
Ukraine’s Drone Boom – and What It Might Teach the World
EXPERT INTERVIEWS – Ukrainian President Volodymyr Zelensky announced this week that Ukraine plans to take an already-booming domestic drone industry and boost it to “the […] More
Networked medical devices are becoming steadily more common, and they are making things easier for both patients and healthcare providers. However, there is an accompanying risk of attack from malicious hackers – especially since most of these devices are not designed with security aforethought. The Cipher Brief asked Kurt Roemer, Chief Security Strategist for Citrix Systems, about the nature of the threat to networked medical devices. According to Roemer, better standards and instruction need to be developed in order to protect both patients and their data.
The Cipher Brief: A 2015 report from Forrester indicated that insecure, networked medical devices would be a major threat in the near term, with ransomware forming a key aspect of the threat itself. How do you assess the cyber-vulnerability of networked medical devices?
Kurt Roemer: Many networked medical devices were designed only for internal or personal networks – not for the rigors of security necessary to be exposed to the internet. The criticality of these devices in indicating health parameters and medical conditions, their use to control or direct therapies, and the sensitivity of private health data, indicates medical devices must be configured as secured internet citizens. The use of simple security measures such as passwords, the inability to update key embedded security components (i.e. OpenSSL), and poorly documented security controls cause risk to the confidentiality, integrity, and availability of medical data – and are potentially a direct risk to the patient. Ransomware can keep critical lifesaving data from being available when needed and keep facilities from being able to correctly account for and bill for services performed.
For assessment of networked medical devices, practices similar to those on PC networks should be performed (vulnerability assessment, penetration testing, interoperability testing). The one main difference with medical devices is the focus on the patient – what sensitive patient data does the attack disclose? What is the impact to the patient if data is manipulated?
TCB: Why might a hacker target medical devices, as opposed to other potential targets in other sectors? What factors are likely to affect the desirability of targeting a medical device, and how do you expect those factors will change in the next 10 years?
KR: Hacking medical devices yields power to the attacker that ranges from obtaining data that can be used for identity theft and extortion to directly attacking the physical world – recording false readings, increasing dosages, disabling therapies – and therefore directly affecting the health (and life) of the patient. Factors affecting the targeting of medical devices are the richness and value of the data that can be obtained. There are many parallels here to the financial world, where basic credit card terminals enable theft of cardholder data, and more advanced terminals have authentication built in via chip-and-PIN, along with end-to-end encryption of data. As the value of protecting medical data receives the attention, as it should, regulations, standards, and products will evolve to meet requirements for protection, as cardholder environments have with the PCI DSS.
TCB: How has the healthcare industry responded to the growing cyber-threat in this area? What more still needs to be done?
KR: Medical institutions have struggled to further isolate vulnerable devices and are also pushing vendors to increase the security of devices and services to acceptable levels. Consumers are rating products lower that expose their data and cannot be securely patched and updated. Standards need to be developed, instituted, and adopted to secure these devices and services while providing clear indication to medical professionals and consumers that protections are enabled. Devices that are beyond their end-of-support date for security review and updates must be taken out of service, and applications that can no longer appropriately secure healthcare data must securely dispose of that data. Easier said than done, but there are many innovators working on the problems of adaptive healthcare security.
TCB: What is the role of the government in combating this type of threat? How can government and industry better work together to make medical devices more secure?
KR: For a great example of the government’s role in securing healthcare, visit http://healthcare.nist.gov. NIST (National Institute of Standards and Technology) is addressing many complex issues in healthcare security, including medical devices and data quality.
Related Articles
EXPERT INTERVIEWS – Ukrainian President Volodymyr Zelensky announced this week that Ukraine plans to take an already-booming domestic drone industry and boost it to “the […] More
EXCLUSIVE CIPHER BRIEF REPORTING — The Cipher Brief was the first to report on Thursday in the weekly Dead Drop column that Director of the […] More
EXCLUSIVE INTERVIEW — One of the most profound impacts of the war in Ukraine has less to do with the frontlines and diplomatic negotiations, and […] More
DEEP DIVE — Over the past week, the Trump administration took two steps involving the pursuit of critical and rare earth minerals: it issued an executive […] More
DEEP DIVE — President Donald Trump’s foreign aid freeze will kneecap U.S. efforts to build alliances around cybersecurity issues and help Russia and China seize the […] More
DEEP DIVE — The “Salt Typhoon,” “Volt Typhoon” and “Silk Typhoon” cyber espionage campaigns have become symbols of China’s efforts to hack U.S. infrastructure – and […] More
Search