Medical Device Security: The State of Play

When we read the words 'security’ and 'medical’ in the same sentence, if your mind works like mine, we race immediately to the plethora of data breaches caused by carelessness, poorly configured data storage devices, malicious competitors, or malware/ransomware. Rarely does our mind travel to the security of the medical devices themselves, which are meant to keep us alive and well.

This is not a new topic for those in the cybersecurity world. This author has been proselytizing on the need and benefits of securing our medical devices and infrastructure for years. We can no longer afford to continue to bifurcate the topic of medical information and medical devices/infrastructure; we must think of securing data associated with health care in a holistic sense.

Why do We Care About Medical Devices?

These devices contain and retain highly sensitive personal data of those to whom the device is attached, be it temporarily (Electrocardiogram - EKG) or more permanently (pacemaker). As you can imagine, your Protected Health Information (PHI) is being collected by the devices and either retained or shared in real time for interrogation and analysis.

Abbott’s (formerly St. Jude Medical) found itself the center of attention of both the Food and Drug Administration (FDA) and patient furor over their pacemakers, defibrillator, and other medical devices being vulnerable to a third party man-in-the-middle access via cybersecurity vulnerabilities, which could affect how the device operates, to include “rapid depletion of battery and/or inappropriate pacing or shocks.” In late August, the FDA approved a firmware update which addressed the cybersecurity vulnerabilities.

As did German electronics company, Siemens, who issued a customer alert in July 2017 warning of the highly critical vulnerabilities in a variety of their scanners. Pending a solution, which Siemens expects to push out soon (fall of 2017), Siemens has directed the devices be taken offline. The Department of Homeland Security (DHS) characterized the exploit as “low skill.”

They are not alone, they are only the most recent.

What Must Be Done?

The health care industry has awakened to the reality that medical devices require security to be baked in from design to market, to protect the patient and their Protected Health Information. To that end, in June 2017, the Health Care Industry Cybersecurity Task Force, formed in March 2016, issued their Report on Improving Cybersecurity in the Health Care Industry.

The task force included a smorgasbord of cybersecurity risks associated with the health care industry ranging from ransomware, medical identity theft, nation-state hacking, supply chain manipulation and disruption, attacks disrupting patient care, and more.

Not surprisingly, the task force found that “with the exception of IT security personnel, many providers and other health care workers often assume that the IT network and devices they support function efficiently, and that their level of cybersecurity vulnerability is low.”

We share the six imperatives and attendant recommendations titles only, and find them to be spot-on. The task force pushes both government and industry to move forward together, now.

They include:

Imperative 1 – Define and streamline leadership, governance, and expectation for health care industry cybersecurity

• Recommendation – create a cybersecurity leadership role within HHS to align industry facing efforts for health care cybersecurity
• Recommendation – establish a consistent, consensus-based health care-specific Cybersecurity Framework
• Recommendation – require federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity
• Recommendation – identify scalable best practices for governance of cybersecurity across the health care industry
• Recommendation – explore potential impacts to the Physician Self-Referral Law, the Anti-Kickback Statute, and other fraud and abuse laws to allow large health care organizations to share cybersecurity resources and information with their partners

Imperative 2 – Increase the security and resilience of medical devices and health IT

• Recommendation – secure legacy systems
• Recommendation – improve manufacturing and development transparency among developers and users
• Recommendation – increase adoption and rigor of the secure development lifecycle (SDL) in the development of medical devices and electronic health records (EHR)
• Recommendation – require strong authentication to improve identity and access management of health care workers, patients and medical devices/EHRs
• Recommendation – employ strategic and architectural approaches to reduce the attack surface for medical devices, EHRs, and interfaces between these products
• Recommendation – establish a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures

Imperative 3 – Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities

• Recommendation – every organization must identify the cybersecurity leadership role for driving for more robust cybersecurity policies, processes, and functions with clear engagement from executives.
• Recommendation – establish a model for adequately resourcing the cybersecurity workforce with qualified individuals
• Recommendation – create Managed Security Service Provider (MSSP) models to support small and medium-size health care providers

Imperative 4 – Increase health care industry readiness through improved cybersecurity awareness and education

