Cybersecurity is a fairly new idea for many medical device makers, but the industry can learn from technologies that came before in developing means of protecting devices from malware, viruses and other threats.
Microsoft’s U.K. chief security advisor Stuart Aston took to the company’s blog to address the growing concern, offering steps to consider when developing a security strategy for medical devices, including realigning priorities to bump cybersecurity into the top tier and shelling out for updated software when possible.
Aston called for device makers to consider some basic information security "hygiene," building on lessons learned from similar embedded technologies that have had to navigate the increasingly turbulent and interconnected digital world.
Unlike smartphones, laptops and other consumer technologies, which exist in a "thriving ecosystem of economically priced defensive technologies," medical devices are highly customized, expensive and not designed for frequent security maintenance, Aston said.
"If you found a disease that was rampant inside a medical organization, you would try to understand the method of transmission in order to similarly understand what controls could you institute to prevent that transmission," Aston said. "In many cases, good hygiene will prevent the transmission of the majority of disease. Malware propagates in a very similar way: good basic hygiene prevents the vast majority of malware propagation."
Aston compared the devices to those used in the aerospace or industrial sectors, where embedded devices with long service lifespans are the norm. Since the specialized devices often run on unique, proprietary software systems, off-the-shelf anti-virus programs aren’t likely to be compatible with many medical devices.
"The assumption in the past was that medical devices are largely disconnected from the outside world, whereas we see more and more cases now where malware will find ways, perhaps with the help of an unwitting member of staff, of breaching services even when they are offline," Aston said in the Microsoft blog. "When those devices were procured it often wasn’t envisaged that security updates would be a regular part of day to day maintenance; yet that’s exactly the case. … Neither users nor suppliers appreciated security updates as a factor in the procurement, delivery or management of those devices in the past."
Device makers may not be able to ignore cybersecurity any longer. As more devices communicate wirelessly or through internet connections, they may become intentional or incidental victims of viruses and malware. There have been no reports to date of patient injury as a result of cyber-infection, but hospitals are already dealing with infected machines.
Legislators and government agencies are also calling on the FDA to take a stronger hand in overseeing software protection on medical devices. The Government Accountability Office last month released its audit of the FDA’s cybersecurity oversight for medical devices, acting on a request from a trio of U.S. House members.
The GAO report called for more cybersecurity oversight of medical devices, urging the FDA to take stock of its resources and boost efforts to review medtech software for potential vulnerabilities.
The 1st step to a medical device cybersecurity solution is for device makers to put malware protection "at the top of the technology agenda," according to Microsoft. That’s a step that at least one medtech giant has already taken.
Pure-play medical device maker Medtronic’s (NYSE:MDT) CEO Omar Ishrak told MassDevice.com earlier this month that the company considers medical device cybersecurity a serious issue.
"It’s a high priority for us," Ishrak said. "We need medical devices to be more secure but also internal corporate systems to be more secure."
Last October Medtronic announced that it had hired tech security giant Symantec to investigate cybersecurity in its medical devices.
Hopefully Medtronic won’t have to reinvent the wheel in order to better defend its devices. Taking lessons from PCs and other technologies that have long been communicating on the internet and through wireless networks, device makers can get a head start on building in cybersecurity without having to start from scratch.
Microsoft outlined 5 steps that IT managers should implement in daily practice:
- No device should be without comprehensive malware protection.
- All devices should be regularly patched. Aston says, “Most compromises that we see use an already known – and already patched – attack vector. You can defeat 99.9% of malware with existing patches.”
- Implement clear acceptable use, security and download policies across all staff.
- To minimize the human factor, apply the security benefits of Windows 7 (AppLocker, User Account Control, ASLR, Data Execution Prevention and more…) – see the Enhanced Mitigation Experience Toolkit tool for an easy execution of all these elements.
- Minimize the opportunity for attack by disabling Autorun features, removing unused software and carefully controlling any ‘run-as-administrator’ privileges.
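The list above is a set of policy points rather than commands. As an added example (not code from the article, from Microsoft or from Aston's blog), the following PowerShell script turns the five points into a read-only audit that an IT manager could run on an imaging workstation or other Windows-based device to see where it stands. It assumes Windows PowerShell 3.0 or later running elevated; it reads the documented Autorun and UAC policy values from the registry, the DEP policy from WMI, patch recency from Get-HotFix, registered anti-virus products from the Security Center namespace, and the effective AppLocker rule count (the AppLocker module is only present on Enterprise/Ultimate SKUs, so that check reports null elsewhere). Nothing is changed on the machine.

```powershell
# Added example: read-only hardening audit for the five points in the article.
# Assumes Windows PowerShell 3.0+ in an elevated session; reports state only.

function Test-AutorunDisabled {
    # Policy value NoDriveTypeAutoRun = 0xFF disables Autorun on every drive type.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    return ($val -eq 0xFF)
}

function Test-UacEnabled {
    # EnableLUA = 1 means User Account Control is on (prompts for run-as-administrator).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    return ($val -eq 1)
}

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows default), 3 = OptOut
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    return $names[[int]$os.DataExecutionPrevention_SupportPolicy]
}

function Get-DaysSinceLastPatch {
    # Days since the most recently installed hotfix; a large number means the
    # device is not on a regular patch cycle.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return $null }
    return (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
}

function Get-RegisteredAntivirus {
    # Anti-malware products registered with Windows Security Center (client SKUs).
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    return ($products | ForEach-Object { $_.displayName })
}

function Get-AppLockerRuleCount {
    # Total rules in the effective AppLocker policy; null if AppLocker is unavailable.
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        return ($policy.RuleCollections | ForEach-Object { $_.Count } | Measure-Object -Sum).Sum
    } catch { return $null }
}

function Get-LocalAdmins {
    # Members of the local Administrators group; each entry that is not a named
    # IT account is a 'run-as-administrator' privilege worth reviewing.
    $group = [ADSI]'WinNT://./Administrators,group'
    return $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-HardeningReport {
    [pscustomobject]@{
        MalwareProtection  = ((Get-RegisteredAntivirus) -join ', ')
        DaysSinceLastPatch = Get-DaysSinceLastPatch
        AppLockerRules     = Get-AppLockerRuleCount
        UacEnabled         = Test-UacEnabled
        DepPolicy          = Get-DepPolicy
        AutorunDisabled    = Test-AutorunDisabled
        LocalAdmins        = ((Get-LocalAdmins) -join ', ')
    }
}

Get-HardeningReport | Format-List
```

Run it as a scheduled task and collect the output centrally, and the report doubles as a simple drift check: an AutorunDisabled that flips to False, a DaysSinceLastPatch that keeps climbing, or a new name in LocalAdmins is exactly the kind of change the "hygiene" approach is meant to catch early. The acceptable-use point in the list has no technical check and is deliberately absent here.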
The software giant may be looking to temper some of the criticism from a slate of news articles that have targeted Windows operating systems as part of the problem in medical device software vulnerability.
An attention-getting article published in MIT’s Technology Review noted that variants of Windows software in hospitals have already been hit by malware, calling the popular operating system a "common target for hackers."
Part of the problem, Aston said in the blog, is that some clinics are stuck on outdated versions of Windows that don’t have the same defenses. Windows XP, for example, is still "the workhorse operating system" in many of the U.K. National Health Service Trusts, but the software is more than 10 years old.