Hospital survival guide for a world overflowing with unsecured medical devices
Medical device security is an utter mess.
Consider this: The machines themselves often have 10, 15 or even 20-year lifespans and replacing those legacy devices with more secure ones en masse is simply not a realistic option.
Take the Mayo Clinic, for instance. The organization has what Clinical Information Security Director Kevin McDonald described as a boatload of medical devices anchored down by legacy products.
“Until all of our devices turnover, until manufacturers start churning out devices with security built-in, I have to deal with them,” said Kevin McDonald, Director of Clinical Information Security at the Mayo Clinic. “Security should not be the sole responsibility of healthcare providers.”
Yet accountability for testing and securing medical devices is terribly difficult to come by. Nearly one-third of hospitals and the same percentage of device manufacturers, in fact, said no one person or job function is primarily responsible for device security, according to new research conducted by the Ponemon Institute.
So just how bad could device security threats actually become in the meantime? And what are forward-looking hospitals doing to prepare?
Worst-case scenarios for medical devices
With only $390 million of the $5.5 billion that HelpNet Security estimated providers and manufacturers have spent on security in 2016 going toward medical devices, it’s no wonder many experts see devices as a potential nightmare.
“You’re always going to be able to misconfigure a medical device to do something bad,” said Kevin Fu, CEO Virta Laboratories and director of the Archimedes Center for Medical Device Security at the University of Michigan.
CynergisTek CEO Mac McMillan said that in four or five minutes by using the Shodan search engine his team was able to look at all the devices across the U.S., narrow that down by state, then city, and ultimately identify specific facilities to determine whether or not they could crack into a vulnerable system.
“When devices are used for wrong purposes they can become powerful weapons for attacking systems, gaining access to systems, disrupting services across a broad spectrum,” McMillan said. “We’re seeing more and more IoT attacks.”
Kaiser Permanente Chief Technology Risk Officer George DeCesare added that he expects to see more and more IoT attacks.
He added that Kaiser already fights off more than 3 billion events, including 36 million unauthorized network attacks and, in a ransomware attempt, the system fended off 270,000 emails within an hour.
And Kaiser is aware that things could get more complicated.
“If we end up in a war, medical devices will become weapons because they’re wide open and can have some serious effects — let’s hope that doesn’t ever happen,” DeCesare said.
Simple steps go a long way
While hospital executives and information security teams cannot control everything that could happen, they can take steps to fortify their medical devices.
The U.S. Food and Drug Administration offers some guidance, but hospitals are mostly on their own when it comes to testing devices, according to Christiana Care Health System CISO Anahi Santiago.
“We do our own testing and network segmentation,” Santiago said. “We practice minimum necessary functionality to hold devices to only what they are intended to do.”
Read more Innovation Pulse columns from Healthcare IT News.
Mayo’s McDonald said that a few simple steps can go a long way toward securing devices, including creating an inventory of hardware and software, installing anti-virus programs and local firewalls, whitelisting and prohibiting default or non-expiring passwords. He also recommended standardizing patching, testing and vulnerability assessments. But even those will only get make devices 60-70 percent safer most of the time.
“There’s a dizzying array of uniqueness and variation that makes medical device security hard,” McDonald added. “You need to hand craft individual solutions for each. That takes a huge knowledge base.”
And it’s not a future-proofing answer to today’s medical device security problems.
To bolster its security posture, Mayo is working to nail down an onboarding process wherein its threat vulnerability management experts scan new devices, McDonald said. For legacy machines they are looking to find a way to identify and monitor those.
Healthcare needs a path forward
It’s been said countless times before that security requires fresh tactics and technological approaches — whether by harnessing existing tools, turning to cloud providers or implementing visionary ideas such as applying analytics or evidence-based security — as well a new mindset.
Indeed, security for security’s sake is at the very least not the whole story and perhaps even missing the point entirely.
“Information security is a patient safety issue,” Santiago said. Virta’s Fu agreed with Santiago’s assertion that patient safety is the top priority, even more so than security itself.
Kaiser’s DeCesare added that hospitals and the healthcare industry must move security forward.
That cultural shift will not only take years but also touch on everything hospitals and networks do as organizations.
“If you think we’ll just solve medical device security in 10 years, you are kidding yourself,” Fu said. “What we need is a gradient to slowly improve, to know where we need to be in 1 year and 5 years and then in 10 years.”