
The Key to Improving Medical Device Security is Collaboration, Visibility

Manufacturers, healthcare delivery organizations, policymakers, and even patients need collaboration to better understand and address medical device security risks and improve visibility.

The recently reported Ripple20 vulnerabilities in the Treck TCP/IP stack, found in more than 52,000 medical device models and capable of enabling remote code execution, highlight the need for greater collaboration between healthcare delivery organizations, manufacturers, and other entities to shorten response time to critical flaws and fuel a more coordinated response.

Awareness around medical device security has drastically improved in recent years, as security researchers have continued to spotlight just how easy it would be for a hacker to break into a device and disrupt its function. 

However, many providers are still struggling to keep pace with the continual stream of vulnerability disclosures and necessary patch management. 

For Kelly Rozumalski, Booz Allen's Secure Connected Health Director, moving the needle on medical device security requires providers to better understand that the risk extends beyond data security.

“Yes, a hacker could get into a device and change its function, which is a real patient safety issue,” Rozumalski explained. “But it can also be used to gain access into an entire hospital network. And ransomware continues to be a relevant threat, especially in the hospital environment. The consequences are severe." 

Vulnerable medical devices can provide a foothold into the network for ransomware and other attacks, as can telehealth, edge computing, the remote workforce, and bring-your-own-device policies, as healthcare continually becomes a more connected environment.

Hospital networks have a host of connected devices, from MRI machines to infusion pumps, many of which pose serious risks from a security perspective. Recent Forescout research found the most at-risk medical devices include radiotherapy systems, HL7 gateways, and Picture Archiving and Communication Systems (PACS).

Further, security researchers have previously noted that many providers under-estimate the number of devices connected to the enterprise environment. CHIME has also stressed that gaining real-time insights into medical device vulnerabilities is not currently a possibility.

It takes just one vulnerability to give a hacker access to a device, and if that device is connected to the network, the attacker can leverage that access to reach patient records and other sensitive data on the network, she explained.

“The consequences are much greater than you would think when you initially look at the problem,” Rozumalski said. 

Shared Responsibility 

As stressed by the majority of security researchers, the key to healthcare cybersecurity lies with people, policies, and processes. Rozumalski explained there are many stakeholders that need to be involved in the process to improve healthcare’s security posture. 

For example, one of the overlying issues is determining just who is responsible for the security of the device, and when there is an incident, who is to blame? 

“There needs to be a shared responsibility between regulators, healthcare delivery organizations, and manufacturers to secure these devices,” Rozumalski said. “Everyone needs to play a role in a collaborative effort. And even patients need to be aware of the challenges.” 

“Everyone needs training. And beyond training, there also lies the challenge of legacy devices, which occur because most devices don’t have replacement options that could serve the required function,” she added. “These devices were built before modern security standards and not designed with security in mind. And the fact is, legacy devices aren’t going anywhere soon.” 

While some manufacturers are limiting risk through compensating controls, she stressed that the healthcare sector still needs more solutions to shore up these vulnerable devices. More manufacturers need to work on securing the cyber infrastructure throughout the product life cycle, as medical device security must begin with its design and continue through to its end-of-life. 


“What the FDA is doing with standards and guidance is really cutting edge. And there will be additional guidance going forward that will empower manufacturers to build in security at the beginning,” she added. 

But policymakers also need to take a strong role by establishing regulation to match new product innovation, Rozumalski explained. There’s a significant need to make a fundamental shift to build reliable cybersecurity operations and take control of innovation. 

Coordinated vulnerability disclosures will also play an important part in reducing the risk medical devices pose to the healthcare sector. Rozumalski stressed that manufacturers also need to share those disclosures with other manufacturers so everyone is on the same page. 

“All of these things play into medical device security, and stakeholders need to come together to solve the problem,” Rozumalski said. “We're at a critical moment where integrated cybersecurity across all facets of the industry is needed."

“Manufacturers, cyber practitioners, patients need to play a role in building and maintaining connected devices,” she continued. “It’s made a lot of progress. At the end of the day, we’re talking about patient safety. It’s the most critical and important thing.” 

Mitigating Steps 

To close some of these gaps, organizations first need to understand what devices are connected to the network. For Rozumalski, medical device visibility is crucial to reducing risk: not only an inventory of the devices on the network, but an understanding of how they communicate with each other and detailed information on all components the manufacturer installed in them. 

By leveraging a bill of materials (a software or cybersecurity bill of materials for the device), for example, organizations can view a comprehensive inventory of the assemblies, raw materials, and components installed on the devices, along with their quantities. However, she stressed that there isn’t a universal list to expedite the process, so coverage depends on what each manufacturer supplies. 

“As new vulnerabilities come to life, the bill of material can allow [administrators] to verify the components within a specific device, which allows you to quickly act and mitigate the risk,” she said.  
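The triage step Rozumalski describes, matching a new advisory against the bill of materials of every device on the network, is shown below as an added example; it is not code from the original article or from Booz Allen. The device inventory, the component name `hypothetical-tcpip-stack`, the version numbers and the advisory are all constructed for illustration. The example also reports devices for which no bill of materials is available, which is the gap the "no universal list" caveat leaves open.

```python
"""Match a new advisory against per-device bills of materials (constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Component:
    name: str
    version: str


@dataclass
class Device:
    asset_id: str
    model: str
    segment: str                         # network segment / VLAN the device talks on
    sbom: Optional[List[Component]]      # None: manufacturer supplied no bill of materials


@dataclass
class Advisory:
    component: str
    fixed_in: str                        # first version that is NOT vulnerable
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.0.1-rc2' into (6, 0, 1); non-numeric suffixes are ignored."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """Installed version is vulnerable if it predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def triage(inventory: List[Device], advisory: Advisory):
    """Return (affected, unknown): devices running a vulnerable component,
    and devices whose exposure cannot be determined because no SBOM exists."""
    affected, unknown = [], []
    for device in inventory:
        if device.sbom is None:
            unknown.append(device.asset_id)
            continue
        for comp in device.sbom:
            if comp.name == advisory.component and is_vulnerable(comp.version, advisory.fixed_in):
                affected.append((device.asset_id, device.model, device.segment, comp.version))
    return affected, unknown


def by_segment(affected) -> dict:
    """Group affected assets by network segment to prioritise isolation."""
    groups: dict = {}
    for asset_id, _model, segment, _version in affected:
        groups.setdefault(segment, []).append(asset_id)
    return groups


# Constructed inventory; component and version numbers are hypothetical.
INVENTORY = [
    Device("INF-001", "infusion pump", "clinical-vlan-20",
           [Component("hypothetical-tcpip-stack", "4.7.1"), Component("rtos-core", "2.3")]),
    Device("INF-002", "infusion pump", "clinical-vlan-20",
           [Component("hypothetical-tcpip-stack", "5.2.0"), Component("rtos-core", "2.3")]),
    Device("PACS-01", "PACS server", "imaging-vlan-30",
           [Component("hypothetical-tcpip-stack", "3.9.0"), Component("dicom-service", "1.8")]),
    Device("MRI-01", "MRI scanner", "imaging-vlan-30", None),
]

# Constructed advisory for the hypothetical component.
ADVISORY = Advisory(component="hypothetical-tcpip-stack", fixed_in="5.0.0", severity="critical")


if __name__ == "__main__":
    affected, unknown = triage(INVENTORY, ADVISORY)
    for asset_id, model, segment, version in affected:
        print(f"{ADVISORY.severity.upper()}: {asset_id} ({model}) on {segment} runs {version}")
    print("isolate by segment:", by_segment(affected))
    print("no SBOM, exposure unknown:", unknown)
```

Devices without a bill of materials are listed separately rather than treated as safe; until the manufacturer supplies one, the only defensible assumption is that their exposure is unknown.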

However, hospital organizations are struggling to invest enough in cybersecurity and many lack the adequate amount of cyber staff or tools to help consistently approach medical device security. Rozumalski said that in the future the money may follow, as more guidance, regulations, and standards are implemented across the sector. 

In the end, everyone needs to be on the same page. Administrators should sit with fellow chief information security officers to determine how they’re tackling the issue, while reviewing freely accessible resources that can support organizations attempting to secure the connected medical device environment. 

Rozumalski recommended insights from the Healthcare and Public Health Sector Coordinating Council (HSCC), H-ISAC, and FDA premarket guidance with checklists that manufacturers can use to make sure security is built into the device. 

All parties need to be engaged to facilitate the effort to mitigate cyber threats, she added. 

“Sometimes when talking about patient safety, security might not be top of mind,” Rozumalski said. “The industry needs to continue to transform, and bring awareness to hospital systems to regulate the issue. Progress needs to continue to be made, so everyone is aware of the consequences.” 

“Security will take time, and progress has been made,” she concluded. “There’s a cross sector of government bodies out there helping to bring these parties together to coordinate vulnerability disclosures. We’re headed in the right direction. We need to continue to spotlight the challenges and consequences of what could potentially happen if there’s an attack on a device.”
