Medical Device Security: The Hurdles

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.databreachtoday.com/medical-device-security-hurdles-a-6593

Healthcare providers, manufacturers and regulators are becoming
increasingly aware that networked medical devices face emerging
cyberthreats. So they're finally beginning to take action to address those
issues. Still, many hurdles remain.

"2014 is an inflection point for medical device security," said Dale
Nordenberg, M.D., founder of the Medical Device Innovation, Safety and
Security Consortium, during an all-day medical device security workshop he
moderated at the recent 2014 HIMSS Conference in Orlando.

"Regulators issued an important draft guidance last year, healthcare
organizations are starting to assess and demand secure devices and
manufacturers know that organizations expect that and are willing to pay
for it," Nordenberg says. "This will also drive innovation."

Regulatory Action

The Food and Drug Administration last year issued draft cybersecurity
guidance for healthcare and medical device makers. The guidance urges
manufacturers to develop cybersecurity controls in the design phase of
their product development and recommends the companies document their risk
analysis of cybersecurity threats and vulnerabilities and spell out ways to
mitigate those risks, such as through encryption.

The FDA also issued a "safety communication" to manufacturers and
healthcare organizations, listing steps they should consider taking to
mitigate cybersecurity risks to medical devices. For healthcare providers,
those steps include making sure their anti-malware software and firewalls
are updated, ensuring that access to networked devices is restricted and
making sure that medical device makers are contacted about any
cybersecurity issues.

Bakul Patel, senior policy adviser to the director of the Center for
Devices and Radiological Health at the FDA, tells Information Security
Media Group that the final version of guidance for medical device
cybersecurity will be issued in late 2014 or early 2015.

The FDA also opened a cybersecurity lab last year to begin testing medical
devices.

In the Spotlight

But it's not just regulators that are intensifying its attention to medical
device cybersecurity.

Some healthcare organizations are beginning to implement programs that
focus on assessing the risk of medical devices before making final
decisions about the procurement of the products. This also puts pressure on
the makers to improve the security of their products.

"The buck stops with vendors, but there are a lot of interdependencies,"
says Michael McNeil, global product security officer at Philips Healthcare.
He joined the organization last year after holding security leadership
posts at device maker Medtronic.

Information exchange among device manufacturers and users is critical, he
says.

Big Challenges

Medical device security is an extremely complex issue for the healthcare
sector. For instance, some medical device makers believe that they need to
seek FDA re-approval for their products if they provide software patches or
operating system updates to address security issues. But that's a fallacy,
Patel says. And even when there are patches and software updates available
from vendors, healthcare organizations often fail to apply the fixes, he
says.

Compounding those issues is the fact that many medical devices still in use
today were designed before cybersecurity became an area of major concern.
Also, many of the legacy devices still in use have old or even obsolete
operating systems. For instance, some devices run on Windows XP, a system
for which Microsoft will stop offering supporting in April. That means no
more software patches or updates from the vendor will be available to fix
newly found vulnerabilities, notes Kevin Fu, a researcher who is a
professor at the University of Michigan and director of its security and
privacy research lab, which studies the security and safety of devices.

Malware Problems

While there's been a great deal of attention in recent years on white hat
hacker demonstrations showing how wireless medical devices can be attacked
remotely, Fu says "hacking is a bit of a red herring." He stresses that
malware is a much greater threat to medical devices. His research has found
incidents where devices "were factory installed with malware by mistake,"
Fu says.

Another problem for the industry is that best practices for medical device
security aren't in place at many healthcare organizations or even
widespread at many of the medical device makers themselves, researchers say.

For instance, while healthcare organizations should conduct risk
assessments of medical devices that are linked to their networks, that's a
time-intensive chore that some entities, especially smaller ones, lack the
time, expertise or resources to carry out.

Also lacking at some organizations are solid authentication practices for
medical device users. Some organizations neglect to even change the default
settings and passwords on their devices once they're put in place.
Additionally, physicians and other clinicians often resist security
programs that require frequently changing passwords on the devices and
other health IT.

Signs of Progress

Despite the challenges, progress is being made, especially as awareness of
the threats against medical device security grows, Nordenberg says.

In addition to FDA guidance, help in risk management practices and
assessment is also being offered by others, including the Medical Device
Innovation, Safety and Security Consortium. The group is offering the
Medical Device Risk Assessment Platform, which provides guidance for
risk-based assessment of common security capabilities and control gaps in
medical devices.

The guidance is based on a tool developed at John Muir Health, a Northern
California integrated health delivery network, which uses it for evaluating
both application and device risk. The tool provides a risk score by
category and allows comparative studies across several different devices,
Nordenberg says.

More robust standards are emerging as well, including those related to
manufacturers and healthcare providers managing and evaluating the security
risks of medical devices for the entire life cycle of the products,
including pre-procurement by healthcare entities. For example, IEC 62443, a
comprehensive set of 12 standards from the International Electrotechnical
Commission, covers nearly every aspect of the security lifecycle of systems
used in industrial control systems, says Mike Ahmadi, global director of
medical security, Codenomicon Ltd., a security testing firm.

Researchers are also spending more time examining other issues that play a
role in medical device security, ranging from testing the vulnerability of
hardware components as well as firmware and other software used in the
devices, says Ryan Kastner, a professor in the Department of Computer
Science and Engineering at the University of California, San Diego.

Additional Steps

So far, mainly larger provider organizations, such as the Department of
Veterans Affairs' Veterans Health Administration, are conducting medical
device risk assessments, says Theresa Cullen, the VA's chief medical
information officer. But even smaller organizations with fewer resources
can complete such assessments, she contends.

Besides conducting risk assessments and applying software patches and
operating system updates, organizations should consider other steps to help
improve the security of medical devices. Among those is giving
bio-engineers the necessary access privileges so they can monitor the
devices for performance and anomalies, Cullen told the HIMSS workshop
audience.

Incident reporting is also vital, she adds. Not only is it important for
technology and security experts to monitor devices, but other staff also
should be trained to report problems to the appropriate security leaders.
Cullen recalls a recent incident where an unusual number of VA patients at
one facility had a blood gas analysis indicating high sodium readings. VA
clinicians helped the lab to quickly identify a problem with the testing
equipment. "It was not a security issue, but was a patient safety issue,
and that's the most important thing in delivering healthcare," Cullen says.

Separate Networks

Healthcare organizations also should consider segregating medical devices
to run on networks separate from their main IT network to reduce risk of
malware and other problems being introduced to the devices or spreading,
Cullen says.

Smaller organizations that lack the resources to set up a segregated
network for medical devices should still try to carefully assess device
risks on an ongoing basis, she stresses.

Patel calls on healthcare providers and medical device manufacturers to
consider how to improve detection and response to emerging security issues.
"Think up front, think frequently, and fix problems before something
happens," he says. "Don't wait for someone else to move the needle."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!