While some of the scariest IoT hacks envisioned – those involving hijacked medical devices such as pacemakers and insulin pumps – have yet to surface in the real world, those in the medical and IT security fields are not letting down their guard. They’ve seen enough ransomware and other attacks on healthcare outfits of late to know they are major cyberattack targets.
The reality is that more medical devices are becoming connected ones, and that’s increasing the security threat surface, said panelists this past week at the Security of Things Forum in Cambridge, Mass.
Dr. Julian Goldman, who is medical director of biomedical engineering at Partners HealthCare and an anesthesiologist at Massachusetts General Hospital, has directed a program on medical device interoperability since 2004. While the goal of that program is to enable better data sharing and safety interlocks, among other things, effective security is a requirement – and you’re not dealing with an homogenous set of devices or even gear that you can run basic network checks on, he says.
One of the troubles with securing medical devices is that managing such gear takes a different mindset from managing traditional IT systems, says Steve Christey Coley, principal information security engineer at MITRE. It’s taken as many as 20 years to figure out how to manage vulnerabilities and do reasonable risk assessments within classic enterprise IT (say via the Common Vulnerability Scoring System), and the processes in managing healthcare systems are relatively immature, he says. Whereas there are plenty of legacy medical devices that can’t even be patched, “in enterprise IT it’s just simply assumed that everything is patchable and upgradeable,” he says.
What’s more, tired-and-true IT approaches to security, such as authentication, can be dicey when you’re talking about medical devices (i.e., locking a person out of their own pacemaker if they fumble for the password at a critical moment), Christey Coley says.
One basic challenge for healthcare facilities is simply inventorying what they have in terms of medical devices, says Dr. Kevin Fu, CEO & co-founder of Virta Labs, which offers a service to help healthcare organizations spot potential infiltrations. "We can say all we want about computer security of connected things, but if we don't know what we have there is no way we will be able to protect it."
And sometimes you almost don't want to know what you have. "How can you find this happy medium [between the IT side and the healthcare side] until we can get out of this place of technical debt and stop running [systems that use] Windows XP or older even," says Audra Hatch, a systems analyst with a regional medical center whose identity wasn't revealed.
Drilling down a level from there, researchers are also looking into inventorying the individual components and software that make up medical devices to figure out if any of those components might be vulnerable, Christey Coley says.
Getting manufacturers of medical equipment to cooperate on the security front has been a frustration of hospitals for years as they try to put together systems of devices for patient care, Goldman says. "Certain key manufacturers have refused, they just did not see a pathway to do that for a number of reasons," he says.
But the federal government's growing attention to this issue, from the Food & Drug Administration holding cybersecurity workshops to the National Science Foundation funding research, is starting to bring about change.
Christey Coley says progress is going more slowly than he'd like to see, but he is also encouraged in seeing healthcare organizations, like Mayo Clinic, putting economic pressure on manufacturers by including language about security requirements in their procurement documents and making this publicly available for their peers to use.
Goldman adds that Partners and others are working on is "a roadmap to help provide guidance to industry on the kinds of things that will support the usability or acceptability of IoT technologies in hospitals. So we're looking at the entire risk management aspects from the information technology, biomedical engineering and clinical aspects."
Goldman says more will be revealed about this effort in coming months, and that can't hurt in possibly getting more C-suite executives at hospitals and manufacturers to begin paying attention to an issue that's only going to get more serious. It also can't hurt in terms of spurring innovation -- something that's stymied when hospitals hold off on buying new medical devices for fear of security vulnerabilities.
"The real risk here is yes, we have to deal with the mess that exists today," Goldman says, "but the problem is that it's inhibiting innovation, and we sorely need innovation to improve the quality of healthcare and reduce the cost of healthcare."