By Andy Solterbeck
Regional Director for APAC, Cylance
Hackers can take over your smartphone or intercept telemetry from your fitness band. That’s bad enough. But what if hackers could gain control of a drug infusion pump, trigger false alarms that may prompt doctors and nurses to administer unnecessary and adverse treatment, or hold a hospital’s database and routine operations hostage?
Anything connected to a network is at risk. And it doesn’t matter what type of device, or what type of connection—LAN, WAN, wireless, wired, cellular, or WiFi—it is vulnerable, and must be protected.
This is a global issue. However, in some cases the threats may be more severe in countries that lack a strong culture of security, or where there aren’t laws and industry regulations that specify best practices and are backed up by strong financial penalties when organizations fail to take proper precautions.
A May 2016 study on privacy and security of healthcare data conducted by the Ponemon Institute revealed that criminal motivations are the leading drivers behind healthcare data breaches. Cybercriminals include those seeking financial profit as well as hacktivists and nation states who leak private information or threaten data integrity as leverage for geopolitical or economic gain.
The study showed that criminal motives top the list of the causes of healthcare data breaches. Employee negligence and lost or stolen devices still result in many data breaches, but one of the trends is a shift in data breaches—from accidental to intentional—as criminals are increasingly targeting and exploiting healthcare data. Ponemon says that “Cyber criminals recognize two critical facts about the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) they do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect healthcare data.”
Compared to other attack vectors – such as employee negligence, cyber-attackers, attacks against smartphones, and the use of public cloud services – insecure medical devices are not at the top of the cyberattack food chain. They aren’t yet a primary attack vector, or a top target for cybercriminals. That’s just as well – since those devices aren’t particularly secure, and many organizations wouldn’t know where to begin to protect them.
When it comes to protecting connected medical devices, there are three main factors to consider: 1) the capability of the device, 2) the ability of the practitioner/provider to provide care, and 3) the critical function of the device itself. If any of those are compromised, patient health or privacy could be at risk.
Merely having some security built into the device, such as passwords or data encryption during transmission, does not assure security and privacy. Implementation and post-implementation support are part of the entire life cycle needed to assure the security of those devices and the information flowing to and from them.
Everything the device utilizes must be efficient and secure; otherwise, it will have a detrimental impact on the facility’s ability to provide care. The technology supply chain, including the device itself, the manufacturers, servers, network and the medical professionals themselves, needs to be secure in order to assure patient health and the appropriate delivery of the medical service.
In many countries or regions, the use of devices is regulated – they must be approved before they can be purchased or deployed. The government may carry out testing or certification, or have a specific set of requirements placed on the device and its manufacturers. The question this raises is how security is approached: is the government taking an active role in security, ensuring there are preventative methods for these medical devices?
In the United States, there are centralized agencies like the U.S. Federal Drug Administration monitoring these devices, setting standards, and publishing best practices, whereas in other countries, those roles are played by a national health service, which has the authority to mandate the use of specific products and vendors.
MEDICAL DEVICE SECURITY DOWN-UNDER
One country that is aware of the problem, but has yet to take strong regulatory action, is Australia. The Therapeutic Goods Administration of the Department of Health offers regulatory guidelines for all medical devices. Last updated in May 2011, those guidelines are not up-to-date with the latest best practices about cybercrime and the Internet of Things. However, the government is working on measures and even beginning to take action in this area. In March 2016, the Department of Health published a Medical Devices Safety Update, which focuses on reducing the vulnerability of medical devices to potential hacking, malware and other such attacks. The update identifies a wide range of medical devices as potentially vulnerable to unwanted intrusion, including devices incorporating wireless communications that are particularly vulnerable as potential hackers can operate remotely.
Although there have been no reports of hacking attacks on medical devices in Australia, there have been reports of such attacks overseas. Cybersecurity experts in Australia have demonstrated a wide range of potential vulnerabilities in simulated attacks, advising medical device sponsors and asset owners to perform risk assessments by examining the specific clinical use of potentially affected products in the host environment.
The Australian report refers healthcare organizations back to the U.S., and guidelines from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). No specific requirements are highlighted for securing medical devices or the infrastructure supporting those devices.
WHAT YOU CAN DO
Medical device security is a multifaceted problem; you can’t just point to the device itself and ask “Is it secure?” The security chain is only as strong as its weakest link, and that chain goes all the way from the hospital to the manufacturer to the regulator. At the end of the day, it starts with the doctor attaching the device to the patient and making sure the correct security checks have been made to ensure patient safety.
Part of ensuring strong security is having the right technology in place to guard the end-points – everything from servers to databases to laptops to medical devices. Cylance believes that traditional signature and heuristics-based protection fails to provide an effective defense as threats grow in sophistication (e.g., sandbox-aware malware). The concept of an effective prevention security layer needs to be brought forth in order for the healthcare industry to right itself and deliver on the promise of administering quality care through uncompromised medical devices and hospital systems.
Utilizing a revolutionary artificial intelligence agent, Cylance’s solutions and services are designed to proactively prevent the execution of advanced persistent threats and malware.
For more information about how Cylance can protect the healthcare industry, including the Internet of Medical Things, read “The Medical Device Paradox: Hospital Systems and Device OEMs Race Against Time to Close the Patient Safety Cyber Gap.”