BreachExchange mailing list archives

Device Makers Take Note: Cyber Attacks Are Already Hitting Healthcare


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 30 Sep 2015 15:56:48 -0500

http://www.mddionline.com/blog/devicetalk/device-makers-take-note-cyber-attacks-are-already-hitting-healthcare-09-29-15

Cyber attacks aren't merely a threat of the future for healthcare companies
and hospitals. In recent months, hospitals all over the country—California,
Indiana, Kansas—have reported cyber attacks on their network systems that
store patient information. The personal data of millions of patients may
have been compromised.

Stephanie Preston, cyber embedded systems engineer at *Battelle*
<http://www.battelle.org/>, says that she is aware of various instances of
ransomware attacks on hospital systems and malware being found on medical
devices. And as *MD+DI* has reported, the FBI and FDA *have issued alerts*
<http://www.mddionline.com/article/fbi-be-wary-connected-medical-devices-09-16-15>
and *safety communications*
<http://www.mddionline.com/article/medical-device-makers-have-no-more-cybersecurity-excuses-08-04-15>
about cybersecurity for medical devices.

Fortunately, there are signs that all of these headlines and alerts are
hitting home for medical device manufacturers.

*Knowing Is Half the Battle*

Preston says that she has noticed more awareness in the medical device
community about the need for cybersecurity. "I think we're still at the
beginning, but I think I'm really optimistic that we're moving in the right
direction . . . There's still a lack of knowledge, but there's a huge area
of interest, which I find a great sign," she says.

As more evidence that cybersecurity is becoming a hot topic for the device
industry, an upcoming conference being hosted by the Massachusetts Medical
Device Industry Council (MassMEDIC), *"Preventing the Unthinkable: Issues
in MedTech Cyber Security—Trends and Policies,"*
<https://www.massmedic.com/events/preventing-the-unthinkable-issues-in-medtech-cyber-security-trends-and-policies/>
is devoted to the topic. The event, taking place on October 1, was
conceived to put regulators, security experts, and medtech professionals in
one room "to come together to talk about common trends and policies and
best practices, to share with a larger audience from the medical device
community," says Tom Sommer, president of *MassMEDIC*
<https://www.massmedic.com/>.

*Where's the Talent?*

Preston, who will be speaking at the conference, says that the increasing
level of education among medical device professionals is lifting one of the
barriers to better defenses against cyber attacks. But more education isn't
enough, Preston notes. Lack of talent is another hurdle. "All industries
that need cybersecurity professionals are struggling to find enough people
who understand security to fill those roles," she says.

As someone who spends her days reverse engineering systems, Preston says
that she and most other security professionals are self-taught. "I'm hoping
that [the talent shortage] will start to be cured as more and more
universities adopt cybersecurity programs," she says.

*Long Development Cycles*

Unlike the tech and software industries, medical device companies have
years-long product development timelines. It is not uncommon for companies
to have a five to seven year horizon on commercializing a new device. And
once the device is being used by or implanted in a patient, it may have a
very long life. That can be another challenge for manufacturers looking to
prevent cyber attacks. Preston says, "That's something that's a little
unique to the medical device community. I hear people draw correlation
between the financial industry and payment processing, credit card swipe
machines, but the truth is, those machines have a much shorter life cycle
both from development and in the field . . . it really makes medical
devices that much more unique—and challenging, truthfully."

*What to Do?*

So how can a medical device maker keep up with the latest cybersecurity
defenses? It's critical to have someone who has both detailed knowledge of
hackable weaknesses and the medical device's features. Preston explains,
"Say I see a new attack that comes out for Bluetooth, or a certain mode of
Bluetooth. Well, if I'm ingrained in the design team, I know, 'Hey, these
are the three devices that could essentially be vulnerable to that new
exploit.'"

While the lack of talent may make finding that expert difficult now, it's
becoming more and more essential, not just for patient safety and company
reputation, but also for manufacturers' pocketbooks. Preston points out
that some purchasing agreements and discussions with hospitals are
beginning to *incorporate the issue of security vulnerabilities*
<http://www.startribune.com/medical-device-security-a-hot-topic-at-fda-workshop/280000232/>
and putting the onus on device manufacturers. Whether this will become a
larger trend remains to be seen.

One thing that device makers should definitely do? Stop using outdated
technology. "Every time I hear something like 'this device is running
Windows XP,' it honestly—if I were hooked up to some kind of heart rate
monitor, you would see it spike—because that terrifies me," Preston says.

Preston recommends manufacturers consider investing in fuzz testing, which
automates testing of the device against hundreds of thousands of pieces of
data in order to identify problems. She says she thinks fuzz testing offers
the "best price per pound," but does point out that a security professional
is needed to help companies analyze the results of the testing.
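To make the fuzz-testing recommendation concrete, here is an added example that is not from the article or from Battelle: a minimal mutation fuzzer in Python run against a constructed parser for a hypothetical length-prefixed telemetry record. The record format, the parser and its two defects are assumptions made up for this illustration; the point is that thousands of failing inputs collapse into a couple of root-cause buckets, which is the analysis step the article says still needs a security professional.

```python
import random
import traceback

class BadRecord(Exception): pass   # the parser's documented rejection of bad input
# Constructed target, not any real device's code: parses a hypothetical record
#   kind (1 byte) | payload length (2 bytes, big-endian) | payload
# with two deliberate defects: unchecked heart-rate payload length, and ASCII assumed for labels.
def parse_record(data: bytes) -> dict:
    if len(data) < 3:
        raise BadRecord("short header")
    kind = data[0]
    length = int.from_bytes(data[1:3], "big")
    payload = data[3:3 + length]
    if kind == 0x01:                               # heart-rate sample, 2 bytes
        return {"kind": "hr", "bpm": (payload[0] << 8) | payload[1]}
    if kind == 0x02:                               # human-readable label
        return {"kind": "label", "text": payload.decode("ascii")}
    raise BadRecord("unknown record kind")

# Two valid seed records (constructed): a 72 bpm sample and the label "abc".
SEEDS = [b"\x01\x00\x02\x00\x48", b"\x02\x00\x03abc"]

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply 1-4 random byte-level edits: overwrite, insert or delete."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and data:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif op == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif op == 2 and len(data) > 1:
            del data[rng.randrange(len(data))]
    return bytes(data)

def fuzz(seeds, iterations: int, rng_seed: int = 1) -> dict:
    """Feed mutated inputs to the parser and bucket unexpected failures by
    (exception type, raising line), so many crashes collapse to a few causes."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            parse_record(case)
        except BadRecord:
            continue                  # rejected as designed, not a finding
        except Exception as exc:      # anything else is a defect worth triage
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            findings.setdefault((type(exc).__name__, frame.lineno), []).append(case)
    return findings
```

Running `fuzz(SEEDS, 100_000)` yields two buckets, each holding many distinct crashing inputs; deciding which of them matter on the real device is the human part of the job.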

Sommer notes that device companies are putting more focus on the software
components of device design. "We're seeing elevated interest in these
issues and sort of a new aspect of product development, which is software
development, the code writer . . . becoming that much more heightened
because of these incidents," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
