Security of medical devices needs intensive care

Manufacturers, health care organizations must make bigger effort to prioritize patient safety


Medical devices, such as pacemakers, insulin pumps and defibrillators, could become lethal in the hands of a hacker tampering with them remotely.

A new study that shows medical devices—and patients—are vulnerable to cyber attacks is a wake-up call for manufacturers, according to a Silicon Valley software company that sponsored the study.

“Device manufacturers must change their culture and look at security as an equal to patient safety,” says Chris Clark, principal security engineer of strategic initiatives for Mountain View, Calif.-based Synopsys.

The company’s study, which surveyed about 550 employees of device manufacturers and health care delivery organizations (HDOs), found that nearly 70 percent of manufacturers and nearly 60 percent of HDOs believe an attack on a device built or in use by them is likely to occur during the next 12 months.

The most surprising finding, Clark says, is that about 40 percent of manufacturers and 45 percent of HDOs—despite being aware of the risks—take no steps to prevent medical-device attacks.


“There are, however, some positive takeaways,” he says. The study, conducted by the IT research organization Ponemon Institute, showed that “a significant percentage” of HDOs are concerned about the risk of insecure medical devices, and many are taking measures to test them for vulnerabilities. That’s a good sign, Clark says, because most study respondents work for small organizations “with limited resources and expertise in this area.”

Security painfully lacking

About 60 percent of respondents work for organizations with fewer than 1,000 employees, 10 percent said they had no budget for device security, and 40 percent said their annual budget was less than $500,000.

The study found that 59 percent of respondents employed by HDOs rated the importance of medical device security as very high relative to all other data and IT security measures deployed. Yet only 37 percent of those who work for manufacturers consider such security to be of very high importance.


“This tells us the manufacturers still operate under the pretense that security is an HDO issue, and medical device security will be a lower priority for the foreseeable future,” Clark says. “This statistic alone should be of great concern and a critical lesson for HDOs who are truly interested in protecting their infrastructure.”

A cyber attack on a medical device can manifest in various ways.

An attacker could take control of a device to administer inappropriate or harmful treatment to a patient, Clark says. The attacker could dispense the wrong dosage of medication via an infusion pump, manipulate the electrical output of a pacemaker, crash or render a device inoperable, access the data stored or transmitted by a device, or use it to pivot to other systems or devices within the same network.

Hospitals risk erosion of patient confidence

“Each of these scenarios has a physical impact on a device or group of devices, but the real danger is a loss of confidence in the ability of HDOs to deliver quality care and protect patient information,” Clark says. “A breach could be catastrophic for a hospital system.”

The Synopsys study found that 80 percent of respondents who work for medical device manufacturers or HDOs say medical devices are very difficult to secure. The top reasons cited for device vulnerability include accidental coding errors, lack of knowledge/training about secure coding practices and pressure on development teams to meet product deadlines.

Security an afterthought

Securing medical devices also is difficult, Clark says, because security is not a primary consideration early in the design process. “This, along with the need for flexible communications that are often unencrypted or have no security characteristics, creates a wide range of challenges.”

Respondents in the Synopsys study were surveyed before the WannaCry ransomware attack in May. The worldwide cyber attack targeted computers running the Microsoft Windows operating system, spreading through a flaw in the SMBv1 file-sharing protocol that Microsoft had patched two months earlier but that many hospital systems and embedded devices had not yet applied. Within a day, it reportedly infected more than 230,000 computers and medical devices in more than 150 countries.

Health care organizations are “some of the most commonly targeted cyber attack victims, second to only the banking and financial industry,” Clark says. “If you couple that trend with the results of this survey showing how little is being done to protect medical devices, it’s not unreasonable to expect things to get worse before they get better.”

Most stakeholders, though, are “genuinely concerned” about the impact of insecure medical devices—“both in terms of patient safety and risk to their organizations,” Clark says. “What remains to be seen is whether the industry steps up to voluntarily address these challenges or the U.S. Food and Drug Administration takes a more aggressive stance.”
