have built-in tools to install software updates. Another is that the U.S. Food and Drug Administration (FDA) requires recertification if a device is updated.
But the FDA eliminated the bulk of that problem four years ago with an update of its own—new guidance on “postmarket management of cybersecurity for medical devices.” That guidance made it clear that routine patches and updates don’t need to be reported or reviewed by the FDA.
The real resistance to patching and other security measures like requiring more rigorous authentication to access a device, Fabian said, is because “the medical industry historically has had a very low tolerance for change when it comes to operational practices. Clinical practitioners have been very resistant to even minute changes to their workflow.”
He said device vendors bear some responsibility for improving medical device security, but added that “it’s less about the complexity of updating these devices than it is about how they are deployed and the features they provide. It’s not a problem that various device vendors have been unable to solve.”
“The pandemic is just another excuse for, ‘How can I justify not doing this?’” Fabian said. “Because for basic stuff like remote access, there are ways to solve that problem. We’re not talking about splitting atoms here—it’s a relatively common use case. Vendors and operational personnel need to work together to make it happen in a secure fashion with a risk-based mindset.”
Clark agrees. “It’s not a matter of the number of assets,” he said. “It’s the usage.”
Whether defensible or not though, the reality is that the pandemic has put security on the proverbial back burner. But as the pandemic subsides, it doesn’t have to stay there. Plenty of resources are available to help healthcare organizations prepare to respond to the inevitable next emergency without sacrificing security.
The FDA published a “Medical Device Safety Action Plan” in April 2018—which Synopsys participated in crafting.
Among its key stated goals was to “update the premarket guidance on medical device cyber security to better protect against moderate risks (such as ransomware campaigns that could disrupt clinical operations and delay patient care) and major risks (such as exploiting a vulnerability that enables a remote, multipatient, catastrophic attack).” Three months later, in July 2018, the FDA announced its adoption of ANSI (American National Standards Institute) UL 2900-2-1 as a “consensus standard” for device manufacturers and patients.
UL 2900-2-1, which changed the premarket certification process of devices, calls for, among other things, “structured penetration testing, evaluation of product source code, and analysis of software Bill of Materials.”
Those are the kinds of software testing and analysis that security experts have been recommending for more than a decade. They include static, dynamic, and interactive application security testing, along with software composition analysis for open source software components and dependencies.
Also, last fall the FDA approved a rubric created by the MITRE Corporation designed to rank the severity of vulnerabilities found in medical devices. The approval qualifies the rubric as a Medical Device Development Tool (MDDT). It was developed because a single scoring system for vulnerabilities that could affect things ranging from smart watches to medical devices to critical infrastructure to vehicles could be worse than just misleading or confusing—it could be dangerous.
And it’s not just the scoring system that requires some discretionary flexibility. The management of security does as well. “The priority is patient safety,” Clark said, noting that depending on the situation, a security update might have to wait.
“COVID patients in hospitals are frequently on ventilators,” he said. “So obviously you don’t want to push an update that is going to require all of them to shut down at the same time.”
“There is no blanket solution that applies to every situation.”
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.