Jul 6, 2020
Medical device security: A long journey to much better
The purpose of medical devices is to improve health and prolong lives. And that, in millions of cases, is exactly what they do.
But the reality of a connected world is that malicious hackers could undermine that laudable purpose, turning healing tools into weapons or leverage for ransom or blackmail.
That’s because too many devices in use today, while built to work properly for years — even decades — weren’t designed to be connected to the internet. They weren’t built with cybersecurity in mind.
That is changing — slowly. There is much more awareness of the problem now than even five years ago, and both regulatory and design changes are improving the security of new and even some existing devices.
“Five years ago, security in these devices was more or less an afterthought if it was considered at all,” said Larry Trowell, principal consultant at Synopsys.
“Today security experts are being called in during the design phase of products to look for potential risk areas before the products are off the drawing board.”
This, he said, has led to “definable improvement.”
Joshua Corman, founder of I am the Cavalry and CSO at PTC, Inc., a longtime critic of medical device insecurities, said more explicit guidance from the federal Food and Drug Administration (FDA) beginning in 2014 has put the medical device supply chain “on a very healthy path.”
But given that it takes at least six years to bring a device to the market, from intent to design, building, testing and clearing of premarket certification, “we won’t see the first fruits of it until late 2020,” he said.
And it is expected to take longer — perhaps much longer — for those first fruits to become mainstream.
A 25-year journey?
“It is a long journey,” Trowell said, given that the “refresh cycle” for existing medical devices is five years or longer. Some experts have said it will take up to 25 years to replace all the devices in use today.
None of this should be a surprise. Security experts, along with multiple U.S. government agencies, have warned about it for years.
- The June 2017 “Report on Improving Cybersecurity in the Healthcare Industry” by a congressional task force (which included Corman) declared that “healthcare cybersecurity is in critical condition.”
- At the 2018 Black Hat conference in Las Vegas, researchers Billy Rios and Jonathan Butts, in a session titled “Exploiting Implanted Medical Devices.” demonstrated that some devices they tested, including infusion pumps, pacemakers and patient monitoring systems, had vulnerabilities that were relatively easy to exploit remotely, which means an attacker could get control of those devices from anywhere on the planet.
Stories like that, while not frequent, keep coming up. In June 2019 came multiple reports of two security vulnerabilities, one ranked critical, in Becton Dickson (BD) infusion pumps.
Those devices deliver intravenous fluids, including painkillers and medications.
An advisory from the Department of Homeland Security (DHS) said BD’s Alaris Gateway Workstation, which allows the monitoring and control of multiple pumps at the same time within a hospital, could be remotely exploited by an attacker with a low skill level.
And BD is not an outlier. SF Gate reported a year ago that DHS had issued 29 medical device vulnerability advisories in the previous year — more than the 23 issued during the previous five years.
Physician hackers Christian Dameff, an ER doctor, and Jeff Tully, a pediatrician and anesthesiologist, have for a couple of years now been doing demonstrations at the RSA Conference in San Francisco of what could happen to patients if hospital monitoring systems were taken down by a cyberattack.
Privacy is only good if you’re alive
One reason for presenting those demonstrations, Dameff has said, is because he and Tully believe there is still too much emphasis on the protection of patient data, and not enough on patient care. “We joke around that we like our patients’ privacy, but we’d like them to be alive to use it,” he said.
More recently, the FDA and DHS issued an advisory on URGENT/11, a group of vulnerabilities in IPnet, a third-party software component that supports network communications between computers.
Those vulnerabilities “may allow anyone to remotely take control of the medical device and change its function, cause denial of service, or cause information leaks or logical flaws, which may prevent device function,” the advisory said, adding that “though the IPnet software may no longer be supported by the original software vendor, some manufacturers have a license that allows them to continue to use it without support.”
And MedTech Dive, citing an alert from the international security agency Interpol this past April about a rise in ransomware attacks against hospitals during the COVID-19 pandemic, noted that multiple security experts said connected medical devices are “easy targets for hackers who use them as entry points into hospital networks.”
All those security weaknesses, while serious, are not reason enough to stop using the devices, according to both medical and cybersecurity experts.
One of the slides Rios and Butts used in their presentation read, “The benefits of implanted medical devices outweigh the risks (for most people).”
Still, the reasonable expectation is that the benefits ought to outweigh the risks for everybody.
And the good news is that while reaching that goal is expected to be, as Trowell said, a long journey, the ancient Chinese proverb applies: A journey of a thousand miles begins with a single step. In recent years, the industry has taken multiple steps.
The FDA announced about a year ago that it was adopting UL 2900–2–1 as a new consensus standard for premarket certification.
While it is officially guidance, it might as well be law, since it will essentially require any new device to undergo rigorous security testing and analysis before it will be certified. That is expected to have a major impact on both the industry and patients — over time.
Trowell said he has participated in a number of “initial design review” sessions with manufacturers of medical devices that are “attempting to take security into consideration.
Uneven progress
Kevin Fu, co-founder and chief scientist at Virta Labs, who has researched medical device security for years, said there is progress, but it is uneven. “The state of medical device security is lumpy,” he said. “Some manufacturers are putting in huge efforts and hiring to ramp up cybersecurity, but others are like deer in headlights. We will continue to see vulnerabilities and recalls for decades because of the legacy systems in the marketplace.”
He said the FDA guidelines are useful because they “give clarity to manufacturers on how to improve cybersecurity and we’re safer by following best practices. But there’s no crashproof car. Things can still go wrong.”
Corman said improvements generated by FDA guidance are real and substantive, which means the long-term future is promising — just not the immediate future. He said the “last mile” is to get hospitals and physicians to use newer, improved technologies. He said some physicians even ignore notifications to install updates in devices, arguing that it would be more of a risk than not doing it.
“It’s not that they’re dumb,” he said, “but they argue that so far there has been no evidence of harm. That’s like arguing that if you haven’t seen any cases of Ebola in your hospital, you don’t need to prepare, when you know the velocity at which those things can spread.”
Cyberattacks, he notes, can take place in seconds.
