Showing posts with label BioMed. Show all posts

Understanding Medical Device Security


The FDA recall of a medical device last week has caused a bit of a media storm as the general public scrambles to find out more. The fact that a medical device meant to help sustain life is insecure and could be hacked to kill a patient is alarming to all of us. More worrying is that the medical device subject to the recall, a cardiac rhythm management product, or “pacemaker” to the rest of us, is probably not an anomaly. Many other medical devices more than likely also lack adequate security.

To understand the risks, we first need to understand the problem. To be honest, this could require an extensive series of blog posts over weeks to fully examine and explain this properly, but here’s the 50,000-foot version.


Different types of medical devices and the risks they pose

First, there are the implantable medical devices (IMDs) like the medical pacemaker at the center of this story. This group of medical devices includes the implanted insulin pump that security researcher Barnaby Jack hacked live on stage at the Miami Hacker Halted Conference in 2011, reconfiguring the device to deliver a lethal drug dose. It also includes a pacemaker that was hacked, again by Jack, at the Melbourne BreakPoint Security Conference in 2012 to deliver a lethal 830 volt electric shock to a patient.

Second are the much wider range of network-attached medical devices used in healthcare delivery. These include:

  • Diagnostic imaging systems: ultrasound, MRI, PET, CT scanners, and X-ray machines
  • Treatment equipment: infusion pumps, medical lasers, and surgical machinery 
  • Life support: ventilators, anesthetic and dialysis machines 
  • Medical monitors for oxygen saturation, blood pressure, ECG and EEG, and many, many more. 

The greatest data-security risks for medical devices

Network-attached devices far outnumber implantable ones, but both have one thing in common—a very long life span! No one wants a pacemaker that needs to be replaced every couple of years, and hospitals simply can’t afford to rip and replace their multi-million-dollar investment in x-ray machines, and PET and CT scanners if they still work perfectly. Many current medical devices are 15 or 20 years old already, placed into service when the rest of us were deploying Windows 95 and dial-up modems.

The greatest risk to medical devices, however, is that many lack even the basic security protections that a $200 home PC has - things like antivirus software and a host firewall. The danger is that when a malware worm gets into a hospital and spreads laterally across the network to reach highly vulnerable medical devices, it either quickly infects them (many of the newer models run a form of Windows XP), or the malware multicast traffic storm causes the medical device to crash or just stop working. The most likely outcome is not that someone hacks the device and changes a parameter, although that is a distinct possibility, but that its battery is quickly drained and it powers off, or the system blue screens and ceases to provide life-sustaining care.



Understanding the Problem

You can't protect what you don't know about, and most hospital systems have very little idea just how many medical devices they have on premises, or how many attach to their wired or wireless network and therefore pose the highest risk. More importantly, they rarely know how many of those devices contain PHI and are therefore subject to an annual HIPAA Risk Assessment and to OCR validation that a risk assessment has been conducted annually.

To manage a problem you first need to understand the problem. Performing an accurate and periodic or ongoing asset inventory is a first step. The difficulty is twofold, however. First, medical devices do not simply show up in a Windows Explorer or Finder view of the network, nor can they be actively scanned in many cases. Second, many devices are powered on as needed for patient care, then powered off and returned to storage. So understanding exactly how many you have, what each does, and what versions of OS and software each is running, while at the same time trying to avoid double counting, is not exactly easy.

What is needed is a way to passively monitor the network to identify typical medical device network traffic along with endpoint IP addresses, VLAN and physical location, and to perform some sort of profiling of devices including the identification and recording of unique device characteristics. Fortunately, there are tools and companies that do this now, so you don't need to reinvent the wheel.
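The passive inventory described above can be sketched as follows. This is an added example, not code from the original post or from any vendor tool. It assumes flow records captured from a span port or tap on the same layer-2 segment, so the source MAC identifies the device. The sample records and the use of well-known DICOM and HL7 ports as a "medical traffic" hint are constructed for illustration.

```python
from dataclasses import dataclass, field

# Port-to-protocol hints (IANA registrations): DICOM imaging and HL7 MLLP messaging.
PROTOCOL_HINTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7-MLLP"}

# Constructed sample of passively observed flows:
# (unix time, source MAC, source IP, VLAN, destination TCP port)
OBSERVED = [
    (1000, "00:11:22:aa:bb:01", "10.20.1.15", 120, 104),
    (1060, "00:11:22:aa:bb:02", "10.20.2.40", 130, 2575),
    (5000, "00:11:22:aa:bb:01", "10.20.1.77", 120, 11112),  # same device, new DHCP lease
    (5100, "00:11:22:aa:bb:03", "10.20.3.9", 140, 443),     # no medical protocol seen
    (9000, "00:11:22:AA:BB:02", "10.20.2.40", 130, 2575),   # same MAC, different case
]

@dataclass
class Device:
    mac: str
    first_seen: int
    last_seen: int
    ips: set = field(default_factory=set)
    vlans: set = field(default_factory=set)
    protocols: set = field(default_factory=set)

def build_inventory(records):
    """Fold flow records into one entry per device, keyed on normalised MAC,
    so a device that changes IP or is power-cycled is not counted twice."""
    inventory = {}
    for ts, mac, ip, vlan, port in records:
        key = mac.lower()
        dev = inventory.setdefault(key, Device(key, ts, ts))
        dev.first_seen = min(dev.first_seen, ts)
        dev.last_seen = max(dev.last_seen, ts)
        dev.ips.add(ip)
        dev.vlans.add(vlan)
        if port in PROTOCOL_HINTS:
            dev.protocols.add(PROTOCOL_HINTS[port])
    return inventory

def likely_medical(inventory):
    """MACs of devices that spoke at least one medical protocol."""
    return sorted(m for m, d in inventory.items() if d.protocols)

def not_seen_since(inventory, cutoff):
    """Devices silent since `cutoff`: likely powered off or in storage."""
    return sorted(m for m, d in inventory.items() if d.last_seen < cutoff)

if __name__ == "__main__":
    inv = build_inventory(OBSERVED)
    for mac in likely_medical(inv):
        d = inv[mac]
        print(mac, sorted(d.protocols), sorted(d.ips), d.first_seen, d.last_seen)
```

Keeping `last_seen` rather than deleting silent entries is what lets the inventory survive devices being returned to storage between uses.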

Once an inventory is obtained, you can identify potential weaknesses, known threats and vulnerabilities, and evaluate probability and likelihood as you would for other IT devices subject to HIPAA Risk Analysis. Once you have identified your highest-risk devices, you can set about patching or otherwise remediating risks, or implement compensating security controls until such time as a longer-term solution can be implemented or the vulnerable assets retired and replaced. Unfortunately, most medical devices today exhibit some level of risk, and older devices may prove to be more secure than newer ones thanks to obscure operating systems or firmware compared to today's COTS (commercial off-the-shelf) embedded OS versions.


How to reduce risk and protect devices

It’s going to take years, and billions of dollars that healthcare providers simply don’t have, to patch or replace the arsenal of insecure medical devices. So, we need to look at alternatives to secure them for the rest of their life-spans. This is best accomplished by the use of compensating security controls, which doubles as an acceptable audit of risks as far as HIPAA and OCR are concerned.

By far the most effective approach is the use of network access control (NAC) with microsegmentation, where medical devices are locked down and secured by the software-defined network (SDN) they are attached to. (Attempting to manage 350,000 individual medical devices otherwise in a hospital is near impossible.)

Modern network infrastructure supports security technologies like Cisco TrustSec©, where each network port acts as a virtual firewall. Using security group tags (SGTs) and the Identity Services Engine (ISE), network traffic is controlled so that only specifically authorized users - biomedical equipment technicians (or BMETs, as they are known) - have access to reprogram devices, and these systems are only able to communicate with designated internal IP addresses using predetermined ports and protocols. The network will drop everything else, like malware traffic and any connection attempts from unauthorized users. Many of the more advanced healthcare providers have already adopted such an approach, and by employing compensating security controls like ISE and TrustSec have been able to secure their networked medical devices from attack at the click of a button.
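The group-based, default-deny policy described above can be modelled in a few lines. This is an added example, not Cisco configuration and not code from the original post. The group names, subnets and ports are hypothetical, and groups are assigned by subnet here only to keep the model self-contained, whereas a tag-based deployment assigns them by authenticated identity.

```python
import ipaddress

# Hypothetical group membership by subnet (stand-in for identity-based tags).
GROUPS = {
    "INFUSION_PUMP": ipaddress.ip_network("10.50.0.0/24"),
    "PUMP_SERVER": ipaddress.ip_network("10.60.0.10/32"),
    "BMET_WORKSTATION": ipaddress.ip_network("10.70.0.0/28"),
}

# Allowlist: (source group, destination group, protocol, destination port).
# Ports are hypothetical. Anything not listed here is dropped.
ALLOW = {
    ("INFUSION_PUMP", "PUMP_SERVER", "tcp", 8443),     # device reporting to its server
    ("BMET_WORKSTATION", "INFUSION_PUMP", "tcp", 22),  # BMET maintenance access
}

# Constructed flows: (source IP, destination IP, protocol, destination port)
FLOWS = [
    ("10.50.0.21", "10.60.0.10", "tcp", 8443),  # pump to designated server
    ("10.70.0.5", "10.50.0.21", "tcp", 22),     # BMET reprogramming a pump
    ("10.50.0.21", "10.50.0.22", "tcp", 445),   # pump to pump, lateral traffic
    ("10.80.1.9", "10.50.0.21", "tcp", 22),     # ungrouped host trying maintenance port
    ("10.50.0.21", "10.60.0.10", "tcp", 80),    # right peer, port not predetermined
]

def group_of(ip):
    """Return the group whose subnet contains `ip`, or UNKNOWN."""
    addr = ipaddress.ip_address(ip)
    for name, net in GROUPS.items():
        if addr in net:
            return name
    return "UNKNOWN"

def decide(src_ip, dst_ip, proto, dport):
    """Permit only exact allowlist matches; everything else is denied."""
    rule = (group_of(src_ip), group_of(dst_ip), proto, dport)
    return "permit" if rule in ALLOW else "deny"

def evaluate(flows):
    """Return the decision for each flow, in order."""
    return [decide(*flow) for flow in flows]

if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, evaluate(FLOWS)):
        print(verdict, flow)
```

The third flow shows why the allowlist is written per group pair: two pumps on the same subnet still cannot talk to each other, which is what stops a worm from spreading device to device.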


This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above. 

FDA announces first-ever recall of a medical device due to cyber risk

 

This week, the FDA took the unprecedented step of recalling a medical device – a pacemaker – because it was found to be vulnerable to cyber threats. The recall arose from an investigation by the FDA in February that highlighted a number of areas of non-compliance. While there are no known reports of patient harm related to the implanted devices affected by the recall, the step was taken as a preventative measure. A firmware update has been developed (and approved by the FDA) that can be applied during a patient visit with their healthcare provider.



Medical device vulnerabilities have been on the FDA’s radar for some time. In July 2015, the FDA issued an Alert highlighting cyber risks related to infusion pumps. Then, at the end of 2016, it issued what it called “guidance” on the post-market management of cybersecurity for medical devices. But aside from market pressure, there was no enforcement mechanism for any of these alerts and statements. To make matters worse, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to reduce or mitigate device security risks. Many thought leaders in the healthcare security space have been pushing for greater governance of medical devices as more and more security vulnerabilities and back doors to these devices have been discovered.

While “homicide by medical device” may seem like a far-fetched Hollywood-esque scenario right now, it’s not completely out of the realm of possibility. “The potential for immediate patient harm arising from hackers gaining control of a pacemaker is obvious, even if the ability to do so on a mass scale is theoretical,” Fussa pointed out. “For example, imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid. In this week’s recall alone, 465,000 devices are affected. An attack of this type would pose an immediate risk to all of these patients and would likely overwhelm the ability to respond.”

While it’s good news that the FDA is acting to protect patients from harm due to cyberattack, connected devices continue to pose a threat to both patients and facilities. There’s been no shortage of press on the subject, and most healthcare executives are keenly aware of the problem. However, very few have an effective or scalable solution.



Many hospital systems have in excess of 350,000 medical devices, before you even start to count the implantable ones that leave with patients. Most of these devices were never designed with security in mind, and many have multiple ways in which they can be compromised by a hacker. The fact that we are not aware of any reported patient deaths yet is a good thing, but the industry has a very short window to secure its medical device arsenal before hospitals and patients get held to ransom. Health systems need to be looking at segmentation as a compensating security control to prevent attacks, until the medical device industry catches up.

Do you have a plan in place to secure your facility’s medical devices? Are you able to segment and isolate traffic to them?

Do you have visibility into who and what is communicating with your biomed systems and do you have ransomware protection?

Having specific answers to these questions will be key to a strong, ongoing defense against attacks.


This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.