As if spending time in a hospital or undergoing medical testing isn’t stressful enough, the risk of cyber-attacks against medical devices such as defibrillators, MRIs, insulin pumps and pacemakers has become cause for alarm. And while, now more than ever, attention is being paid to medical device protection, the vulnerability factors persist, making healthcare security a hot topic.
The issue has made headlines recently; earlier this year security researchers pointed to 1,418 flaws in outdated medical equipment still operated by healthcare providers, flaws that give hackers the ability to control systems remotely. Equally troubling was an evaluation issued by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) that indicates cyber-attackers with even low-level hacking skills would be able “to exploit many of these vulnerabilities.”1
In response to an increasing awareness regarding vulnerabilities, the Food and Drug Administration (FDA) this year issued an addendum to its cybersecurity guidance, which defines cybersecurity risks as “continually evolving” and indicates “it is not possible to completely mitigate risks through premarket controls alone.” The FDA, therefore, is calling for manufacturers to put comprehensive risk management programs in place and provide documentation that, among other issues, addresses “complaint handling, quality audit, corrective and preventive action, software validation and risk analysis and servicing.”2
Attacks against medical devices are far reaching; consider improper access to MRI equipment where reconfiguration could result in tragedy. And in terms of patient data – including diagnoses, treatments and financial information – the consequences could be devastating. The bottom line is medical equipment – particularly smaller devices – can easily fall prey to hackers in the same ways as a desktop or laptop computer. This potentially tragic scenario has become an increasing threat since many medical devices, including defibrillators and MRIs, are connected to the Internet and are therefore exposed to attackers who could gain access to unencrypted data, alter settings, and even disable devices.
In fact, in 2012 a research team discovered that pacemakers from several manufacturers could be remotely controlled to deliver deadly shocks by someone on a laptop up to 50 feet away. Two years prior, a long-established international medical device firm was called out when it was discovered that at least four models of insulin pumps sold by the company were vulnerable to wireless hacks. As such, an attacker could remotely disable the device or manipulate settings.3
While weaknesses in connected devices are always a possibility, risk assessments conducted at various hospitals throughout the U.S. point to several areas of security vulnerability that, with the proper management, can be mitigated. Areas of most concern are: default credentials on devices; shortchanging best wireless practices; improper network segmentation; and the absence of proper updates for connected devices.
Safeguarding passwords is one step that is essential to security. In 2013, the ICS-CERT sounded the alert that an estimated 300 medical devices developed by some 40 different vendors contained hard-coded passwords that could be ascertained by unauthorized entities, allowing them to access the devices to modify critical settings.4
The imperative of manufacturers is, at minimum, twofold: to regularly review their cybersecurity practices, taking the appropriate measures to guarantee that only assigned users have access; and to be vigilant regarding user IDs and passwords.
Protection of wireless equipment is another critical security component. The first generation of wireless devices came with Wired Equivalent Privacy (WEP). This encryption system was found to have some serious flaws, making it fairly simple to break into a wireless network; subsequently, Wi-Fi Protected Access 2 (WPA2) was introduced to provide much stronger wireless data encryption. Unfortunately, WEP remains the sole encryption scheme for many healthcare networks and medical devices.
Network segmentation – or splitting a computer network into subnetworks – can act as a weapon against hacking, as it boosts performance and improves security. When a cyber-attacker gains unauthorized access to a network, segmentation (which is also known as micro-segmentation) can offer controls to limit continued advancement across the network. The best security protocol encompasses segmenting the network into multiple zones that have variable security requirements coupled with mandated policy on allowable lateral movement.
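As an added illustration (not part of the original article), the zone-and-policy idea above can be expressed as a default-deny check over observed network flows. The zone names, subnets, allowed flows and sample flow records below are all constructed for the example.

```python
import ipaddress

# Constructed zones and subnets (assumptions, not from the article).
ZONES = {
    "infusion_pumps": ipaddress.ip_network("10.10.1.0/24"),
    "imaging":        ipaddress.ip_network("10.10.2.0/24"),
    "clinical_apps":  ipaddress.ip_network("10.20.0.0/24"),
    "workstations":   ipaddress.ip_network("10.30.0.0/22"),
    "guest_wifi":     ipaddress.ip_network("172.16.0.0/20"),
}

# Default deny: only these (source zone, destination zone, TCP port) flows are allowed.
ALLOWED = {
    ("infusion_pumps", "clinical_apps", 8443),
    ("imaging", "clinical_apps", 104),
    ("workstations", "clinical_apps", 443),
}

def zone_of(ip):
    """Map an IP address to its zone name, or 'unzoned' if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"

def audit_flows(flows):
    """Return (src_zone, dst_zone, port, reason) for each flow that breaks policy."""
    findings = []
    for src, dst, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if "unzoned" in (sz, dz):
            findings.append((sz, dz, port, "endpoint outside any defined zone"))
        elif sz == dz:
            continue  # intra-zone traffic is out of scope for this zone-to-zone policy
        elif (sz, dz, port) not in ALLOWED:
            findings.append((sz, dz, port, "cross-zone flow not in allow list"))
    return findings

# Constructed flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("10.10.1.15", "10.20.0.5", 8443),   # pump -> clinical app, allowed
    ("10.30.1.40", "10.10.2.7", 3389),   # workstation -> imaging, not allowed
    ("172.16.3.9", "10.10.1.15", 23),    # guest Wi-Fi -> pump, not allowed
    ("10.10.2.7", "10.20.0.5", 104),     # imaging -> clinical app, allowed
    ("192.168.50.2", "10.20.0.5", 443),  # source not in any defined zone
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Run against real flow logs, a check like this shows where traffic crosses zone boundaries that the written policy does not permit, which is the lateral movement segmentation is meant to contain.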
For the protection of their patients and their institutions, hospitals and other healthcare facilities must properly update antivirus software and limit their network to authorized users. Should a security problem arise, these organizations should work in concert with the device manufacturers to find a solution immediately.
Andrew Ostashen is co-founder of Vulsec, a Boston-based firm established to provide clients with the highest methodologies in data protection by delivering versatile tactics to safeguard information technology departments from hackers. Andrew can be reached at 617-648-9815.
1. SC Magazine, March 31, 2016
2. Healthcare Info Security, January 18, 2016
3. Computerworld, October 17, 2012
4. Threatpost, June 14, 2013