Hospitals are growing increasingly interested in medical device digital security, and a pair of cybersecurity experts hope to consolidate those concerns into a groundswell.
Accuvant’s Jamie Gamble and Tim West spoke to an audience of healthcare and security industry stakeholders late last month at the RSA conference in San Francisco. A slew of audience members rushed to the stage following the talk, flush with questions, horror stories and words of encouragement for efforts to demand higher levels of security from network-connected medical devices.
Gamble and West devised a preliminary guide for hospitals navigating the complex issue of network security, and they hope to bring in collaborators to improve the process. The researchers plan to provide their risk-assessment framework free of charge to anyone interested in learning how to approach hospital security.
The goal is to build momentum among hospitals and other medtech buyers in order to bring device makers to the table.
"Hospitals are buyers. Hospitals hold checkbooks. Medical manufacturers want that money," West told MassDevice.com following his presentation. "By leveraging their buying power, by adopting any standard – and we’re just trying to provide the 1st to get the conversation going – they can use that leverage to help these manufacturers consolidate their practices and actually try to influence security at the front of what they’re doing."
Rather than targeting medical device makers or regulators, West believes that hospitals, when working together, hold the power to influence real progress in medtech cybersecurity. Manufacturers, he argues, don’t have enough of a monetary incentive or a clear enough message to drive efforts themselves.
"There is a reason to be pioneers when your customers want it. That is a financially driven, relevant incentive for manufacturers to get engaged and be perceived as highly engaged," West said. "There’s no point in creating a standard as a medical manufacturer if you’re not even sure your customers are going to care about it or that they’re going to agree with what you did."
The FDA isn’t in much of a better position to drive cybersecurity, West warned. The problem requires a depth of insight into hospital practices and challenges that must come from the ground up. Any high-level mandates may take years to hit the shelves, becoming obsolete by the time they’re published and leaving hospitals in a continued state of uncertainty about how to protect their networks.
"They’re not security experts; they’re going to create another checklist," West said of the FDA. "That checklist is not going to get adopted for 5 years, or published. Then it will get updated very infrequently, if at all. It’ll become a checklist that is probably a black box to a lot of people, because the manufacturers will just say that they went through that other FDA process."
The FDA has taken steps to promote medical device security, releasing new guidelines and building a "cybersecurity laboratory," although there’s been little public movement there in recent months. The efforts served to draw some attention to the issue of medtech cybersecurity and set a precedent for FDA oversight, but otherwise seemed to provide little actionable guidance aside from asking device makers to remain "vigilant" about cybersecurity risks and mitigation efforts.
There may be greater efforts on the way. The FDA last year solicited bids from security group Codenomicon Defensics to help build a testing lab where device software could be subject to "fuzz testing," barraging the device with digital probes in search of defects or vulnerabilities that could leave a system open to attack.
Headline-making medical device hacks tend to involve consumer medical devices such as insulin pumps or implantable devices such as pacemakers, but there’s a much larger universe of vulnerable technologies. Everything from drug infusion pumps to MRI machines and administrative databases is now communicating on hospital networks, making them potentially vulnerable to indirect virus or malware infections or direct attacks. Some of the devices contain patient information that, by some reports, is more valuable to identity thieves than credit card numbers. Some devices provide services that may put lives at risk if they freeze up at the wrong time.
A report released last month named radiology equipment, patient monitoring systems, and Internet-facing surgical and anesthesia devices as especially vulnerable "attack surfaces" for digital attackers. Researchers collected data for a period of 13 months, reporting a total of nearly 50,000 "malicious events" affecting 375 U.S. healthcare organizations and coming from 723 different IP addresses. Some organizations were compromised the entire time, meaning they never caught wind of the breaches, according to Norse, a threat intelligence security company.
Experts have frequently argued that medical device makers remain largely reactive when it comes to defending their devices from digital threats.
"Vendors have little interest to cooperate," according to Florian Grunow, a security analyst for German IT security company ERNW. "What is interesting is that vendors that do had an issue [sic], like a patient has been harmed by an exploding patient monitor, something like that, then they are interested."
Grunow likened the lack of interest to hurdles faced in other industries that had to broach the issue of cybersecurity, such as email providers and keyless vehicle makers, speaking during a presentation he gave at last year’s European DeepSec conference, where he demonstrated a live hack on an EEG system from an unnamed vendor.
"The vendors have to go through the pain of losing something, or breaking something, to make them see that they have to invest in security," Grunow said, warning that the ramifications of medical device digital vulnerabilities are different from security holes in cars or banks. "We are not talking about critical infrastructure that could cost a lot; we are talking about critical infrastructure that could cost lives."