How we can climb out of this mess

Healthcare security experts argue that hospitals must ensure high availability of medical devices and IT systems with practices that resemble preventing and treating disease. Because ransomware is a symptom rather than the problem.
By Kevin Fu and Harold Thimbleby
07:04 AM

Computer malware seriously disrupted the continuity of clinical operations when WannaCry struck. The Department of Homeland Security began issuing warnings of ransomware vulnerabilities affecting dozens of medical products ranging from radiation oncology and mobile x­rays to ultrasound and anesthesia. Saved by a curious 22­year­old who spent $11 to register a domain name that accidentally disabled the spread of the buggy malware (not a joke), the world can rest briefly until the next attack — which could happen again without warning.

Ransomware itself is not the cause of our problems. Ransomware is symptomatic of design flaws baked into the fabric of our healthcare infrastructure. The root cause is a fragile infrastructure filled with legacy medical device software.

When we know about a disease, do we read about it and hope never to get it? No, we vaccinate, avoid risky areas, wash our hands, and seek immediate help after coming in contact with a carrier. In short, we plan ahead for risk management.

So, what's an effective strategy to mitigate the medical device security risks that can disrupt clinical operations?

Simply deploying new technology is not the answer. Replacing old unmaintainable computers with new unmaintainable computers is not the answer either. An effective approach must address five core parts of the healthcare delivery supply chain: manufacturing, procurement, regulation, training and governance.

First, medical device manufacturers must design medical devices to remain safe and effective despite cybersecurity risks. The U.S. Food and Drug Administration already recognizes community standards and best practices such as the AAMI TIR57 for building security into the design of medical devices. Microsoft warned manufacturers from day one of the scheduled obsolescence of Windows XP. The operating system “end of road” hazard signs were unambiguous and forewarned years before reaching the cliff. While manufacturers may have sold the unmaintainable products, hospitals made the mistake of buying them. Hospitals accumulate legacy devices for decades without a financial model to sunset unsecurable products.

With procurement practices such as the cybersecurity “vendor book” from the Mayo Clinic, hospitals should factor meaningful cybersecurity into purchasing decisions. Medical devices should come with a bill of software materials to enable risk­based purchasing decisions. Hospitals need to buy and maintain better equipment with better service contracts — and they need to keep track of their inventory down to the port numbers, ethernet MAC addresses, and software versions so they can better manage risk. Manufacturers should give providers a database that maps medical device serial numbers to MAC addresses to make network-based inventory tracking feasible.

Governments should consider construction of a test hospital for national cyber crashworthiness trials of healthcare infrastructure. The automotive manufacturing community performs crashworthiness testing so consumers can know the risk. Although patients prescribed a medical device are far safer with the device than without, patients and hospitals deserve to know what risks they are accepting when receiving or purchasing a medical device.

Regulators must take into account the geographic problem that malware does not respect international boundaries. The same core cybersecurity problems exist everywhere, and healthcare IT cultures in different countries suffer from surprisingly similar computing problems. Medical device regulators such as FDA, MHRA in the UK, and CFDA in China need informed authority and legislative remit to ensure that medical devices remain safe and effective despite cybersecurity threats.

Who is liable for problems? Who feels any economic incentive to fix things? Unfortunately, not the entities with the most capability to address the causes, as the recent ransomware fiasco illustrates. Governments could mandate a phasing out of unsecurable devices and operating systems with penalties assessed by the HHS Office for Civil Rights, for the case of the U.S.

Fighting international criminals with considerable economic incentive will remain a continually losing battle without a coherent and fair regulatory strategy. For instance, the Criminal Justice Act in the UK assumes that information technology makes no security mistakes. Such poorly designed laws open the door to misguided prosecution of well­intentioned doctors and nurses for shortcomings in the medical systems and devices themselves. Legislation ought to incentivize cybersecurity and safety for manufacturing medical devices rather than penalize innocent healthcare delivery professionals and patients who make fair and reasonable attempts to report problems to manufacturers or regulators.

Workforce shortfalls remain a great barrier to cybersecurity. Few of our computer science students choose to work in healthcare. We need to focus attention on the great opportunity for computer science students to help improve healthcare. Double major in biomedical engineering! Manufacturers and governments should offer prestigious graduate fellowships to attract the best students to the field so that manufacturers, hospitals, and regulators can fill their open cybersecurity positions.

Finally, hospitals need effective governance structure for controlling software safety risks in medical device. A hospital should designate a top­level executive with the authority, responsibility, accountability, and budget for cybersecurity in the pursuit of healthcare safety that covers both the biomedical engineering and IT departments.

No medical device is perfectly secure, but a hospital should gracefully recover from cyberattacks rather than suffer system­wide outages for days. Patients should never be forced to doubt in the availability and integrity of healthcare delivery. Security is a means to an end, and that end goal is safe and effective delivery of healthcare.

The recent global outbreak of ransomware is just the symptom du jour, and it’s time to act on recommendations to improve cybersecurity in manufacturing, procurement, regulation, training, and governance. Until cybersecurity becomes as second nature as hand washing, we should expect the cybersecurity problems to increase in frequency and consequence.

If there’s any silver lining, perhaps manufacturers, healthcare delivery organizations, and governments will begin to think more strategically rather than reactively to improving healthcare cybersecurity.

Kevin Fu, PhD, is CEO and chief scientist of healthcare cybersecurity company Virta Laboratories and directs the Archimedes Center for Medical Device Security at the University of Michigan. Harold Thimbleby, PhD, is Professor of Computer Science at Swansea University, Wales. He is an honorary Fellow of the Royal College of Physicians and analyses hospital IT problems.