How to keep terrifying medical device hacks from becoming reality

Security of Things Forum panel addresses the threat of networked medical device vulnerabilities

While some of the scariest IoT hacks envisioned – those involving hijacked medical devices such as pacemakers and insulin pumps – have yet to surface in the real world, those in the medical and IT security fields are not letting down their guard. They’ve seen enough ransomware and other attacks on healthcare outfits of late to know they are major cyberattack targets.

The reality is that more medical devices are becoming connected ones, and that’s increasing the security threat surface, said panelists this past week at the Security of Things Forum in Cambridge, Mass.


Dr. Julian Goldman, who is medical director of biomedical engineering at Partners HealthCare and an anesthesiologist at Massachusetts General Hospital, has directed a program on medical device interoperability since 2004. While the goal of that program is to enable better data sharing and safety interlocks, among other things, effective security is a requirement, and you are not dealing with a homogeneous set of devices, or even with gear that you can run basic network checks on, he says.

One of the troubles with securing medical devices is that managing such gear takes a different mindset from managing traditional IT systems, says Steve Christey Coley, principal information security engineer at MITRE. It’s taken as many as 20 years to figure out how to manage vulnerabilities and do reasonable risk assessments within classic enterprise IT (say via the Common Vulnerability Scoring System), and the processes in managing healthcare systems are relatively immature, he says. Whereas there are plenty of legacy medical devices that can’t even be patched, “in enterprise IT it’s just simply assumed that everything is patchable and upgradeable,” he says.

What’s more, tried-and-true IT approaches to security, such as authentication, can be dicey when you’re talking about medical devices (for example, locking a person out of their own pacemaker if they fumble for the password at a critical moment), Christey Coley says.

Photo caption (Bob Brown/NetworkWorld): What would George Washington have thought about the Security of Things Forum in Cambridge, Mass.?

One basic challenge for healthcare facilities is simply inventorying what they have in terms of medical devices, says Dr. Kevin Fu, CEO & co-founder of Virta Labs, which offers a service to help healthcare organizations spot potential infiltrations. "We can say all we want about computer security of connected things, but if we don't know what we have there is no way we will be able to protect it."

And sometimes you almost don't want to know what you have. "How can you find this happy medium [between the IT side and the healthcare side] until we can get out of this place of technical debt and stop running [systems that use] Windows XP or older even," says Audra Hatch, a systems analyst with a regional medical center whose name wasn't disclosed.

Drilling down a level from there, researchers are also looking into inventorying the individual components and software that make up medical devices, so that they can figure out whether any of those components might be vulnerable, Christey Coley says.

Getting manufacturers of medical equipment to cooperate on the security front has been a frustration of hospitals for years as they try to put together systems of devices for patient care, Goldman says. "Certain key manufacturers have refused, they just did not see a pathway to do that for a number of reasons," he says.

But the federal government's growing attention to this issue, from the Food & Drug Administration holding cybersecurity workshops to the National Science Foundation funding research, is starting to bring about change.

Christey Coley says progress is going more slowly than he'd like to see, but he is also encouraged to see healthcare organizations, like Mayo Clinic, putting economic pressure on manufacturers by including security requirements in their procurement documents and making that language publicly available for their peers to use.

Goldman adds that Partners and others are working on "a roadmap to help provide guidance to industry on the kinds of things that will support the usability or acceptability of IoT technologies in hospitals. So we're looking at the entire risk management aspects from the information technology, biomedical engineering and clinical aspects."

Goldman says more will be revealed about this effort in coming months, and that can only help in getting more C-suite executives at hospitals and manufacturers to start paying attention to an issue that's only going to get more serious. It can also help spur innovation -- something that's stymied when hospitals hold off on buying new medical devices for fear of security vulnerabilities.

"The real risk here is yes, we have to deal with the mess that exists today," Goldman says, "but the problem is that it's inhibiting innovation, and we sorely need innovation to improve the quality of healthcare and reduce the cost of healthcare."
