Communication breakdown?

FDA finally gets around to addressing the vulnerabilities of IT infrastructure and connected medical devices. Is it enough? Far from it, some say.
By Mike Miliard
12:00 AM

In mid-June, the Food and Drug Administration published what it called a "safety communication" having to do with cybersecurity for medical devices and hospital networks.
Aimed at device manufacturers, clinical staff and hospital IT and security departments, the notice is intended to remind facilities to ensure that "appropriate safeguards are in place" to protect against cyber attacks, "which could be initiated by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks," wrote FDA officials.
Healthcare IT News wrote about these threats in its May 2013 cover story. It's a danger that's just starting to inch onto the radar screens for many in healthcare.
As Kevin Fu, a professor of computer science and engineering at the University of Michigan who specializes in medical device security, explained, "There's a convergence of new devices. At the same time, these devices are becoming highly connected to networks and sometimes to the Internet. These changes together have really changed the landscape."
That sort of connectivity makes for an ever larger and more interconnected playground for bad actors to play on. And those black-hat hackers are only getting more sinister.
"Twenty years ago, when you got spam or computer viruses, it might be the proverbial kid in the basement just sending it out," Fu told Healthcare IT News in May. "Nowadays it comes from well-financed adversaries, taking over massive numbers of computer systems."
The FDA has issued similar guidance on this topic from time to time over the past eight years or so, but June's communication offered clear recommendations to hospitals and vendors to help protect devices and networks.
"Many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity breaches," officials wrote. "In addition, as medical devices are increasingly interconnected, via the Internet, hospital networks, other medical devices and smartphones, there is an increased risk of cybersecurity breaches, which could affect how a medical device operates."
Moving forward, FDA instructed manufacturers that it "expects" them "to take appropriate steps to limit the opportunities for unauthorized access to medical devices," recommending that manufacturers review their cybersecurity practices and policies and implement safeguards to prevent unauthorized access to or modification of their medical devices, or compromise of hospital network security.
As for care providers, FDA recommended that they take steps to evaluate network security, including restricting unauthorized access to the network and networked medical devices; ensuring antivirus software and firewalls are up-to-date; and protecting network components through routine evaluation, including updating security patches and disabling unnecessary ports and services.
Gunter Ollmann, chief technology officer of Seattle-based information security firm IOActive, says it's a start - but only a start.
As he wrote recently on IOActive's blog, "Have you ever been to view a much anticipated movie based upon an exciting book you happened to have read when you were younger, only to be sorely disappointed by what the director finally pulled together on the big screen? Well that's how I feel when I read this newest alert from the FDA."
Even though it's a "long time coming," Ollmann says, "The FDA Safety Communication is wishy-washy in its description of the threat and actions to correct the threat," he tells Healthcare IT News. "It's as if it had to pass through multiple committees and each watered it down to become what it is today. It should have been a call to arms, with a clear communication of how serious the problem is."
And the problem is very serious, he says - much more so than most people suspect. As he wrote: "These medical systems are so brittle that even the slightest knock or tire-kicking can cause them to fail."
He runs down a laundry list of the threats, from vulnerable Wi-Fi connections where "anyone with an iPhone ... can make an unauthenticated connection" to "remote surgeon support and Web camera interfaces used for emergency operations brought down by everyday botnet malware because someone happened to surf the web one day and hit the wrong site."
This stuff is getting more complex, but it's been a critical threat for a long time, says Ollmann: "From my perspective the alert has been due for over a decade."
Even now, though, it falls short. "What's missing from their communication is the imperative to correct," he says. "The alert reads like a passive observer wrote it. The FDA is at a critical point in this ecosystem to correct the path of vendors, manufacturers and administrators, and yet they smooth things over. They could have instigated an action plan to drive the industry forward and make it more secure."
Even for hospitals willing and resourceful enough to take the initiative to make changes, though, "In many ways it's largely too late for the hospitals," says Ollmann.
"They've built vulnerable systems on top of each other for a decade. A malicious attacker could easily make a hospital unserviceable within a few hours - and to think that these are possible targets in a cyber conflict. The medical devices we've been investigating at IOActive clearly show how the industry is far behind all others in understanding the nature of Internet-based communications and the adversary model.
"Hospitals need to conduct comprehensive network security assessments and regular penetration testing just in order to inventory the vulnerabilities they're exposed to - but without budget to fix those vulnerabilities and rearchitect much of their infrastructure, it may be another decade lost to attackers."
At the very least, says Andrew Litt, MD, chief medical officer for Dell Healthcare and Life Sciences, the FDA communication is "a start. It's the beginning of trying to address this in a serious way. People who make these devices are going to have to pay a little more attention to these issues than they maybe would have before. And that's true of the healthcare industry more broadly."
"I don't think what's needed is another regulatory organization stepping in and saying, 'Here's a new set of regulations,'" adds Paul Christman, vice president, public sector at Dell. "I don't think at this point that we need new regulations. We've already got plenty of them; we just need to apply them."
Ultimately, safeguarding these devices and systems is "a question of political will - then leading to financial resources to implement (protections)," says Christman. "It's having the awareness that this is potentially adversely affecting patient care and organization reputation."
On the device side, "It's pretty hard for a device manufacturer to ignore these sets of issues if the FDA puts out even a notice about it, rather than a formal requirement," says Litt. "By doing it this way they give people some time to work through the issues involved. I don't think that's a bad thing."
No question, though: the threat has been here for a while, it is here to stay, and "it will change over time," says Christman. "It's not static. It's persistent; it's advanced. We need to protect against external bad actors, but we also need to take individual responsibility for data security ourselves, internally."