Cyber-attacks on health care organizations are becoming increasingly more common. Here’s how HTM departments can avoid becoming the next victim.

By Chris Hayhurst 

Stephanie Domas has some very bad news for biomed departments across the United States: The medical devices you work on every day may not be as safe as you think they are—especially when it comes to their vulnerability to cybercrime.

Domas, a “white hat” hacker with Battelle, a Columbus, Ohio-based research-and-development firm that, among other things, helps medical device makers bolster their products to withstand cyber-attack, spends much of her time probing software architecture and ensuring that code is up to snuff. That work, she says, has opened her eyes to the challenges faced by hospital systems charged with protecting personal health information and other sensitive data associated with health care delivery.

“And one of the things I’ve noticed,” says Domas, Battelle’s lead medical device security engineer, “is this really interesting push and pull between manufacturers on the one hand and providers on the other.” Manufacturers, she notes, are understandably under a lot of pressure to design secure devices, “but the majority of hospitals don’t have what they need to support this equipment once it’s in place.”

A big hospital system might have the budget, the infrastructure, and the personnel to set up unique encryption keys for each device and maintain “the 15 different segmented networks” that might be required for full cybersecurity, she says. “But if you’re a smaller facility that may not be practical.”

Instead, Domas says, most health care systems need medical devices with flexible security features “that you can basically turn off.” So while manufacturers might be capable of producing “lockdown devices” that are all but impenetrable to cybercriminals, in practice that’s not the way cybersecurity works. “What you usually see is much more emphasis on ‘cyber-hygiene’ and workforce education,” she notes. “It’s more about being careful about what you plug into a machine, or having it frequently scanned or even erased so that viruses can’t pivot from one device to another.”

Meanwhile, even those facilities that do employ security teams find they must be willing to adapt at times in order to meet the needs of the providers they serve. In the security world, Domas points out, there’s something called the CIA triad—for confidentiality, integrity, and availability. “When we’re looking at the security of a device, we’re always looking at those three things: confidentiality of data or the assets on that device; integrity of its performance or any of its data; and availability of its function.” A security professional, Domas explains, will emphasize confidentiality first and availability last.

But BMETs and clinical engineers typically see things the other way around. “Their emphasis is on availability, so what you have is this struggle between competing priorities,” she says. “A security person is always going to add features to a device that protect confidentiality but may hurt its usability. But a biomed’s main job is to make sure these devices are working and available when they’re needed,” which in turn might lead to compromises in confidentiality and integrity. “It can be tough to find the right balance,” Domas says. “Security is important, but you also can’t work if your hands are tied.”

An Uphill Battle

That hospital systems and manufacturers alike face an uphill battle for cybersecurity is, of course, nothing new. The difference now, security experts say, is that cyber-attacks are becoming increasingly frequent and potential vulnerabilities are being unearthed all the time. Unfortunately, the consensus is that the situation will only worsen in the future. One recent report, published by Experian, noted that 91% of health care organizations experienced at least one data breach over the last two years. The health care industry will “remain one of the most targeted sectors by attackers,” the report predicts, primarily because of “the high value compromised data can command on the black market, along with the continued digitization and sharing of medical records.”

In fact, according to analysts on the frontlines of cybercrime, medical data filched from health care organizations can be worth 10 to 20 times the value of a stolen credit card number. And recent headlines nationwide show that cybercriminals see this data as something akin to gold: Back in February, you may recall, one large hospital in Los Angeles paid hackers a $17,000 ransom following a malware attack that prevented employees from using its computer network. Other “ransomware” attacks soon followed, including one at a hospital in Henderson, KY, and another that forced Washington, DC-area MedStar Health to shut down its computers for days.

So far, the cyber-attacks on hospital systems have not targeted medical devices themselves. But that doesn’t mean these devices aren’t vulnerable—or that such an attack won’t happen soon. “We’ve seen that they can be hacked in testing,” notes cybersecurity consultant Rob Maliff, director of the ECRI Institute’s Applied Solutions Group. “It’s just a matter of time before it happens in a clinical environment.”

Maliff points to last summer’s recommendation by the FDA that facilities no longer use an infusion pump made by Hospira because the device could be accessed remotely through a hospital’s network. (Testing, according to the FDA notification, showed “this could allow an unauthorized user to control the device and change the dosage the pump delivers.”) “I think that got everyone’s attention,” Maliff says. “Now medical device security is a really hot issue.”

First Considerations

So what can health care facilities do right now to make their networks and equipment as secure as possible? A good place to start is with the FDA’s own recommendations on the subject. (See the agency’s draft guidance document, “Postmarket Management of Cybersecurity in Medical Devices,” published last January). But in general, Maliff says, the HTM community should focus on the “bedside measures” that security pros have preached since the dawn of the Internet, including attentive patch management, careful procurement and communication with vendors, and establishing a strong system for tracking device inventory.

