Medical device cybersecurity: Need for practical solutions
February 19, 2019
By Juuso Leinonen and Chad Waters
ECRI Institute, an independent, not-for-profit patient safety organization, ranked cyber threats to healthcare delivery as the top health technology concern for 2019. This marks the second consecutive year that cybersecurity topped the organization's Top 10 Health Technology Hazards list.
Each year, ECRI Institute produces its list and an accompanying report to help hospitals direct their time and energy toward practical technology management activities that can have the greatest impact on patient safety.
For 2018, the organization's report broadly addressed the challenges that healthcare organizations face from ransomware and other malware. The 2019 report, in comparison, focuses more narrowly on one key area of vulnerability: systems that allow remote access to a healthcare organization's network.
Remote access delivers both patient safety benefits and clinical workflow efficiencies, and thus, has become prevalent in healthcare organizations. Use cases range from allowing clinicians to remotely view radiology studies through PACS to enabling medical device manufacturers to remotely troubleshoot error conditions with their devices. However, if remote access is not appropriately configured or protected, an opportunity for unauthorized network intrusion and system disruption exists.
In the past year, healthcare organizations have been specifically impacted by SamSam ransomware that targeted publicly-facing remote access, leveraging the access to infiltrate the network and cause havoc. The rising trend in remote access hacks was also highlighted by a recent FBI notice, “Cyber Actors Increasingly Exploit the Remote Desktop Protocol to Conduct Malicious Activity” [https://www.ic3.gov/media/2018/180927.aspx].
Regardless of the nature of the vulnerability or how it is exploited, healthcare operations can be disrupted by cyberattacks, making cybersecurity a critical patient safety concern.
Cybersecurity as a patient safety concern
Increase in remote access is just one example of the increasing connectivity in the healthcare environment. This growing connectivity presents a challenge for network security as well as patient safety. ECRI Institute estimates that each bed space has an average of 15-17 connected medical devices, and clinical data exchange between these devices and their related systems has become integral in the diagnosis and treatment of patients. However, when disruptions occur in the well-established clinical processes that rely on this data exchange, errors that affect patient care can occur.
During the past few years, hospital operations, clinical processes, and even medical devices have been disrupted by security incidents. Several ransomware attacks, such as WannaCry and NotPetya, impacted healthcare facilities in the United States and globally. Attacks have forced a return to paper records, cancelled appointments, and even the closure of some healthcare facilities and business units. These disruptions undoubtedly led to delays in patient care. In the worst case scenario, such delays can lead to patient harm.
Challenges of managing medical device security
The increase in network-connected medical devices poses a unique security challenge for healthcare facilities. While organizations aspire to employ IT policies and best practices across connected medical devices in order to manage security risks and avoid costly disruptions, they often find the clinical use requirements and the available medical device security capabilities to be prohibitive. Managing the security of medical devices is associated with several complex challenges:
1. First, medical devices are used to deliver care and often life-sustaining therapy. This makes it inherently more complicated to access the devices for remediation, like installing urgent security patches or updates. Device utilization can be high, with some devices being in use 24/7. Also, disconnecting the device from the network as a mitigation to a security concern often is not practical, as doing so could disrupt clinical workflow.
2. Second, many medical devices have a long useful life. ECRI Institute estimates that most medical devices will last 7–10 years or more. While the long useful life may be an advantage from the clinical functionality perspective, it quickly becomes very challenging from the security perspective. The relative time scale of clinical versus security changes exacerbates the problem. Underlying clinical technologies may remain stable for years or even decades, if they change at all. In contrast, the security landscape is in constant flux, with new vulnerabilities, threats, and exploits discovered daily.
3. Third, facilities and vendors are still digging out from a historical lack of focus in security design controls with medical devices. Many medical devices were not built to communicate with the hospital network when initially designed, and many still on the market lack basic enterprise security capabilities. The unfortunate reality is that in order to get the clinical functionality needed, facilities will sometimes compromise and accept outdated security capabilities.
