The Internet of Things is continuing to grow and expand, with some aspects of smart technology even entering the human body through pacemakers and other smart medical implants. However, as medical devices become smarter, they are also becoming more vulnerable to hackers and other malicious actors. The Cipher Brief asked Kurt Hagerman, the CISO for cybersecurity firm Armor, for an assessment of the potential threat to networked medical devices. According to him, the threat is real, and only changes in government regulations and consumer behavior can help to mitigate it.
The Cipher Brief: Networked medical devices appear to sit at the intersection of the recent spate of hospital cyber-attacks and the rising – but still vulnerable – Internet of Things (IoT). How would you gauge the potential threat of hackers starting to target these medical devices?
Kurt Hagerman: The threat is real as more and more medical devices are being connected into existing healthcare networks. Many of these devices were not originally designed to be connected to a network, and this functionality has been bolted on with little to no security in mind. Even newer devices lack basic network and authentication security controls.
Since there has not been a mandate to include these security controls, manufacturers don’t take the steps to include them in hopes of remaining price-competitive. This reality, in addition to the devices that run old, outdated operating systems (both software and embedded), is a recipe for disaster.
There have been many successful demonstrations of the ability to compromise medical devices. In fact, the threats were real enough that doctors disabled the wireless functionality in former Vice President Dick Cheney’s pacemaker. There was also a successful demonstration of the ability to compromise a da Vinci robot during surgery (on a cadaver) by intercepting commands in flight and altering the instruction to change the outcome.
In a recent conversation with the CISO for a major hospital organization, he shared that they had over 300 ultrasound machines, from more than 25 vendors, and many lacked the ability to install security updates. He also shared that he could not even scan many devices, as the scan itself would cause the device to stop functioning.
This is a very real problem. It needs to be addressed at all levels of the industry, starting with updates to current regulations. The device manufacturers should require a minimum level of security functionality. Healthcare organizations also need to be more selective when purchasing devices and only do so when each meets their approved security standards.
TCB: Ransomware appears to be an increasingly popular method of attacking both the healthcare industry and IoT devices. Is ransomware a concern in this area?
KH: Yes, the use of this type of attack is on the rise against healthcare. While most of the recent attacks have focused on locking up workstations and other non-critical equipment, the attackers have sent lists of devices they can access, including those used to provide care. From there, they simply used this knowledge to extort money from the healthcare organizations.
Given the concerns I expressed over the generally poor state of security for medical devices, it is clear that attackers using ransomware methods could target networked medical devices.
Of more concern is the ability of terrorists or others intent on causing deliberate harm. If left unmitigated, ransomware and other types of attacks may be leveraged to cause mass panic and a loss of faith in our healthcare system.
TCB: How do you anticipate this threat will change over the next 10 years? What factors will affect these changes and why?
KH: The threat from ransomware will likely decrease as there are significantly increased efforts to combat it. As more is understood about how these attacks work, vendors will deliver more effective methods to detect and protect networks. Organizations will better understand their risk and implement processes that will help defend against these attacks.
One such process is to perform regular backups of an organization’s critical data and maintain ready-to-deploy images of systems that may have been compromised. Another is to move to virtual desktop deployments for end-users, so there is no persistent desktop that can be as easily compromised and utilized over time.
Other factors that I believe will contribute to better security include:
- The increased awareness of network segmentation and resource-based authentication that will make it more difficult for an attacker to gain access to a large number of devices from the typically exploited end-user system;
- Separation of application access from actual system access; and
- Use of services to construct and deploy applications as opposed to server-centric approaches, including the use of containerization that more easily allows an organization to quickly redeploy affected resources.
TCB: What processes are in place to ensure that networked medical devices are secure? What more can be, or needs to be done? What is the role of the government in this area?
KH: The most common processes to help secure medical devices include:
- Full and detailed inventory of devices to allow for an understanding of the built-in security features and functionality;
- Network isolation that helps ensure devices are properly segmented, allowing connection to/from other specified networks and devices;
- Vulnerability scanning to identify new vulnerabilities and missing patches/updates; this is only effective against devices with operating systems that respond to or can withstand the scanning activity;
- Implementing granular authentication/access to limit who can logically access devices; and
- Network and authentication monitoring and alerting to enable an organization to detect anomalous activity before it becomes more serious.
Unfortunately, many devices simply do not have any built-in security features that allow an organization to effectively manage and maintain security.
In addition, humans remain the weakest link in any security program. The most successful attacks are enabled by sophisticated phishing schemes — like spear-phishing and the newer whaling techniques — that are being used to dupe executives (or their assistants) into initiating fraudulent wire transfers.
Originally published in 1997, government regulations for medical device security are badly outdated. It wasn’t until 2003 that they issued their first clarification, the Scope and Application update. The FDA announced a new version of “Part 11, Electronic Records; Electronic Signatures — Scope and Application” would be published in 2006. We are all still waiting.
We can, however, implement a few best practices today to improve the situation. Here are some of the critical items, segmented by owner.
Healthcare Organizations
- Improve the frequency and content of their security awareness training programs and provide more focus around phishing, including implementing regular phishing testing of employees.
- Implement strong network segmentation and device authentication programs to make it more difficult for attackers to move around within their organizations when they get in, which they will do.
- Influence device manufacturers by voting with their pocketbooks and only purchasing new devices from manufacturers that embrace security and include robust security features.
Device Manufacturers
- Build a plan to “sunset” older operating and embedded systems that do not support security features.
Government
- Update CFR 21 Part 11 to consider all current technology and consider consolidating the many different regulations into a single or fewer comprehensive policies that are based on current technology and security knowledge.