By Arleen Thukral, MS
Medical devices are increasingly designed to be networked to facilitate patient care. These particular devices, like other networked computer systems, incorporate software that may be vulnerable to cybersecurity threats.
U.S FDA guidelines prevent tampering with or modifying the hardware and software on medical devices without a formal submission. With the primary focus on clinical function over security, manufacturers frequently fail to implement the most rudimentary forms of protection.
In particular, features that are often missing include operating system hardening, patch updates, client security services like personal firewall, antimalware, host intrusion prevention, and authentication services like 802.1x supplicant. Indeed, it is common to see medical devices that have been in operation for many years without any modifications that improve or address their security posture.
Proactively Addressing Cybersecurity Risks
In 2016, the FDA issued guidance for postmarket management of cybersecurity in medical devices. The guidance encourages manufacturers to address cybersecurity throughout the product lifecycle, including during the design, development, production, distribution, deployment, and maintenance of the device.
In addition, the FDA acknowledges the importance of sharing cyber risk information within the medical device community. Information sharing analysis organizations gather and analyze critical infrastructure information in order to understand cybersecurity problems and disclose information to help prevent the effects of cyber threats. Moreover, the FDA urges healthcare delivery organizations to collaborate with manufacturers to include regularly scheduled security updates or patches to a device.
For example, one recommendation for health providers is to complete cybersecurity risk assessments through understanding, assessing, and detecting presence and impact of a vulnerability. While there are many potentially acceptable approaches for conducting this analysis, one such approach may be based on qualitative severity levels as described in ANSI/AAMI/ISO 14971: 2007/2010: Medical Devices-Application of Risk Management to Medical Devices. Levels are divided into five categories:
- Negligible (1): Inconvenience or temporary discomfort
- Minor (2): Results in temporary injury or impairment not requiring professional medical intervention
- Serious (3): Results in injury or impairment requiring professional medical intervention
- Critical (4): Results in permanent impairment or life-threatening injury
- Catastrophic (5): Results in patient death
The multiplication of these defined exploitability scores based on the use of virtual local area networks (VLANs), access control lists (ACLs), active directory integration, vulnerability management, and service password management could be used to determine a cybersecurity risk score.
While many healthcare providers may not be aware of all the medical devices and their traffic requirements, they can take a first step in vulnerability management: endpoint discovery and classification.
Many medical devices are configured with static Internet Protocol (IP) addresses. However, the growing popularity of mobile clinical devices has increased the number of medical devices that rely on dynamic host configuration protocol (DHCP) to obtain an IP address. DHCP provides central management of IP addresses for both random assignment across a shared pool, as well as static assignment (DHCP reservation) for devices that require a deterministic IP address. A benefit of this trend is the availability of DHCP data for device classification.
In some cases, manufacturers populate specific fields in DHCP requests that help identify the specific vendor, device model, or organization. For example, Sonosite, a major supplier of ultrasound machines, includes the name of its MicroMaxx product line into the DHCP Class ID field. Similarly, Masimo, a leading manufacturer of patient monitoring devices, embeds the name MasimoSET in its line of signal extraction technology pulse oximeters used to measure the amount of oxygen carried in the body.
Once endpoints have been discovered, facilities can increase security through network design and segmentation considerations. A traditional method for segmenting medical devices is to isolate them in one or more dedicated networks. Although intuitive and straightforward, this method is diminishing in popularity due to the cost of managing separate networks.
Plus, the dedication of physical ports restricts the mobility of devices and carts. For wireless devices, it is possible—though, at times, cost-prohibitive— to deploy a dedicated network of access points and controllers. For these reasons, healthcare delivery organizations commonly opt for shared infrastructure for virtual segmentation.
Furthermore, the use of access control lists to limit or segment traffic may be preferred when allowed ports and destinations are well-known—with VLANs and wireless LANs commonly used as well. But don’t overlook this important fact: While VLANs are praised for their intuitiveness, they do not guarantee traffic separation. Unless VLANs are completely isolated through the use of virtual routing and forwarding, ACLs or other firewalls services are needed at the VLAN boundaries.
Arleen Thukral, MS, is chief biomedical engineer at VA Central California Health Care System in Fresno. Questions and comments can be directed to firstname.lastname@example.org.
*Schwartz, Susanne. Dec. 28, 2016. Postmarket Management of Cybersecurity in Medical Devices