His own team at ECRI, Maliff notes, provides facilities on-site consultation around cybersecurity best practices. Their bottom-line message everywhere they go: “No matter what you do, you’re never going to eliminate all the risks,” Maliff says. “But if you develop a strong cybersecurity plan, and if you set realistic goals, you can reduce those risks” as much as possible.

Ken Hoyme, senior technical leader with Adventium Labs and co-chair of the Medical Device Security working group at the Association for the Advancement of Medical Instrumentation, agrees. “The risk, I think, is not that hackers are buying infusion pumps and trying to write custom software they can use to attack hospital networks through those devices.” They could do that, he says, but there are “many easier-to-access vulnerabilities they’re likely try first”—including computer systems running on Windows XP.

“If I have a malware that works on an old version of XP, and it can probably get me in if I can get someone to open something up, that’s where I’m going to focus my energy,” Hoyme says. “All it takes is that small “foothold into a hospital’s network, where—once you’re in—the machines are designed to trust each other,” and a hacker would have everything required to put a virus or other malware to work.

Avoiding such a scenario, Hoyme adds, requires hospital staff to work closely with device makers. “Because if it’s a medical device that has this operating system on it, how malware might affect it will depend on how it’s configured and what the manufacturer allows.” He recommends asking “really tough questions” during the procurement of new products. “You should be able to get something like a software bill of materials so you know exactly what’s running on each device.” With that reference in hand, Hoyme notes, an IT or biomed department would know right away if their network was vulnerable when a breach was announced.

“I think that’s key,” Hoyme says. “You should push manufacturers for information about what’s in those devices. It’s the only way to really understand your risk profile when these kinds of things happen.” Maliff’s recommendation: Make sure any manufacturer you work with supplies a Manufacturer Disclosure Statement for Medical Device Security, or MDS2 form. “And if you look at that statement and it’s incomplete or filled out improperly, let them know you can’t do business with them,” he says.

Collaboration Is Key

One company that does supply its customers with MDS2 statements is Philips Healthcare, where Michael McNeil is global product security and services officer. “Any efforts around cybersecurity have to include open lines of communication,” McNeil says. His recommendation to HTM departments: “If a facility becomes aware of any type of threat or vulnerability, or any potential compromise to the devices on its network, they should notify the manufacturers and those that have responsibility for those devices immediately.”

The sooner a manufacturer is made aware of a potential issue, he explains, the more likely they can address it before it’s too late. “Because something that might be a vulnerability on one device could affect other manufacturers and other devices as well,” McNeil says. “So vulnerability-sharing—and communicating that information—is to me a critical step.”

Similarly, says McNeil, who represents Philips as a member of the U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force, when patches or updates are released for a medical device, they must be deployed in a timely and efficient manner. “Because when you leave a device with vulnerabilities out in the wild, that can only exacerbate the situation.”

From his perspective, agrees Ron Mehring, vice president of technology and security at Texas Health Resources, collaboration between relevant stakeholders is of utmost importance in the world of cybersecurity. Toward that end, he says, Texas Health is part of the National Health Information and Sharing Analysis Center, the HITRUST Alliance, and the Medical Device Innovation, Safety and Security Consortium. “We’re all sharing information with each other on best practices,” Mehring says. “If someone else is doing something really well, everyone else gets the chance to learn about it and apply their techniques to their own organization.”

Internally, Mehring adds, the collaboration continues between the various departments within the Texas Health network. “We all meet regularly and just talk it through: What are the threats? What security controls do we need to deploy to protect the medical devices we need to protect?” The biomedical department plays a major role in this regard.

“One of the most important things we do is develop profiles and strategies for each device we have on the network,” Mehring explains. “And biomed is involved in that on an ongoing basis: What is the device and what does it do? Does it support a critical care function or not? Is it network enabled? By asking those questions right off the bat, you automatically get a better understanding of how you can best protect things.”

Instead of looking at your system “like it’s this big black box of medical devices,” Mehring says, “you kind of peer inside of it and peel away the layers, and when you do you start to realize there are actions you can take that can really make a difference.”

Battelle’s Stephanie Domas agrees: The more you know about the devices in your system—whether it’s through the sharing of tricks and tips between different health care organizations, talking with manufacturers about product design, or any other means you have for gathering information—the better off you’ll be in the event of a cyber-attack. Still, she says, sometimes it can be the simplest mistake that ultimately brings down a system, and not necessarily a sophisticated hack by a cybercriminal from some far-off land.

Look no further than the surgeon who plugged his phone into the USB port of an anesthesia machine and caused the device to crash. “There was no malice there,” Domas says. “That device was simply not designed to handle that kind of an input.” Her final words of advice: Better cyber-education could resolve a lot of problems. “That’s probably what organizations should focus on first.”

Chris Hayhurst is a contributing writer for 24×7.