4. Fourth, medical device replacement can be cost-prohibitive. Even in situations in which medical devices exhibit significant security shortcomings, replacement is not a financially feasible option for many facilities. Facilities are often stuck with designing and implementing customized compensating controls to mitigate security risks until device replacement at a later date.
Practical steps to make a significant impact
Healthcare facilities are faced with a number of competing demands, and cybersecurity is just one of them. It is important to identify a game plan that is feasible, given the resources, time, technology, and staff available. Cybersecurity in a healthcare facility should not be looked at solely as an IT issue, but rather as a patient safety issue that impacts all personnel. From the frontline clinicians to clinical engineers and IT, everyone can and should play a role in ensuring a safe and secure care delivery environment.
Many facilities still struggle to find the best way to get started. ECRI Institute recommends prioritizing the following efforts:
1. Complete an inventory of all network-connected medical devices. The most common issue we have encountered with healthcare facilities is a lack of visibility to their own assets. Collecting and organizing the required networking details for each medical device in the inventory can aid in security risk mitigation and security threat response.
2. Establish a plan to respond to medical device security vulnerabilities, threats, and incidents. While most organizations have a general security incident response plan, it is paramount to develop policies and procedures that also address incident response for medical device security in particular. Consider assigning specific resources with responsibility for monitoring and responding to medical device security threats. Also consider running tabletop and hands-on exercises with scenarios that include unavailable network-connected medical devices or systems.
3. Develop minimum security recommendations for procurement of medical devices. Many facilities have identified that security should be factored in during the procurement stage, but resources for in-depth security assessment are often scarce. A good place to start is to define the minimum requirements appropriate for your organization. A joint effort between IT and clinical engineering is required in order to establish reasonable requirements.
4. Assign a medical device security specialist. While managing medical devices traditionally falls in the realm of clinical engineering, with the expanse of required network connectivity, IT has also taken a prominent role. Involvement from both groups is required to attain the understanding of the infrastructure, of the devices themselves, along with how they are used in a clinical setting, and of how the devices need to be configured as a part of the facility’s network to ensure safe and secure functionality. A medical device security specialist can also serve as a liaison between IT and clinical engineering staff.
About the authors: Juuso Leinonen is the senior project engineer for health devices at ECRI Institute. Chad Waters is the senior cybersecurity engineer for health devices at ECRI Institute.
ECRI Institute, an independent, not-for-profit patient safety organization, ranked cyber threats to healthcare delivery as the top health technology concern for 2019. This marks the second consecutive year that cybersecurity topped the organization's Top 10 Health Technology Hazards list.
Each year, ECRI Institute produces its list and an accompanying report to help hospitals direct their time and energy toward practical technology management activities that can have the greatest impact on patient safety.
For 2018, the organization's report broadly addressed the challenges that healthcare organizations face from ransomware and other malware. The 2019 report, in comparison, focuses more narrowly on one key area of vulnerability: systems that allow remote access to a healthcare organization's network.
Remote access delivers both patient safety benefits and clinical workflow efficiencies, and thus, has become prevalent in healthcare organizations. Use cases range from allowing clinicians to remotely view radiology studies through PACS to enabling medical device manufacturers to remotely troubleshoot error conditions with their devices. However, if remote access is not appropriately configured or protected, an opportunity for unauthorized network intrusion and system disruption exists.
In the past year, healthcare organizations have been specifically impacted by SamSam ransomware that targeted publicly-facing remote access, leveraging the access to infiltrate the network and cause havoc. The rising trend in remote access hacks was also highlighted by a recent FBI notice, “Cyber Actors Increasingly Exploit the Remote Desktop Protocol to Conduct Malicious Activity” [https://www.ic3.gov/media/2018/180927.aspx].
Regardless of the nature of the vulnerability or how it is exploited, healthcare operations can be disrupted by cyberattacks, making cybersecurity a critical patient safety concern.
