Showing posts with label FDA. Show all posts

A Pattern of Complacency


A recent story which ran on CBS News entitled “How medical devices like pacemakers and insulin pumps can be hacked” highlighted deficient plans and processes by the US Food and Drug Administration for addressing medical device cybersecurity compromises. The report issued by the Inspector General has been disputed by the FDA, which says that it has worked proactively on the issue with security researchers and ethical hackers to identify and fix many of the problems.

This may be the case, but the fact remains that the industry as a whole has been largely in a state of denial over the breadth and depth of cybersecurity vulnerabilities in medical devices and has been very slow to inventory and remediate risks – even when researchers have shown evidence that many security vulnerabilities pose a significant patient safety concern.

The FDA's close working relationship with manufacturers and its preference for constructive ‘guidance’ rather than ‘enforcement’ has been criticized many times before. Despite a growing body of evidence of medical devices being hacked in research lab environments and live on stage at security conferences around the world dating back nearly a decade, it is only within the last couple of years that new devices were forced to undergo any sort of cybersecurity risk assessment prior to being approved for use on patients. Some say the FDA acted too slowly to bring about change and that nobody yet has really dealt with the legacy device problem. Medical devices have long expected life-cycles, and more expensive systems like X-ray, CT and PET scanners are often depreciated over 15+ years, meaning that near-term replacement of insecure legacy devices is not a feasible option.


Whatever the case, the fact remains that most manufacturers have not taken any sort of proactive role to risk assess the security of their legacy devices in use today, even when informed of security vulnerabilities long before public disclosure. The onus for risk assessment of these devices currently seems to be placed squarely on the shoulders of providers, who in turn are ill-equipped to assess or remediate problems. Solving this problem will take a strong and concerted effort on all sides with robust leadership and oversight provided by the FDA.

The issues highlighted in the CBS report are remarkably similar to another case that I wrote about in 2016 concerning St Jude Medical (now owned by Abbott Labs). Despite being informed of major patient safety risks to its implanted Cardiac Rhythm Devices (pacemakers), St Jude Medical chose not to do anything about these risks until Muddy Waters Capital made an example of the company by trading on futures while engaging a security firm to hack and disclose significant weaknesses in the St Jude devices, thus gaining from a downward adjustment of the St Jude stock price.

The St Jude disclosure caused the first ever FDA intervention in medical device security after mass public concern. The fact however remains that security vulnerabilities in medical devices are likely not limited to only a few manufacturers, but common across the thousands of vendors and hundreds of thousands of medical devices that are in circulation globally. Many, if not most, of these are responsible for keeping patients alive. The trouble is that we don’t really know the true extent of vulnerabilities and the risks posed to patients by these potentially insecure devices.

Manufacturers do not have programs to risk-assess and penetration test their legacy medical devices and only the most recently approved devices were tested at all from a cyber risk perspective – all other testing being primarily functional in nature, in order to obtain FDA approval.

Hospitals and other healthcare delivery organizations that use or surgically implant medical devices in people’s chests rarely, if ever, test medical devices either. Even devices that remain in hospitals, like network-attached morphine and insulin pumps, X-ray and CT scanners, are rarely tested for cybersecurity vulnerabilities, let alone devices that leave with patients and may not be seen again.

Without testing and without performing a thorough and bona fide risk assessment to NIST SP 800-30 standards in line with HIPAA and OCR requirements, we will probably never really know just how big a problem this is across the entire industry.

Until such time as a full forensic examination of implanted medical devices takes place, rather than their simply being burned or buried with the patient, we will probably never know the true number of deaths caused by device failure, how these devices failed exactly, and whether a cyber-attack against the device caused its failure and the premature death of the patient.

The United States does a great job of evaluating and underwriting all kinds of risks – everything from crop yields to natural disasters to the likelihood of flood, fire or theft, yet as a country we really are rolling the dice when it comes to medical risk, and particularly medical device risk. In short, we, as a nation, are gambling on the security of the medical devices that keep many of our citizens alive each day.

FDA announces first-ever recall of a medical device due to cyber risk


This week, the FDA took the unprecedented step of recalling a medical device – a pacemaker – because it was found to be vulnerable to cyber threats. The recall arose from an investigation by the FDA in February that highlighted a number of areas of non-compliance. While there are no known reports of patient harm related to the implanted devices affected by the recall, the step was taken as a preventative measure. A firmware update has been developed (and approved by the FDA) that can be applied during a patient visit with their healthcare provider.



Medical device vulnerabilities have been on the FDA’s radar for some time. In July 2015, the FDA issued an Alert highlighting cyber risks related to infusion pumps. Then, at the end of 2016, it issued what it called “guidance” on the post-market management of cybersecurity for medical devices. But aside from market pressure, there was no enforcement mechanism for any of these alerts and statements. To make matters worse, a recent study revealed that only 51 percent of medical device manufacturers and 44 percent of healthcare organizations currently follow the FDA guidance to reduce or mitigate device security risks. Many thought leaders in the healthcare security space have been pushing for greater governance of medical devices as more and more security vulnerabilities and back doors to these devices have been discovered.

While “homicide by medical device” may seem like a far-fetched Hollywood-esque scenario right now, it’s not completely out of the realm of possibility. “The potential for immediate patient harm arising from hackers gaining control of a pacemaker is obvious, even if the ability to do so on a mass scale is theoretical,” Fussa pointed out. “For example, imagine a ransomware attack that threatens to turn off pacemakers unless a bitcoin ransom is paid. In this week’s recall alone, 465,000 devices are affected. An attack of this type would pose an immediate risk to all of these patients and would likely overwhelm the ability to respond.”

While it’s good news that the FDA is acting to protect patients from harm due to cyberattack, connected devices continue to pose a threat to both patients and facilities. There’s been no shortage of press on the subject, and most healthcare executives are keenly aware of the problem. However, very few have an effective or scalable solution.



Many hospital systems have in excess of 350,000 medical devices, before you even start to count the implantable ones that leave with patients. Most of these devices were never designed with security in mind, and many have multiple ways in which they can be compromised by a hacker. The fact that we are not aware of any reported patient deaths yet is a good thing, but the industry has a very short window to secure its medical device arsenal before hospitals and patients get held to ransom. Health systems need to be looking at segmentation as a compensating security control to prevent attacks, until the medical device industry catches up.

Do you have a plan in place to secure your facility’s medical devices? Are you able to segment and isolate traffic to them?

Do you have visibility into who and what is communicating with your biomed systems and do you have ransomware protection?

Having specific answers to these questions will be key to a strong, ongoing defense against attacks.
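The two questions above, turned into a check a defender can run over exported flow records, as an added example that is not from the original post: it flags traffic into or out of a biomed VLAN that the segment policy does not allow, and so shows who and what is actually talking to the devices. The VLAN range, peer addresses, ports and flow records are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:            # one exported flow record: who spoke to whom, on which port
    src: str
    dst: str
    dport: int

# Hypothetical segment policy (constructed addresses): the biomed VLAN and the peers/ports it may use.
BIOMED_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_PEERS = {
    "10.10.5.10": {2575},    # HL7 interface engine (MLLP)
    "10.10.5.20": {11112},   # PACS receiving DICOM studies
    "10.10.9.5": {22, 443},  # biomed management jump host
}
PLAINTEXT_MGMT_PORTS = {21, 23, 80, 161}  # legacy services often left enabled at defaults

def classify(flow):
    """Return a finding kind for a policy-violating flow, or None if it conforms."""
    src_in = ipaddress.ip_address(flow.src) in BIOMED_NET
    dst_in = ipaddress.ip_address(flow.dst) in BIOMED_NET
    if not (src_in or dst_in):
        return None                        # not biomed traffic; out of scope
    if src_in and dst_in:
        return "intra_segment"             # device-to-device: rarely has a clinical reason
    peer = flow.dst if src_in else flow.src
    if flow.dport in ALLOWED_PEERS.get(peer, set()):
        return None                        # matches the segment policy
    if dst_in and flow.dport in PLAINTEXT_MGMT_PORTS:
        return "plaintext_management"      # something reaching a device's unencrypted admin service
    return "unexpected_inbound" if dst_in else "unexpected_outbound"

def audit_flows(flows):
    return [(kind, f) for f in flows if (kind := classify(f))]

# Constructed flow records standing in for a switch or firewall export.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.10.5.10", 2575),   # monitor sends HL7 to the engine: fine
    Flow("10.20.0.30", "10.10.5.20", 11112),  # CT sends DICOM to PACS: fine
    Flow("10.10.9.5", "10.20.0.30", 22),      # jump host administers the CT: fine
    Flow("10.10.40.77", "10.20.0.30", 23),    # user workstation telnets to the CT
    Flow("10.10.40.77", "10.20.0.15", 445),   # user workstation probes SMB on a monitor
    Flow("10.20.0.15", "198.51.100.23", 443), # monitor calls out to an internet host
    Flow("10.20.0.15", "10.20.0.30", 445),    # monitor talks SMB to the CT
]

if __name__ == "__main__":
    for kind, f in audit_flows(SAMPLE_FLOWS):
        print(f"{kind:22} {f.src} -> {f.dst}:{f.dport}")
```

Each finding kind maps to a different question: the inbound and plaintext findings show who is reaching the devices, the outbound finding shows devices calling out (the pattern ransomware staging would produce), and the intra-segment finding shows whether the segment itself is flat.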


This blog was originally published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.


New Guidelines for Securing Medical Devices and Networks

Medical Device Security

The increased use of technology in healthcare over the past decade has resulted in greatly improved patient outcomes. However, the addition of IP-enabled devices has elevated concerns about security. The U.S. Food and Drug Administration recently published an advisory on Cybersecurity for Medical Devices and Hospital Networks and a new draft guidance document, Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.

It’s likely that the FDA’s guidance responds to a presidential Executive Order and Policy Directive aimed at reducing critical infrastructure risk and a Department of Homeland Security bulletin about the vulnerability of health system LANs due to unsecured medical devices connected to them.

As things stand, medical devices, which include everything from intravenous pumps and pharmacy robots to implanted pacemakers, can represent a huge vulnerability to the security of networks used to deliver healthcare. Many devices connect to hospital LANs via older, insecure wireless technology. Furthermore, many still retain their default security settings, making them easy targets for hackers. Medical devices have therefore become a potentially unsecured backdoor to vast amounts of highly valuable, personally identifiable health information stored on healthcare networks.

Not all providers have firewalled and segmented their networks to isolate these insecure medical devices, or implemented “bent-pipe” application security to encapsulate all communications to and from endpoints. As the black market price of a medical record continues to soar, cybercriminals are increasingly drawn to the easy pickings of poorly secured healthcare networks, making the risks all the more apparent.

While the FDA’s guidance to medical device manufacturers has been a long time coming, in its current form it directs manufacturers to evaluate and address cybersecurity risks and vulnerabilities for current and planned devices. It does not necessarily address the millions of devices that may no longer be supported by manufacturers, but that still dominate hospitals and healthcare systems.

Despite an increased awareness about the vulnerability of these older devices, financial pressure on healthcare delivery makes it challenging for health providers to rip and replace them. Alternative security controls need to be considered to protect these devices and the networks to which they are attached.

While the new FDA guidelines and DHS bulletin stress the risks that medical devices pose to hospital networks, we also need to take into account the reverse situation. If hospital networks can be compromised via wireless medical devices, it stands to reason that life-sustaining medical devices can be compromised through poorly secured hospital networks. While some healthcare providers have state-of-the-art networks with high levels of performance, reliability and security, others have yet to make this investment in people, process and technology.

With ever-growing numbers of medical devices used in critical patient care, the risks that one or more will be compromised should be a huge concern to all of us. As they stand currently, these life-sustaining devices could be targets for cyberassassins or cyberterrorists seeking to extort or hold for ransom patients, medical device manufacturers and healthcare providers.

While attacks of this sort are not yet common, some have already occurred. A real possibility exists that more attacks of this type will take place in the not-too-distant future unless better security controls are used to protect these devices and the networks to which they are connected.

This post was co-authored with Sam Visner, who leads CSC’s global company‐wide cyber strategy.