Connected medical devices are among the most insecure points in a hospital's infrastructure. They are a problem not only for the continuity and integrity of direct patient care; they also offer numerous ways into a hospital network and serve as exfiltration points for medical records, which are stolen and resold for large profits on underground markets.
Treatment regimens, diagnoses, hospital processes, and life-sustaining functions rely heavily on medical devices that are increasingly IoT (Internet of Things)-based. These include drug dispensing pumps, heart monitors, x-ray machines, pacemakers, and many other types of hospital equipment and embedded devices.
The biggest problem with device migration to IoT is that, as with many IoT products, security is not a core focus of the development life cycle or of aftermarket support. Device functionality is treated as the most important aspect. IoT allows some truly great features to be added to devices, but adding them before security is locked down is the equivalent of learning to run before you can walk.
With regulatory oversight relatively lacking, there is no major impetus for device manufacturers to strengthen device security the way they are expected to with prescription drugs. Apart from the few manufacturers wise enough to invest in the ongoing security of their devices on their own, it is unlikely that manufacturers will invest until they have to, whether because of regulation, customer outrage, or a breach that threatens sales or results in fines or litigation.
Until they do, it’s a hacker’s paradise.
Currently, it's a safe bet that many IoT-enabled devices have already been compromised. Medical records are some of the most valuable data available for theft, and medical devices are a convenient way to access and exfiltrate that information.
Additionally, a recent wave of ransomware has infected hospitals, and so it’s fair to ask, “Do these IoT-enabled devices help proliferate this problem?” Without a doubt, the answer is yes.
Hospitals are often in a terrible bargaining position when it comes to ransomware. Life-saving technologies run across their network, and the threat of disruption can literally mean the difference between life and death. The same is true of threats to alter drug doses or otherwise interfere with how medical equipment is intended to operate.
Hospitals should have proper business continuity/disaster recovery (BC/DR) procedures in place, meaning tested backups that ransomware cannot reach and a plan for keeping critical systems running while they are restored, so that they can call a ransomer's bluff. The reality is that many hospitals are not as prepared as they need to be, and they end up paying the ransom to restore access to files they cannot otherwise recover, on systems that cannot sustain an interruption.
Of course, paying the ransom guarantees neither that the files will actually be recovered nor any protection against future attacks. In fact, ransom payments that victims have publicly acknowledged only tell the criminal community that the target is vulnerable and willing to pay to get itself out of trouble.
Over the next 5-10 years, a few things are certain. Ransomware will continue to thrive: the criminals who target hospitals for ransom want money, and they will always go after the vulnerable. The security of IoT devices will slowly improve as manufacturers get smarter about security, but attackers will almost always stay several steps ahead. Large manufacturers and certain devices will make bigger strides given the increasing threats to their device cash cows, but the majority of devices will not see a quantum leap forward in security until they are regulated the way prescription drugs and stents are.
The involvement of the Food and Drug Administration (FDA) in this matter is shockingly light for an entity that is so active in protecting consumers from anything that can be bought at a pharmacy or a grocery store. A quick reading of the "Cybersecurity" section on their website reveals that their activity for the last three years amounts to: issuing postmarket draft guidance to manufacturers, issuing three safety communications, conducting a webinar, holding a public workshop, and entering into a memorandum of understanding with the National Health Information Sharing and Analysis Center. That's it. If you want a sense of how grossly inadequate that is, search for how many recalls the FDA has recently issued for food or drugs. It's hard not to feel that if the drug dispensing pumps were tainted with salmonella instead of a security flaw, they would have been recalled already.
The FDA also wrote an odd acknowledgement on their website that “…while the increased use of wireless technology and software in medical devices also increases the risks of potential cybersecurity threats, these same features also improve health care and increase the ability of health care providers to treat patients.” Can you imagine a pharmaceutical company facing a drug recall making a successful argument to the FDA that basically says, “While many patients can realistically die from taking our pain medication, this same drug also improves health care and increases the ability of health care providers to manage patient pain levels.” I can’t either.
Device security is somehow being treated as nothing more than a side effect. But unlike nausea or muscle aches, exploitation of a security flaw can result in serious harm or death.
The bottom line for government involvement in medical device security is that it is going to take more breaches, several close calls, or even fatalities directly attributable to device security failures before the issue captures the FDA's political will and drives change. Until that happens, device manufacturers are on their own to decide how to approach security, and that approach will be shaped only by what consumers and healthcare providers demand of them.