Cybersecurity as a patient safety concern
Increase in remote access is just one example of the increasing connectivity in the healthcare environment. This growing connectivity presents a challenge for network security as well as patient safety. ECRI Institute estimates that each bed space has an average of 15-17 connected medical devices, and clinical data exchange between these devices and their related systems has become integral in the diagnosis and treatment of patients. However, when disruptions occur in the well-established clinical processes that rely on this data exchange, errors that affect patient care can occur.
During the past few years, hospital operations, clinical processes, and even medical devices have been disrupted by security incidents. Several ransomware attacks, such as WannaCry and NotPetya, impacted healthcare facilities in the United States and globally. Attacks have forced a return to paper records, cancelled appointments, and even the closure of some healthcare facilities and business units. These disruptions undoubtedly led to delays in patient care. In the worst case scenario, such delays can lead to patient harm.
Challenges of managing medical device security
The increase in network-connected medical devices poses a unique security challenge for healthcare facilities. While organizations aspire to employ IT policies and best practices across connected medical devices in order to manage security risks and avoid costly disruptions, they often find the clinical use requirements and the available medical device security capabilities to be prohibitive. Managing the security of medical devices is associated with several complex challenges:
Chad Waters
2. Second, many medical devices have a long useful life. ECRI Institute estimates that most medical devices will last 7–10 years or more. While the long useful life may be an advantage from the clinical functionality perspective, it quickly becomes very challenging from the security perspective. The relative time scale of clinical versus security changes exacerbates the problem. Underlying clinical technologies may remain stable for years or even decades, if they change at all. In contrast, the security landscape is in constant flux, with new vulnerabilities, threats, and exploits discovered daily.
3. Third, facilities and vendors are still digging out from a historical lack of focus in security design controls with medical devices. Many medical devices were not built to communicate with the hospital network when initially designed, and many still on the market lack basic enterprise security capabilities. The unfortunate reality is that in order to get the clinical functionality needed, facilities will sometimes compromise and accept outdated security capabilities.
4. Fourth, medical device replacement can be cost-prohibitive. Even in situations in which medical devices exhibit significant security shortcomings, replacement is not a financially feasible option for many facilities. Facilities are often stuck with designing and implementing customized compensating controls to mitigate security risks until device replacement at a later date.
Practical steps to make a significant impact
Healthcare facilities are faced with a number of competing demands, and cybersecurity is just one of them. It is important to identify a game plan that is feasible, given the resources, time, technology, and staff available. Cybersecurity in a healthcare facility should not be looked at solely as an IT issue, but rather as a patient safety issue that impacts all personnel. From the frontline clinicians to clinical engineers and IT, everyone can and should play a role in ensuring a safe and secure care delivery environment.
Many facilities still struggle to find the best way to get started. ECRI Institute recommends prioritizing the following efforts:
Juuso Leinonen
2. Establish a plan to respond to medical device security vulnerabilities, threats, and incidents. While most organizations have a general security incident response plan, it is paramount to develop policies and procedures that also address incident response for medical device security in particular. Consider assigning specific resources with responsibility for monitoring and responding to medical device security threats. Also consider running tabletop and hands-on exercises with scenarios that include unavailable network-connected medical devices or systems.
3. Develop minimum security recommendations for procurement of medical devices. Many facilities have identified that security should be factored in during the procurement stage, but resources for in-depth security assessment are often scarce. A good place to start is to define the minimum requirements appropriate for your organization. A joint effort between IT and clinical engineering is required in order to establish reasonable requirements.
4. Assign a medical device security specialist. While managing medical devices traditionally falls in the realm of clinical engineering, with the expanse of required network connectivity, IT has also taken a prominent role. Involvement from both groups is required to attain the understanding of the infrastructure, of the devices themselves, along with how they are used in a clinical setting, and of how the devices need to be configured as a part of the facility’s network to ensure safe and secure functionality. A medical device security specialist can also serve as a liaison between IT and clinical engineering staff.
About the authors: Juuso Leinonen is the senior project engineer for health devices at ECRI Institute. Chad Waters is the senior cybersecurity engineer for health devices at ECRI Institute.