A report that highlights the vulnerabilities in medical devices and the risks they pose to patient health issued by Independent Security Evaluators comes at an opportune time as the past month has shown that hospitals are becoming targets for criminals.
Ted Harrington, executive partner at Independent Security Evaluators said, "It’s a scary report in a lot of ways, but our hope is to organize an industry in recognizing these problems. We are trying to make an entire industry start changing, especially one that is very regulated and complex. The conversations need to start happening."
What the report also evidenced is that the health care industry, guided by strict regulations for protecting patient data, "Has focused almost exclusively on protecting patient data and not patient health. The focus is entirely on making sure the patient’s record is protected and not tampered with, but that doesn’t directly correlate to protecting the patient" Harrington said.
These findings are not entirely new according to security expert Billy Rios, who said he's been fighting for stronger security in medical devices for five or six years now. The vulnerabilities in infusion pumps that Rios brought to light last year are but one example.
"The Telmed pump is not even a vulnerability. It's poor design, poor architecture. There is no patch for that. You can’t patch the fact that a pump is running. It requires significant configuration changes," Rios said.
Regulations are not the panacea to the issues of cyber security, and Rios said that he dislikes regulations. At issue, though, is the reality that unless vendors are compelled to do something, they won’t.
Ellen Derrico, senior director of health care and life sciences, RES
Rios said, "They have formal guidance for what they call pre-market solutions. You have to follow these to get clearance to sell your product. They have guidance, but guidance is up to you to follow."
Hospitals are doing all they can to minimize the risks of these devices, but for smaller hospitals, the budgetary limitations are confining. "They don’t have the budget or the staff, and device manufacturers don’t care about those folks," he said.
The general guidance, said Rios, is to put devices on their own networks. The problem is that hospitals have thousands of medical devices. "Having all devices segregated creates a burden for the delivery organizations," Rios said.
Many medical device vendors recommend that hospitals segment the devices, according to Rios, but he said, "That doesn’t mean every hospital is doing that. A small hospital is not doing that. Instead all of the devices are connected. More mature hospitals are the ones that are actually doing the segmentation."
"Hospitals that have money and staff, those guys are segmenting devices as much as they can. Trying to segment as many of these devices becomes unwieldy from an architecture standpoint. No sane person would design their network this way," Rios said.
Israel Levy, CEO, BUFFERZONE, disagreed arguing that today's technology allows for very flexible networks. Levy noted that the banking industry in some countries dictates that all the activities taking place with financials and money must be executed on a network not directly connected to the Internet. Still others execute a strategy of sub networks which allows them to keep the most important components in a separate location.
"Those separate locations create better security. You then regard subnets as insecure and take measures to transfer from the external to a secure network. These technologies are available today. As long as the strategy is to keep all the devices on a separate network, they will also need technology that allows the passing of information," Levy said.
Though none of the medical device vendors contacted were available to comment, security industry experts posed some technology solutions to mitigate the risks to patient health.
Jason K. Marchant, enterprise cybersecurity risk officer at Partners HealthCare System, said, “Most medical devices can be connected to a hospital’s network, either wired or wirelessly, and communicate with the electronic health record (EHR)." Hospitals, in allowing this communication, might inadvertently subvert security controls.
For example, Marchant said, "Ports may be opened in a firewall to allow the medical device system to communicate with the EHR but these ports may also be known to distribute malware.”
To best mitigate these risks, Marchant said, “Devices should be allocated to their own IP space and operate in their own virtual LANs. This can allow for more fine-grained control over the systems that can and cannot communicate with each other. It may also expedite the detection of anomalous activities on the network.”
Though Marchant believes that security is a shared responsibility, he said, "The healthcare industry, especially hospitals without dedicated cybersecurity staff, could benefit from detailed vendor-provided documentation that describes the security controls configured by default in medical device systems and those that have not been configured."
Ellen Derrico, senior director of health care and life sciences from RES said, "In reality, every hospital is a little different about how their landscape works. If the devices are all on the network as we saw from Hollywood Presbyterian, you are going to have vulnerability."
Everyone needs to be educated about the risks with the growing number of network connected devices because, "Anywhere there is a point of entry between a device and a system there is a vulnerability," Derrico said.
At the 2016 HIMSS Connected Health conference, Derrico spoke about the need to have technology in place to encrypt. "Hospitals need to have a white and black list of executable files. They need to elevate privileges so that not everyone can get administrative access, and they need to put in controls very carefully based on roles," Derrico said.
Other ways that security teams can take action to protect the network and patient health, said Derrico, "Have blanketing that protects the network and devices that is read only so that a hacker can’t write something on a device. Lock device ports so that someone can’t get information off of it from a stick."
There is both a technology piece and an education piece because if they are attacked, the whole network can get infected and affect the devices. Does this mean that protecting the network, where patient data lives, will in turn protect the devices?
Chris Doggett, a senior vice president at Carbonite, said that he was not trying to be critical of the ISE survey as it is a comprehensive blue print, but "They missed the mark a little. There are individual or small group actors using un-targeted and unspecific threats to get money. Those can directly impact patient health."
The kinds of threats and malicious actors assumed in the report, Doggett said, "The area of focus and the adversaries they highlighted--organized crime, terrorist, nation states--while those are true in theory, you’d be hard pressed to find real-life examples thus far where patient health was impacted by those threat actors in that manner."
While it’s important to focus on cybersecurity’s impact on patient health, Doggett said, "There are other categories that are more rampant today and they are going to unintentionally target patient health. Rasomware is a higher probability than an organized crime unit or nation state targeting a specific hospital."