Rising Vulnerabilities of Medical Devices

Developing a Plan to Protect Medical Devices

By Clyde Hewitt, Executive Advisor, CynergisTek
Twitter: @cynergistek

It is safe to assume that most hospitals still struggle to find ways to address their medical device cybersecurity risks. The primary challenge is not technical; it is the organizational inertia that keeps getting in the way. At the same time, the pace of these risks increases as hackers find new ways to exploit the litany of vulnerabilities, so the gap between risk and control continues to grow.

In order to get in front of the issue, we need to first explore the factors increasing the cybersecurity risks. To start, the percentage of new medical equipment that is ‘Internet aware’ is rising substantially. A decade ago, clinical engineering departments concentrated most of their efforts on standalone equipment, and patient safety issues remained the primary focus. Vulnerabilities in the devices’ operating systems drew little concern and were not considered a high risk factor. Today’s medical devices proliferate on a healthcare organization’s network, with connectivity to the local area network and to the cloud. Additionally, the complexity and interconnectivity of patient wearable devices mean that a cybersecurity failure can adversely impact not only the ability to accurately monitor patients’ vitals, but also the ability to administer the correct treatments.

Device manufacturers have reported 400% more vulnerabilities per quarter since the FDA released its Postmarket Management of Cybersecurity in Medical Devices guidance in December 2016. Criminals also took notice, and 67% of device manufacturers now believe their systems will be attacked in the next 12 months. Many medical devices still run older, out-of-date operating systems such as Windows 7; however, even new devices sold on today’s market are vulnerable the moment they are “out of the box.” To help remedy this, providers should implement compensating controls such as network micro-segmentation, which limits remote access to these systems to the specific hosts and ports each device actually needs, since the devices generally cannot be protected with endpoint protection such as anti-virus products.

The same 2016 FDA guidance stated that providers share responsibility with manufacturers for securing their medical devices. Since only 17% of manufacturers are taking significant steps to prevent attacks, providers carry the highest risks, as well as the full burden of liability in the event of a medical device security incident.

Developing a support strategy
Information technology (IT) departments can generally stay ahead of life cycle management problems by implementing short technology refresh cycles, generally 3-4 years for laptops and 5 years or less for servers and network components. Clinical engineering departments are hampered by high acquisition costs and long system life cycles that are expected to exceed 15 years; hence the disconnect. This means that clinical engineering departments need to adopt common elements of an IT support strategy to stay ahead of the risks. These elements include better inventory management, formal patch management processes, and an understanding of each device’s security risks gained by requiring and using the Manufacturer Disclosure Statement for Medical Device Security (MDS2) documents. These forms provide a means for medical device manufacturers to share information and updates about the security-related features of their devices, such as whether the operating system can be patched and what network connectivity the device requires.

The clinical engineering staff should also leverage IT networking tools to segment the medical devices in order to tightly limit access to only known systems. IT will find this effort labor intensive if the provider does not have access to some of the more modern network discovery tools specifically designed to work with medical devices, which identify devices by observing their traffic rather than probing them. Using typical vulnerability scanners with brute-force scanning methods is discouraged, as they can crash medical devices and cause catastrophic results, especially if those devices are connected to patients at the time.
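As an added example of what the compensating controls above (micro-segmentation and allowlisting to known systems) amount to in practice, the following Python script is not from the article or from CynergisTek. It models a small, constructed medical device inventory in which each device's allowed peers are taken from its MDS2-style vendor documentation, builds a default-deny allowlist in nftables syntax from it, checks proposed flows against that policy, and audits passively observed flows for gaps before the policy is enforced, so that no active scanning of the devices is needed. All device names, addresses, VLANs and ports are hypothetical.

```python
"""Allowlist-based segmentation policy for networked medical devices.

Added example, not the article's or CynergisTek's code. The inventory below
is constructed; the peers, protocols and ports are the kind of data a clinical
engineering department would pull from each device's MDS2 documentation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# (peer host or network in CIDR notation, protocol, destination port)
Peer = Tuple[str, str, int]


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass
class Device:
    name: str
    ip: str
    vlan: str
    inbound: List[Peer] = field(default_factory=list)   # peers allowed to connect TO the device on dport
    outbound: List[Peer] = field(default_factory=list)  # peer:dport the device itself may connect to


# Constructed inventory (hypothetical devices, addresses and ports).
INVENTORY = [
    Device("infusion-pump-07", "10.40.1.17", "vlan40-clinical",
           inbound=[("10.20.0.10/32", "tcp", 443)],          # drug-library server pushes updates
           outbound=[("10.20.0.10/32", "tcp", 443),          # pump fetches drug library
                     ("10.20.0.5/32", "udp", 123)]),         # NTP
    Device("patient-monitor-03", "10.40.1.33", "vlan40-clinical",
           inbound=[("10.20.0.20/32", "tcp", 2575)],         # HL7 gateway (MLLP) queries
           outbound=[("10.20.0.20/32", "tcp", 2575)]),       # monitor sends vitals to HL7 gateway
]


def _match(peer: Peer, proto: str, addr: str, port: int) -> bool:
    net, p, dport = peer
    return p == proto and dport == port and ip_address(addr) in ip_network(net, strict=False)


def flow_allowed(flow: Flow, inventory: List[Device] = INVENTORY) -> bool:
    """Default deny: a flow passes only if an inventoried device explicitly permits it.
    Device-to-device traffic on the clinical VLAN is denied unless listed, which
    blocks lateral movement between devices that have no reason to talk."""
    for dev in inventory:
        if flow.dst == dev.ip and any(_match(p, flow.proto, flow.src, flow.dport) for p in dev.inbound):
            return True
        if flow.src == dev.ip and any(_match(p, flow.proto, flow.dst, flow.dport) for p in dev.outbound):
            return True
    return False


def nft_rules(inventory: List[Device] = INVENTORY) -> str:
    """Render the inventory as an nftables forward chain with policy drop, so the
    allowlist lives in one reviewable artifact derived from the inventory."""
    lines = [
        "table inet meddev {",
        "  chain clinical_fwd {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for dev in inventory:
        for net, proto, port in dev.inbound:
            lines.append(f'    ip saddr {net} ip daddr {dev.ip} {proto} dport {port} accept comment "{dev.name} inbound"')
        for net, proto, port in dev.outbound:
            lines.append(f'    ip saddr {dev.ip} ip daddr {net} {proto} dport {port} accept comment "{dev.name} outbound"')
    lines += ['    log prefix "meddev-drop " drop', "  }", "}"]
    return "\n".join(lines)


def unexpected_flows(observed: List[Flow], inventory: List[Device] = INVENTORY) -> List[Flow]:
    """Passive audit: flows seen on the wire (span port, NetFlow) that the policy does
    not cover. Run this in monitor mode before enforcing, so legitimate vendor traffic
    missing from the MDS2 data is found without actively probing the devices."""
    return [f for f in observed if not flow_allowed(f, inventory)]


# Constructed sample of flows as a passive collector might report them.
OBSERVED = [
    Flow("tcp", "10.20.0.10", "10.40.1.17", 443),    # drug-library push: allowed
    Flow("tcp", "10.40.1.33", "10.20.0.20", 2575),   # vitals to HL7 gateway: allowed
    Flow("tcp", "10.40.1.17", "10.40.1.33", 2575),   # pump -> monitor: lateral, not allowed
    Flow("tcp", "10.50.0.99", "10.40.1.17", 3389),   # workstation RDP to pump: not allowed
]

if __name__ == "__main__":
    print(nft_rules())
    for f in unexpected_flows(OBSERVED):
        print("not in policy:", f)
```

The audit step is the labor-saving piece: the list of uncovered flows is what clinical engineering takes back to the vendor or the MDS2 form to decide whether a peer is legitimate, and only when that list is empty does the generated chain move from monitoring to enforcement.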

A recent KLAS survey found that 18% of all hospitals had reported a malware attack on their medical devices within the past 18 months. This is a wake-up call for the senior executive team to ensure the clinical engineering department is working closely with IT. These changes to medical device management will take additional resources, but the consequences of not making them can not only disrupt patient care but also potentially harm patients, so all preventative steps must be taken.