Sense of Urgency Needed in Combating Sizable Device-Related Cyberthreats
Posted June 10, 2019
Data- and software-based medical devices tend to be more vulnerable and considerably more difficult to secure than typical information technology (IT) equipment. Healthcare technology management (HTM) and IT professionals working in healthcare facilities face considerable challenges, explained presenters during a session on Monday at the AAMI Exchange in Cleveland, OH.
Nonetheless, HTM professionals have a variety of resources that they can arm themselves with in the cyber-warfare battle, said Stephen Grimes, managing partner and principal consultant for Strategic Healthcare Technology Associates, LLC, and Axel Wirth, distinguished technical architect for Symantec Corp.
Among industries, healthcare is the least prepared in terms of cybersecurity, said Grimes. To emphasize this point, he cited a 2018 Ponemon survey indicating that only 43% of healthcare organizations have a chief information security officer.
According to Grimes, medical devices represent a particular cybersecurity sore spot for healthcare because they are the least known, least protected, and most vulnerable assets—and they also present the most potential for harm.
To demonstrate the "least known" aspect, he said that despite medical devices outnumbering IT devices by five to one in most U.S. hospitals, they often are overlooked or at least inadequately considered by security professionals. According to the above-mentioned Ponemon survey, 65% of healthcare organizations said their cybersecurity strategy does not include—or they are unsure whether it includes—medical devices.
"Medical devices generally cannot be safely patched with OS [operating system] updates or have virus software applied until patches have been specifically tested and approved by the device manufacturer," said Grimes, highlighting the "least protected" aspect.
This lack of protection was explored in detail during a Sunday session at the AAMI Exchange. During that presentation, Wirth and David Clapp, security solutions systems engineer at Symantec Corp., focused on how the lack of available patches for legacy devices makes them particularly attractive targets for attackers, who will scan specifically for unsupported or unpatched devices.
Wirth and Clapp conducted an electronic poll of attendees, asking them, "Do you have medical devices running Microsoft Windows XP or older in your environment?" All (100%) of the participants indicated "yes." The presenters also asked, "Do you feel confident that older medical devices in your environment are being adequately protected?" to which approximately 84% of attendees said "no."
On Monday, Grimes explored medical devices with the greatest potential for harm. Failures related to, for example, imaging equipment, laboratory analyzers, physiologic monitors, and medication dispensers can lead to misdiagnosis/mistreatment, resulting in serious injuries to patients or death. In addition, he said that an estimated 5% of devices can lead directly to serious injury or patient death, with device examples including cardiac bypass machines, external pacemakers, infusion pumps, and ventilators.
Grimes and Wirth provided an overview of best practice guidelines and tools available to help healthcare delivery organizations identify and mitigate medical device security risks. Several example resources are listed below. AAMI members can access the full set of resources detailed in the presentation via their AAMI University account.
- Medical Device Cybersecurity: A Guide for HTM Professionals
- Securing Wireless Infusion Pumps in Healthcare Delivery Organizations
- Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook
- OWASP: Open Web Application Security Project
- IEC 80001 Series: Application of Risk Management for IT-Networks Incorporating Medical Devices
- Manufacturer Disclosure Statement for Medical Devices Security (MDS2)
- The FDA's Role in Medical Device Cybersecurity: Dispelling Myths and Understanding Facts
- AAMI TIR57:2016: Principles for medical device security—Risk management
Developing and prioritizing a cybersecurity plan is "a big job, but you have to start somewhere," said Grimes. "Start collecting these data now."
An effective cybersecurity plan involves risk assessment, mitigation/control, and monitoring, he said. Key elements of the plan include:
- Documenting device/system category, quantity, location(s)
- Knowing the types of security risks (i.e., integrity, availability, and/or confidentiality)
- Determining risk scores, where risk is a function of severity and probability
- Having a mitigation plan
- Prioritizing (based on risk score and ease of mitigating)
- Having a timetable
- Knowing who will be responsible for what
- After initial risk is mitigated, assessing and mitigating residual risk
- Acceptance (of residual risk)
- Adjusting as necessary
Securing the medical device ecosystem is challenging due to a variety of factors, including complexity, latency, dependencies, and economic limitations, explained Grimes. "Although we are making progress, significant challenges remain and we need to continue to press forward and be proactive."
"The sky is probably not falling, but we do need to proceed with a sense of urgency," added Wirth.