In the world of medical device security, success comes down to having the capability to fail gracefully.
This is not as oxymoronic as it might seem, Kevin Fu told an audience at the Security of Things Forum in Cambridge, Mass., on Thursday. What is more important than bulletproof security, he said, is the ability to contain or “localize” breaches or infections so they don’t disrupt the continuity of operations.
Fu, CEO and cofounder of Virta Laboratories, whose opening keynote was titled “Your Fly is Down: Managing Medical Device Security Risk,” was just one of multiple experts who said the security of those devices could be drastically improved just by practicing basic security hygiene.
But even without that, the reality in the medical field is different from that of most other sectors of the Internet of Things (IoT): The risks of vulnerabilities in connected medical devices are frequently outweighed by the benefits offered to patients by those devices.
Just one example, he said, is pacemakers, which used to require the use of a needle to adjust or maintain them. “That created an infection risk, which in some cases was fatal,” he said, “so there are great benefits to wireless devices because they increase the sterile field.”
In general, he said, “patients prescribed an implant are far safer with those devices than without, even though we have found major security problems with them.”
This, he said, is not to imply that improving security is unimportant. He said a major risk to health care organizations, one that has exploded in the past year, is ransomware, which in general is aimed not at specific devices but at the entire operation.
“That can result in shutting down operations, and disrupting the clinical workflow,” he said.
But when it comes to individual medical devices, he and others said the majority of flaws fall into the “low-hanging fruit” category – they could be addressed with the digital version of zipping up your fly.
Part of the problem, which has been widely reported, is that the industry is still early in the transition to connected devices. Many are legacy systems or devices, designed without any expectation that they would be connected, and therefore without any security built in.
Dr. Julian Goldman, a physician at Massachusetts General Hospital, made that point during a panel discussion titled “Securing Connected Health Devices and Networks,” which followed Fu’s keynote.
He said a major obstacle to security is “the age of the equipment – a lot of it is 10 or 15 years old. The developers may have left the company. Those aren’t excuses, they’re just the facts. It’s very complex.”
Fu, who was also on the panel, agreed. “Of course everything is hackable,” he said, “so the key is how do you fail gracefully? How can you localize the problem so it doesn’t interrupt the continuity of operations?”
Security risks come from multiple directions, he said. They include:
- Vendors using infected USB drives.
- Vendors repairing infected machines.
- Vulnerabilities on the product assembly line.
- Software updates.
- Outdated operating systems.
Fu gave the example of a pharmaceutical compounder running Windows XP, which Microsoft no longer supports with security updates.
“When it was brought in for repair, the malware on it spread to others in the shop,” he said. “It was like Typhoid Mary.”
The risks of porous security can have serious medical consequences, he said, noting that if medical sensors have been compromised, then they become unreliable for medical staff to use to make a proper diagnosis.
He said it is crucial for designers and developers to start “building security in from the get go, because it is very difficult to bolt on after the fact.”
But, he said, it is even more crucial not to sow panic among patients. “They are making risk choices,” he said. “In the medical world, it is not always true that it is best to eliminate the security problem, because it may introduce new risks that would harm the patient more.”
A more rigorous authentication protocol for a pacemaker would improve security, he said, “but if the patient is unconscious or can’t remember the password, the safety problem outweighs the security risk.”
That was the message from the panel as well. “Authentication, blindly applied, doesn’t work,” said Steve Christy Coley, principal information security engineer at Mitre.
As Fu emphasized, however, there are ways to improve before a new generation of devices with better security becomes part of the infrastructure.
“One thing is just to have a better inventory,” he said. “A large number of hospitals don’t even know what devices they have, what software they’re using. If we don’t know what we have, we can’t secure or manage risk.”
Audra Hatch, systems analyst at a regional New England medical center, said things would improve with better communication among different stakeholders and departments. “We’re very siloed,” she said. “There is finance, clinicians, administration. Do these groups talk? Are we all on the same page? Do the people doing acquisition understand the clinicians?”
Goldman said he is encouraged by more involvement in medical device security by the federal Food and Drug Administration, which has issued security guidance aimed at manufacturers. “The FDA is now deeply engaged,” he said.
Christy Coley said he sees progress, “but it is slower than any of us would prefer.”
Hatch agreed. “I’m an optimist,” she said, “but an impatient optimist.”