Cybersecurity Threats Continue to Find Vulnerabilities in Healthcare
By Ian Ségal
30 May 2019
Over the past several years, we have witnessed an accelerated evolution of medical devices that have been heralded by advancements in materials science, sophisticated analytic modeling, and a global web of device communications flourishing across the Internet. As medical device technology continues to develop on the cutting-edge of progress, it is most probable that we are likely to see these devices further innovated into servicing expanding areas within healthcare. For example, smartphones and similar mobile devices are increasingly used as a patient-to-device interface between the phone’s local processing power to transmit data back to hospitals and healthcare practitioners. This effort has provided doctors with the information they need to diagnose and deliver remedies quickly and efficiently while reducing and eliminating health concerns for patients. But with the frontier of technology ever-expanding within the realm of health and life sciences, we must remain vigilant of the growing and tangible threat to sabotage medical devices at the expense of patients’ lives.
The security danger to medical devices in healthcare organizations is no secret. With the augmentation of networking these apparatuses into a more extensive web of health-related services for patients, their risk exposure points have been amplified. In a recent study conducted by the College of Healthcare Information Management Executives (CHIME), it has been reported that 18 percent of healthcare organizations were impacted by malware or ransomware going back to December 2017 (Wagenen, 2018). Although the investigation noted that only a few instances did result in compromised health information, the threats did present themselves as having an acute risk of disrupting patient care continuity—thus impacting lives. In a statement offered by Russell Branzell, CEO of CHIME, he stated, “Unsecured and poorly secured medical devices put patients at risk of great harm if those devices are hacked” (Wagenen, 2018). While hospitals and healthcare organizations continue to interconnect devices to facilitate the fluidity and speed of patient care and information, the cybersecurity risk has dramatically increased its exposure in recent years.
What’s more interesting is that reports such as the one spearheaded by CHIME have also triggered the “blame game” of where the responsibility of securing devices needs to live. Most healthcare organizations and providers point to the manufacturer of medical devices. But almost three-quarters of those polled stated that their resources were deficient and too burdened to secure these devices thoroughly. Adam Gale, president of KLAS Research—the firm that assisted CHIME in this study—stated that “Safeguarding medical devices requires a joint effort from both provider organizations and device manufacturers” (Wagenen, 2018). Although we are beginning to see some medical device producers becoming more proactive and accountable, it remains evident that they cannot exist alone in the fight against cybersecurity attacks. With government involvement increasing, the FDA has delivered language and enacted policies for affecting necessary change within cybersecurity disciplines as applied to medical devices.
On the U.S. Food & Drug Administration website, within the section focused on cybersecurity, FDA provides comprehensive information surrounding their position and policies regarding medical device security. If reasonable assurances for protection are in place and benefits significantly outweigh risks, FDA is copacetic with medical devices being marketed to healthcare providers. But there remains the concern regarding the increased exposure to security threats as the business model continues to network these devices across the Internet, hospital networks, and the interconnection between apparatuses for treating patients. With this continued drive from both the commercial supply and demand from healthcare, vigilance is no longer enough to address medical device vulnerability.
FDA prescribes several best practices that medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) need to adopt to ensure proper defenses to preclude attacks and mitigate risks. MDMs must be responsible for maintaining acuity in the identification of cybersecurity-related dangers and threats; HDOs must assess their network security infrastructures and safeguard all hospital systems; both MDMs and HDOs are obligated to implement measures to reduce and preclude patient safety dangers while guaranteeing optimal medical device performance (FDA, 2018). The FDA offers a downloadable fact sheet document that further details these principles regarding the U.S. Food & Drug Administration’s role and how it pertains to medical device security. To further educate the health and life sciences community of providers, manufacturers, and consumers (patients), the FDA offers clear illustrations on their website to dismiss allegory, which has been overwhelmingly embraced as a doctrine. To add additional value to their oversight, FDA recently released a manuscript to provide practical guidance for healthcare organizations to secure their medical devices.
On October 1, 2018, the U.S. Food & Drug Association, in collaboration with MITRE Corporation, unveiled a medical device security playbook intended to enable healthcare organizations to proactively plan for and respond to cybersecurity occurrences involving medical devices (Donovan, 2018). This playbook allows for both effective operational cadence for an HDO as well as protections ensuring patient privacy. As a result of this effort, healthcare organizations have the direction needed to design and build a holistic cybersecurity preparedness and response framework. Including areas of managing asset inventory, creating a baseline of device cybersecurity information, and overseeing training exercises, the manual has given healthcare organizations the capacity to be operationally exhaustive in approaching medical device cybersecurity. Additionally, the Office of Inspector General (OIG), a U.S. Department of Health and Human Services division, has officially advocated their support of FDA process changes to improve medical device security.
In addition to authoring the medical device security playbook, FDA has also signed two memoranda of understanding, which has established the framework of creating information sharing analysis organizations—also known as ISAOs. These groups are subject matter experts who gather, analyze, and distribute information on cyber threat intelligence. FDA is also working in collaboration with the U.S. Department of Homeland Security to enhance further medical device security, including, but not limited to, joint cybersecurity and tabletop exercises to simulate a myriad of situations involving acute threats to medical device security in healthcare organizations. FDA Commissioner, Mike Gottlieb, remains committed to spearheading the effort to thwart these looming dangers spawned by cybercriminals, and similar Internet rogues, who never rest in unlocking cybersecurity vulnerabilities that put patient lives in danger (Donovan, 2018).
And still, with collaborative efforts, vigilance, awareness, and continuous education, medical device vulnerabilities continue to be besieged by malefactors across the world—some more sophisticated than others. Over the years, mounting evidence has demonstrated that medical devices inherently pose more significant security risk potential with their widening interconnection across organization infrastructures. Every day we witness the influx of inescapable cyber threats that continues to burrow their way into unsuspecting machines designed to save patient lives. But while there remains an alarming increase in the number of issues impacting medical device security, there are also steps that healthcare organizations can adopt to harden their defenses, which ultimately ensure the safety of patients’ lives.
Building a cybersecurity strategy, along with preventative and responsive tactical planning, is rudimentary in buttressing fortifications for all organizations sparring on the vanguard of cyber incursions. And as we continue to layer our security defenses with more formidable architecture and next-generation technology to counter these cyberattacks, we cannot rest assured that it’s ever enough. Unfortunately, many organizations rely solely on reactionary planning rather than a holistic approach that prioritizes proactive initiatives for facilitating cybersecurity across infrastructures. In such cases, while these firms are quiescent, walls will be breached, data will be compromised, and an entire organization will face ransom. And while cyberattacks continue to spawn across the global expanse, they remain fueled by the greed of unflagging rogues who never rest—and neither can you.
References
FDA. (2018, October 17). Cybersecurity. Retrieved May 15, 2019, from http://www.fda.gov/medical-devices/digital-health/cybersecurity.
Donovan, F. (2018, October 3). FDA Unveils MITRE's Medical Device Security Playbook. Retrieved May 15, 2019, from http://www.healthitsecurity.com/news/fda-unveils-mitres-medical-device-security-playbook.
Wagenen, J. V. (2019, May 1). Medical Device Vulnerabilities Continue to Plague the Industry. Retrieved May 15, 2019, from http://www.healthtechmagazine.net/article/2018/12/ medical-device-vulnerabilities-continue-plague-industry.
Comments