At a recent seminar held by the Mass. Medical Device Industry Council (MassMEDIC), medical device executives, regulators and security experts discussed which systems and devices were most vulnerable to malicious hacking and what could be done to stop it.
MassMEDIC President Thomas Sommer said his group decided to hold the seminar in response to reports that hacking is on the rise, particularly the theft of patient data.
“It’s something that small and mid-sized companies are now focusing on. The larger companies have had robust plans in place for some time,” Sommer told MassDevice.com. “The medical device industry is now joining other tech-based industries in developing security plans for their devices.”
Know your hacker
How broad or extreme the risk is to patients is debatable. While a hacker could conceivably hack into a patient’s medical device and demand ransom for not harming them, such a scenario is unlikely, according to the experts at the seminar.
The bigger threat is the theft of patient data. According to the panelists, medical data is now far more valuable on the black market than credit card data. Scam artists are able to monetize the data by filing false insurance claims or placing fake orders for drugs such as painkillers.
Another real threat is hackers using medical devices to place “ransomware” on hospital networks. The malicious programs allows hackers to encrypt patient data, essentially holding it hostage until a ransom is paid for renewed access.
By and large, the incentive for hacking into healthcare systems is money, rather than inflicting harm on patients.
“Generally, the incentive is selling personal data,” said Stephanie Preston, a cybersecurity expert for Battelle, told us after the event.
But not all hackers are in it for the cash.
“The other main motivators that you have to keep your eye out for are ‘insider’ and ‘hacktivist’ threats. Those are the people who have a chip on their shoulder,” said Preston. “An insider threat would be someone who has special access to your systems, whether they be a contractor or an employee. … Their motivation may be more about defaming the company they’re working for.”
According to Preston, there are 4 types of hackers: Mercenaries, who are basically in it for the money; “hacktivists,” who are seeking retribution against a company or organization; state-sponsored hackers; and “insiders,” who want to disrupt an organization’s systems for personal reasons.
Of the 4 classes of hackers, mercenaries are the most credible threat to the medtech industry, said Preston.
“Your security strategy should be focused on how to lock down patient data,” she said.
In general, industry experts agree that medical device developers need to integrate cybersecurity into the product design process. Device makers also need to be more proactive in addressing reported flaws and issuing security patches in a timely manner. Risk testing is also critical.
“Hands down, the best approach that manufacturers can incorporate is testing,” said Preston. “Have that be an integral part of your design. … Do ‘white box’ testing, do code scanning that is specifically looking for these known vulnerabilities.”
What’s most vulnerable?
Mobile devices and legacy systems are the most vulnerable to hacking, according to experts.
Of particular concern are devices that operate on Windows XP, an older operating system still widely in use. Microsoft stopped providing security patches and technical support for the product in April 2014, making it particularly vulnerable to hackers.
Devices running older versions of Java can also be vulnerable, especially if they have not been properly updated. Adding to the problem is that some software makers don’t issue security patches for older versions of products, said Preston.
The industry needs to start, however, by taking inventory of what’s already out in the field.
“The industry first needs to assess the state of what’s out there and … assess the current state of security of those devices,” Preston said, noting that device makers generally have copies of all the firmware they’ve released over the years. That code needs to be reviewed to determine if there are any potential security flaws that need patching.
Operating manuals are another potential area of weakness. Some older manuals, for example, contain administrative passwords and other network credentials. To make matters worse, many of these manuals can be easily found online.
Meanwhile, the FDA has been actively issuing new cybersecurity guidance for the industry.
In October 2014, the agency issued pre-market submission guidance advising companies to pay closer attention to cybersecurity issues during the development and design phases of their products. Areas of concern included malware, password protection, the timely issuance of software patches and updates, and potential security flaws in off-the-shelf software. The agency also asked companies to submit cybersecurity risk assessment for their products as part of their premarket application process. Companies should also detail how they plan to provide validated software updates during the lifecycle of the product.
“Security isn’t just a design issue, it’s a lifecycle issue,” Dr. Suzanne Schwartz, the FDA’s director of emergency preparedness/operations, told listeners.
The agency is now working on guidance for post-market surveillance. “It’s devices out there in the field that create the greatest challenges,” Schwartz said.
To help streamline the process, most software modifications made solely for cybersecurity purposes will not have to be reviewed by the agency before implementation. Reviews would only be required when the modifications affect product safety and effectiveness.
In an interview with MassDevice.com, Schwartz said a major challenge for the industry will be evaluating systems already in the field.
“From a technical perspective, surely the legacy devices that are fielded are a very significant challenge,” she said. “This is a very complex space. Devices are often significant capital equipment investments within hospitals and so those devices will remain in place within a facility for way longer than other types of computers and systems. You can’t just take them offline and you can’t replace them easily. And that presents a real challenge.”