Regulators and healthcare providers are developing tools and standards to assess medical devices and their digital defenses, as medtech cybersecurity takes some giant steps from the theoretical to the practical.
As early as next month, the Medical Device Innovation, Safety & Security Consortium plans to launch 2 pivotal pilot programs. The 1st includes a series of security standards, developed in collaboration with medical device manufacturers, that a handful of large companies plan to begin using in development of next-generation devices.
The 2nd is a software service, initially available to a select group of healthcare groups, that will allow hospitals to compare varying levels of cyber-defenses in medical devices and see how lower or higher levels of built-in security will impact overall IT costs.
Everything is hackable
MDISS is a close-mouthed organization, releasing few public statements and almost never commenting on the headline-grabbing medical device hacks that have put healthcare security in the spotlight in recent years. But behind closed doors, MDISS has been very active.
The group’s default position is that all medical devices, like pretty much all Internet-connected technologies, are hackable and inherently vulnerable. The insulin pump and pacemaker hacks that have been so popular at high-profile security conferences like Black Hat and Def Con in Las Vegas aren’t big news to MDISS executive director Dale Nordenberg.
"Many of our leading experts believe that you can hack basically every medical device out there," he told MassDevice.com. "So the question is, what is the significance of a given hack?"
“We should assume that every medical device is hackable, we should assume that medical devices are vulnerable to malware, so what we really need to do is really rapidly figure out how to design more secure medical devices.” – Dr. Dale Nordenberg
"The fact that hospital enterprises have infections or malware issues and that medical devices may be infected with malware and that they would have impacts really should not be a surprise to anybody," he added. "We should assume that every medical device is hackable, we should assume that medical devices are vulnerable to malware, so what we really need to do is really rapidly figure out how to design more secure medical devices."
The highly publicized single-device hacks (such as Jay Radcliffe’s insulin pump hack, Barnaby Jack’s pacemaker hack or Billy Rios’ and Terry McCorkle’s hospital management system hack and password vulnerability report) may draw more attention to the issue, but they also put manufacturers in an awkward and sometimes defensive position.
"You’ve not seen MDISS publicize anything sensational, because what we want to do is do the quiet, strong work of bringing people together without putting anyone in an uncomfortable position that might drive them away from the table," Nordenberg said.
If you build it, they will pay
The 1st thing that anyone will tell you when you ask about medical device cybersecurity is that there have been no real-world reports of a hacker harming anyone via a medical device. All hacks have occurred in laboratory settings by so-called "white hat" or ethical hackers, researchers with an interest in digital security who have then brought their findings to the public.
That’s small consolation to hospitals and other healthcare providers who are only growing increasingly concerned about their technologies and their overall networks as more and more medical devices make the leap to Internet-connectivity. Hospitals want security now, and they’re ready to pay for it, Nordenberg said, and manufacturers are starting to understand that.
"Healthcare systems will pay for security," Nordenberg said. "That’s been a major change in the last, maybe, 18 months where we’ve been able to demonstrate across our stakeholder community that the healthcare enterprises are concerned enough and committed enough on the issue of security… that they’ve started to factor in security capabilities of medical devices when they’re actually going through a procurement cycle."
MDISS itself was founded about 3 years ago by healthcare systems who were even then looking for ways to forge partnerships that would result in more security medical technologies. Since those devices rest on hospital networks, vulnerabilities there may mean risks to the hospital as a whole. With more personal medical devices such as pacemakers and insulin pumps becoming wifi-capable, the risk carries over the patients as well.
Voting with their dollars
MDISS plans early in September to release its medical device cybersecurity comparison tool, a software service that will guide users through a series of questions that will help them not only assess a given device’s defenses but also provide some insight into what it will cost to further secure a device with insufficient security.
"That is influencing or will influence their buying decisions because they can really understand the true cost of ownership," Nordenberg told us. "If a medical device has no security capabilities built into it, the healthcare system may have to spend more money down the line to compensate and secure the device, whereas if the device comes with an already hardened architecture and specifications, they might pay a little more up-front but they may end up in the long-run spending a lot less."
