By Steve Dallas
On Sept. 12, 2022, the FBI issued a notification on the “increasing number of vulnerabilities posed by unpatched medical devices that run on outdated software and devices that lack adequate security features.”[i] Just a few days later, the FBI announced that it had indicted three men in an alleged planned cyberattack on Boston Children’s Hospital.[ii]
Medical device cyberattacks are a tremendous threat to patient care delivery and safety, and they are growing. Insecure medical devices ranked as the top cybersecurity threat of greatest concern among healthcare IT professionals surveyed by the Ponemon Institute, with 64% of respondents worried about the security of their network-connected devices.[iii]
While healthcare organizations have, on average, more than 26,000 network-connected devices used in care delivery, only about half of those surveyed (51%) said their organizations’ cybersecurity strategy includes prevention and response to an attack on these devices.[iv]
Health systems, hospitals, and the manufacturers of the medical devices within their facilities must all work collaboratively to ensure devices have been built with security in mind. They must ensure the devices can identify and protect against an attack, alert users to compromise, and support an effective response and recovery plan.
Here are five elements of a comprehensive cybersecurity defense strategy, including checklists for items a medical device manufacturer should have in place to protect your devices and data.
A medical device manufacturer should provide users of its devices with the information necessary to better identify the assets as well as the possible cybersecurity risks known to it. Critical items include:
- Software Bill of Materials (SBOM), which lists all third-party software components used in the product
- Disclosure of security advisories, which are critical in case new vulnerabilities of the product are found
- Instructions for Use (IFU), which describe, among other things, cybersecurity aspects of integrating the device into the customer network
- Manufacturer Disclosure Statement for Medical Device Security (MDS2), which aims to assist customers in assessing the security risks associated with the management of medical devices
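To show how an SBOM and security advisories work together on the customer side, the following added example (not from the article or any manufacturer) matches SBOM components against advisory version ranges. The CycloneDX-style SBOM, the component names, the advisory IDs and the advisory record layout are all constructed for illustration.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device (not a real product).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "components": [
  {"type": "library", "name": "example-tls-lib", "version": "1.4.2"},
  {"type": "operating-system", "name": "example-rtos", "version": "5.2.0"},
  {"type": "library", "name": "example-json-parser", "version": "unknown"}
 ]}
"""

# Constructed advisories; ids are placeholders. Affected range: introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "example-tls-lib", "introduced": "1.0.0", "fixed": "1.4.5"},
    {"id": "ADV-PLACEHOLDER-2", "component": "example-rtos", "introduced": "4.0.0", "fixed": "5.1.0"},
    {"id": "ADV-PLACEHOLDER-3", "component": "example-json-parser", "introduced": "2.0.0", "fixed": "2.1.0"},
]


def parse_version(text):
    """Turn '1.4.2' into (1, 4, 2); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.split("."))


def affected_components(sbom, advisories):
    """Return (name, version, advisory_id, fixed_in) for every SBOM hit."""
    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        for adv in (a for a in advisories if a["component"] == name):
            try:
                installed = parse_version(version)
            except (ValueError, AttributeError):
                # Missing or unparseable version: flag for manual review
                # instead of silently treating the component as unaffected.
                findings.append((name, version, adv["id"], "REVIEW"))
                continue
            if parse_version(adv["introduced"]) <= installed < parse_version(adv["fixed"]):
                findings.append((name, version, adv["id"], adv["fixed"]))
    return findings


if __name__ == "__main__":
    for finding in affected_components(json.loads(SBOM_JSON), ADVISORIES):
        print(finding)
```

A component whose version cannot be parsed is reported for review, because an incomplete SBOM entry is itself a gap worth raising with the manufacturer.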
In a 2022 survey of medical device product security and cybersecurity compliance professionals, only 27% of respondents say their companies generate and maintain an SBOM. Fewer than half (46%) say they consider themselves compliant with medical device security regulations, standards and guidelines, with 78% saying they did the minimum to achieve compliance. Perhaps most notable is that 79% of those surveyed believe quick time to market is more important than security overall.[v]
By asking the right questions, a healthcare organization can differentiate device manufacturers that prioritize cybersecurity, meeting or exceeding requirements, from those that do only the bare minimum to get their products on the market and into the hands of clinicians.
The device manufacturer should employ preventive measures in its product design and development processes to reduce the risk of a device being compromised in the event of a cyberattack. These measures should include:
- Authentication and authorization controls (e.g., authenticated access, restricted remote access) to balance the requirement for secure authentication with the requirement for ease of use to support clinical workflows
- Passwords as the first line of defense against unauthorized access to devices and systems, including the changing of default passwords to help ensure access is protected and restricted to authorized individuals or systems
- Session timeouts when there is no activity for a set period to help limit the risk of a medical device or system being exposed to unauthorized access
- Encrypted authentication to ensure user IDs and passwords cannot be monitored when coming across the network
- Secure/trusted boot chain to ensure the integrity of firmware and software running on the medical device, and guard against malicious attacks, rootkits, and unauthorized software updates that could happen prior to the operating system (OS) launching
- Internal encryption key management, including the protection of the keys in an internal secure key store
- Software integrity, meaning the manufacturer confirms that the code does what it should, has security features, is robust, and is easy to edit and upgrade without introducing new errors
- Encrypted transport channels and cryptographic checksums to protect data transferred to and from the device
- Deny all by default to ensure undefined TCP/IP ports cannot be used to access the medical device or system – ports are restricted to only allow authorized access and communication
- Security event log that contains all security-related events an administrator needs to analyze potential compromises and forensic evidence
Even in today’s cyber-conscious world, only 46% of device manufacturers surveyed say they set security requirements during the design phase, and only 38% said they perform continuous security testing across the device lifecycle.[vi]
Use this checklist to determine whether the devices entering your facility have the robust security features required to help protect against attacks and minimize the risk of patient harm.
In addition to preventive technical controls that protect a device from attacks, the device should also issue active alerts when attacks have been attempted. Timely alerts about unusual actions or cybersecurity events are crucial for your healthcare organization to respond effectively.
Technical alerts are essential to this, particularly if there is a security event that indicates abnormal technical behavior. Following such an alert, the device would notify its administrative user or the hospital’s IT department.
A change in the device or system configuration can have an impact on performance, security, availability, and operation; therefore, the device notifies the administrator of changes and their details in real time.
To enable a healthcare organization to respond quickly and effectively to a detected cybersecurity event, the manufacturer should send the organization’s IT administrators notifications that include information about the cause of the security event and recommended action.
For example, Dräger’s devices contain a component called System Health Monitor (SHM), which measures the resource consumption of the software running on the device during operation. The SHM continuously measures memory usage and processor load. If the consumption violates the limits set by SHM, the last resort reaction will be a reboot of the system.
Only 61% of medical device product security/cybersecurity compliance professionals surveyed say their companies take a proactive approach to post-production device security. And it is not smaller device manufacturers that are failing on this front, as barely one-third (29%) of larger companies regularly release software security updates, and only 34% gather threat intelligence from multiple sources.[vii]
Prioritize manufacturers that work to keep their devices safe long after they have left the production line.
After a cyberattack is successfully eradicated, the device must recover functionality to continue normal operation. Manufacturers should support the recovery through the following safeguards:
- If the device detects a software runtime error caused by a cyberattack, it will initiate a system restart to restore it to a known good state
- As a last resort, the manufacturer’s service team should be able to restore hardware and/or software components
Disrupted care delivery and threats to patient safety are among the consequences of cyberattacks on healthcare organizations, with ransomware attacks more likely to hurt patient safety and care delivery than other cyberattacks. Among healthcare IT professionals in organizations that had experienced ransomware attacks, 64% said the attacks caused delays in procedures and tests that resulted in poor outcomes—such as increasing the severity of the illness—and 59% said patients had longer lengths of stay.[viii]
Ask device manufacturers in your facility to explain the steps they are prepared to take following an attack to determine the potential level of disruption to your clinical workflows. They should make every effort to restore devices as quickly as possible to support safe and effective care delivery.
As cybercriminals become more aggressive with their attacks, medical device manufacturers and healthcare organizations must enact stronger safeguards to thwart their efforts.
There is no such thing as a “cybersecurity silver bullet.” Cybersecurity requires comprehensive administrative, logical, and physical controls to protect medical devices and to avoid patient harm and financial damage. It is neither a short-term project nor a once-and-done effort, but a continuous, multi-layered process to minimize the risks of threats to medical devices and avoid patient harm.
Assess the security of devices currently in your facilities by reviewing the checklists provided here with the manufacturers. Also put into place a process where stakeholders in device selection and purchase for your organization (e.g., value analysis, supply chain, clinicians) use these checklists to vet manufacturers of the devices they are evaluating for use. That way, healthcare organizations can prevent further risks, in the form of insecure devices, from occurring.
Steve Dallas is chief product security officer at Draeger Medical Systems, Inc. Questions and comments can be directed to [email protected].
[i] Private Industry Notification, Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities, FBI, September 12, 2022, https://www.ic3.gov/Media/News/2022/220912.pdf
[ii] $10 million reward: Iranian nationals accused of planning cyberattack on Boston Children’s Hospital, MassLive, September 16, 2022, https://www.masslive.com/police-fire/2022/09/10-million-reward-iranian-nationals-accused-of-planning-cyberattack-on-boston-childrens-hospital.html
[iii] Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care, Ponemon Institute, September 2022, https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf
[iv] Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care, Ponemon Institute, September 2022, https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf
[v] Medical Device Cybersecurity: Trends and Predictions Survey Report, Cybellum, April 2022, https://7512951.fs1.hubspotusercontent-na1.net/hubfs/7512951/Assets/Medical%20Device%20Cybersecurity%20-%20Trends%20&%20Predictions%20-%20by%20Cybellum.pdf?utm_campaign=State%20of%20Medical%20Device%20Cybersecurity%202022&utm_medium=email&_hsenc=p2ANqtz-_HeNhfg-zjIlG1hYookXfJGbEP5O0j4THwIz6ubO_fVmnPfke5iqP_GbfwC2LpJ2q7Io50o9Ka7NOKpW-vph4yA2p8wcb5uqTcrGTFhASnYKo7Qeo&_hsmi=210297051&utm_content=210297051&utm_source=hs_automation&hsCtaTracking=ee6c6677-7fe3-40f8-9638-0d4b0862b124%7C66d0a737-a528-4f2f-939f-48c2dbe4ee15
[vi] Medical Device Cybersecurity: Trends and Predictions Survey Report, Cybellum, April 2022, https://7512951.fs1.hubspotusercontent-na1.net/hubfs/7512951/Assets/Medical%20Device%20Cybersecurity%20-%20Trends%20&%20Predictions%20-%20by%20Cybellum.pdf?utm_campaign=State%20of%20Medical%20Device%20Cybersecurity%202022&utm_medium=email&_hsenc=p2ANqtz-_HeNhfg-zjIlG1hYookXfJGbEP5O0j4THwIz6ubO_fVmnPfke5iqP_GbfwC2LpJ2q7Io50o9Ka7NOKpW-vph4yA2p8wcb5uqTcrGTFhASnYKo7Qeo&_hsmi=210297051&utm_content=210297051&utm_source=hs_automation&hsCtaTracking=ee6c6677-7fe3-40f8-9638-0d4b0862b124%7C66d0a737-a528-4f2f-939f-48c2dbe4ee15
[vii] Medical Device Cybersecurity: Trends and Predictions Survey Report, Cybellum, April 2022, https://7512951.fs1.hubspotusercontent-na1.net/hubfs/7512951/Assets/Medical%20Device%20Cybersecurity%20-%20Trends%20&%20Predictions%20-%20by%20Cybellum.pdf?utm_campaign=State%20of%20Medical%20Device%20Cybersecurity%202022&utm_medium=email&_hsenc=p2ANqtz-_HeNhfg-zjIlG1hYookXfJGbEP5O0j4THwIz6ubO_fVmnPfke5iqP_GbfwC2LpJ2q7Io50o9Ka7NOKpW-vph4yA2p8wcb5uqTcrGTFhASnYKo7Qeo&_hsmi=210297051&utm_content=210297051&utm_source=hs_automation&hsCtaTracking=ee6c6677-7fe3-40f8-9638-0d4b0862b124%7C66d0a737-a528-4f2f-939f-48c2dbe4ee15
[viii] Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care, Ponemon Institute, September 2022, https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf