Networked Medical Devices at Risk

Networked medical devices are becoming steadily more common, and they are making things easier for both patients and healthcare providers. However, there is an accompanying risk of attack from malicious hackers – especially since most of these devices are not designed with security in mind. The Cipher Brief asked Kurt Roemer, Chief Security Strategist for Citrix Systems, about the nature of the threat to networked medical devices. According to Roemer, better standards and instruction need to be developed in order to protect both patients and their data.

The Cipher Brief: A 2015 report from Forrester indicated that insecure, networked medical devices would be a major threat in the near term, with ransomware forming a key aspect of the threat itself. How do you assess the cyber-vulnerability of networked medical devices?


Kurt Roemer: Many networked medical devices were designed only for internal or personal networks – not for the rigors of security necessary to be exposed to the internet. The criticality of these devices in indicating health parameters and medical conditions, their use to control or direct therapies, and the sensitivity of private health data, indicate medical devices must be configured as secured internet citizens. The use of simple security measures such as passwords, the inability to update key embedded security components (i.e. OpenSSL), and poorly documented security controls cause risk to the confidentiality, integrity, and availability of medical data – and are potentially a direct risk to the patient. Ransomware can keep critical lifesaving data from being available when needed and keep facilities from being able to correctly account for and bill for services performed.

For assessment of networked medical devices, practices similar to those on PC networks should be performed (vulnerability assessment, penetration testing, interoperability testing). The one main difference with medical devices is the focus on the patient – what sensitive patient data does the attack disclose? What is the impact to the patient if data is manipulated?

TCB: Why might a hacker target medical devices, as opposed to other potential targets in other sectors? What factors are likely to affect the desirability of targeting a medical device, and how do you expect those factors will change in the next 10 years?

KR: Hacking medical devices yields power to the attacker that ranges from obtaining data that can be used for identity theft and extortion to directly attacking the physical world – recording false readings, increasing dosages, disabling therapies – and therefore directly affecting the health (and life) of the patient. Factors affecting the targeting of medical devices are the richness and value of the data that can be obtained. There are many parallels here to the financial world, where basic credit card terminals enable theft of cardholder data, and more advanced terminals have authentication built in via chip-and-PIN, along with end-to-end encryption of data. As the value of protecting medical data receives the attention, as it should, regulations, standards, and products will evolve to meet requirements for protection, as cardholder environments have with the PCI DSS.

TCB: How has the healthcare industry responded to the growing cyber-threat in this area? What more still needs to be done?

KR: Medical institutions have struggled to further isolate vulnerable devices and are also pushing vendors to increase the security of devices and services to acceptable levels. Consumers are rating products lower that expose their data and cannot be securely patched and updated. Standards need to be developed, instituted, and adopted to secure these devices and services while providing clear indication to medical professionals and consumers that protections are enabled. Devices that are beyond their end-of-support date for security review and updates must be taken out of service, and applications that can no longer appropriately secure healthcare data must securely dispose of that data. Easier said than done, but there are many innovators working on the problems of adaptive healthcare security.

TCB: What is the role of the government in combating this type of threat? How can government and industry better work together to make medical devices more secure?

KR: For a great example of the government’s role in securing healthcare, visit https://healthcare.nist.gov. NIST (National Institute of Standards and Technology) is addressing many complex issues in healthcare security, including medical devices and data quality.