• Recommendation – develop executive education programs targeting Executives and Boards of Directors about the importance of cyber education
• Recommendation – establish a cybersecurity hygiene posture within the health care industry to ensure existing and new products/systems risks are managed in a secure and sustainable fashion
• Recommendation – establish a conformity assessment model for evaluating cybersecurity hygiene that regulatory agencies and industry could rely on, instead of diversity of auditors
• Recommendation – the NIST Baldrige Cybersecurity Excellence Builder, should be further developed:
  • specific to health care
  • specific to the types of health care operations that are widely deployed across industry and have limited access to cybersecurity resources (e.g., small hospitals, rural locations with limited access to security resources)
• Recommendation – increase outreach and engagement for cybersecurity across federal, state, local, tribal, territorial, and private sector partners through education campaign including meetings, conferences, workshops and tabletop exercises across regions and industry
• Recommendation – provide patients with information on how to manage their health care data, including a cybersecurity and privacy grading system for consumers to make educated decisions when selecting services or products around non-regulated health care services and products.

Imperative 5 – Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure

• Recommendation – develop guidance for industry and academia on creating economic impact analysis and loss for cybersecurity risk for health care research and development
• Recommendation – pursue research into protecting health care big data sets

Imperative 6 – Improve information sharing of industry threats, risks and mitigations

• Recommendation – tailor information sharing for easier consumption by small and medium-size organizations who rely on limited or part-time security staff
• Recommendation – broaden the scope and depth of information sharing across the health care industry and create more effective mechanisms for disseminating and utilizing data
• Recommendation – encourage annual readiness exercises by the health care industry
• Recommendation – provide security clearances for member of the health care community

These imperatives and recommendations are a tall order, and appropriately call out the vulnerability of the small and medium size health care entities due to their limited resources. If patient wellbeing wasn’t sufficient impetus, the inability to compensate for lack of security in medical devices in these small-medium entities should seal the deal.

To that end, the Cybersecurity Act of 2015, which the aforementioned task force had in hand during their efforts, called for a public/private information sharing in an automated manner and enhanced cybersecurity across all of the health care sector. What it did not do was specifically address medical device security and privacy.

Specific to medical device security, Senator Blumenthal (D-CT) introduced in July 2017, the Medical Device Cybersecurity Act of 2017, which is now in committee. While it may not be a panacea, the bill’s elegance is in its simplicity. It tasks the FDA to create a report card indicating the cybersecurity functions of connected, or cyber, medical devices.

The FDA Report Card

The FDA report card will contain:

1. Information pertaining to all essential elements described in the most recent version of the Manufacturer Disclosure Statement for Medical Device Security, as set forth by the Healthcare Information and Management Systems Society and the National Electrical Manufacturers Association.
2. A traceability matrix, accepted by the Secretary, that—
   1. redacts content that is confidential, as determined by the Secretary; and
   2. establishes design components and traces such components to design compensating controls.
3. A description of any manufacturer compensating controls that—
   1. effectively address known common vulnerabilities and exposures; and
   2. provide providers with industry standard compensating controls for improving cybersecurity.
4. A description of—
   1. any cybersecurity evaluation conducted on the device, including any testing, validation, or verification of the device;
   2. who conducted such evaluation; and
   3. the results of such evaluation.
5. A cybersecurity risk assessment conducted by the manufacturer, or a third party, explaining the risk of the device to patient safety and clinical hazards.
6. An indication of whether the device is capable of being remotely accessed. If the device is capable of being remotely accessed, an indication of any security measures and access protocols the device has in place to secure such access.

Conclusion

If passed, the proposed legislature is a very large step forward for medical device security and transparency, as it ensures the medical device’s cybersecurity profile is present and available for both medical providers and patient examination. Indeed, the report card will be included in “any applications for premarket approval.”

These efforts, albeit slow in coming, are welcome, as the availability of medical connected devices is only going to increase and having cybersecurity as a mainstay for accessible devices is all toward the good.

And while we would like to say, hardening the medical devices will be sufficient, the task force introduced imperatives and recommendations show the wide breadth of effort required if cybersecurity is to be attained within the health care sector. 

About Christopher Burgess

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).