For groups like MDISS, the issue of cybersecurity is not just about technological advancement but about public health. Under that frame, the need for collaboration and swift action becomes obvious.
“If a medical device has no security capabilities built into it, the healthcare system may have to spend more money down the line to compensate and secure the device.”
"We look at this as a problem that has broad exposure, that has the potential for serious adverse health impact," Nordenberg said. "We can work together in a non-threatening, if you will, highly collaborative environment to hopefully rapidly mitigate the risk factors and improve the public’s health."
For hospitals, that means ensuring that the software-driven, Internet-connected devices they place on their networks, and sometimes inside their patients, are able to defend themselves against attack, whether targeted or blind barrages from the digital world.
The evaluation tools that MDISS plans to release will help bring transparency to medical device security, but it has another purpose as well: To help hospitals communicate what they’re looking for.
Building standards from within
While hospitals are getting new tools to better understand existing cybersecurity abilities, medical device manufacturers are building their own set of standards to help guide they way they approach security in development of new technologies. In a few weeks MDISS will launch another pilot program to test the 1st iteration of a set of medical device cybersecurity standards for use by industry, a set of guidelines developed in collaboration with major manufacturers, which Nordenberg was not at liberty to name.
MDISS is adapting a set of security best practices, initially developed for industrial control systems, to help medical device makers decide where to invest their efforts in building security. The program will begin implementation in a small group of manufacturers, but MDISS hopes that the standards will eventually be adopted the the industry at large.
The guidelines were developed in short order and were designed to be flexible based on continual feedback from healthcare providers and medical device manufacturers.
"Because we’re taking a public health approach and recognize the urgency of this problem, what we want to do is develop a methodology that allows us to develop and test and iteratively improve a set of tools in a shorter time-frame than might normally be experienced," Nordenberg said. "We will work to have our requirements reviewed and ultimately, hopefully, processed by a [standards developing organization] and incorporated into standards, but that could be years down the line. What we’re trying to do is put something into the market, through the market, to be used by the market, so that when it is ultimately incorporated as standards it’s been vetted thoroughly."
Such standards often take 4-to-6 years to develop, he added, but the urgency of the security issue spurred MDISS to take more immediate action to get the ball rolling on industry security standards.
The spirit of collaboration
Although driven initially by large healthcare groups like Kaiser, MDISS has engaged collaborators from security companies, FDA and HHS, medical device manufacturing, anti-malware, universities and more, and interest has ramped up significantly in recent years.
"Today, versus 3 years ago, there is fortunately much more openness around acknowledging the problem of medical device security and associated vulnerabilities," Nordenberg said. "There’s more openness to collaborating on coming up with solutions so that companies don’t compete on security and safety, but they’re working with us collaboratively on security and security-associated solutions."
The Veterans Administration, which co-founded MDISS, has also played a large role in moving the conversation forward with lawmakers.
“There’s more openness to collaborating on coming up with solutions so that companies don’t compete on security and safety, but they’re working with us collaboratively on security and security-associated solutions.”
"Perhaps the most important group nationally around the issue of medical device security and safety is the VA," Nordenberg told us. "I just can’t emphasize enough the difference they’re going to make in terms of the lives of people in this country."
The VA has gotten some attention for its healthcare security, partly because it’s required to demonstrate that it maintains a certain level of cybersecurity at its hospitals and partly because it’s liable to Congress when something goes wrong. The VA has been long at the forefront of network security, and Nordenberg called the agency "one of the most forward-thinking, the most innovative and the most proactive enterprises in this country regarding medical devices and security and safety."
Nordenberg wasn’t free to name the "major" medical device manufacturers that are aligned with MDISS, but the group has appeared in presentations alongside such companies as GE Healthcare (NYSE:GE), Intel and Partners Healthcare Systems. MDISS membership also includes Codenomicon, the security company recently solicited by the FDA to help build its new “cybersecurity laboratory,” complete with penetration-testing tools that can test whether medical devices can stand up to common hacking techniques.