Every healthcare facility has been quickly adding large numbers of connected medical devices to their networks. These devices, despite misconceptions, are endpoints just like any other computer. They process sensitive data, connect to the internal network and sometimes the internet, and are often significantly more vulnerable than standard endpoints like servers and desktops. Many cyber threats exist because of medical devices, yet they are not typically considered endpoints and are rarely managed, or even vetted, by IT or Information Security teams.
This article will cover some of the most crucial threats that medical devices represent—the reality of biomed. We’ll start with a brief look at the poor decisions that have led to the overall broken biomed world. Finally, this article will include a few tips on how to better secure connected medical devices.
Reality Versus Security
Something many people don't associate with security is that it always involves some level of frustration. That frustration in no way means that good security practices and hygiene are not the key to a secure network.
Consider a related issue: No city, large building, or ship in the world is completely free of pests. There are always rats, roaches, and mice, and while it may have taken a lot of human history for us to come to terms with this fact, the sheer cost of eliminating them and ensuring none get back in is massively prohibitive.
Similar to cities and ships, modern networks are going to have pests (i.e. attackers and malicious insiders). No system is “pest free.” Breaches will happen as evidenced in the brief outlines of a few real-world incidents below, but the more that’s done to plan for and thwart an attack, the more secure the organization can be.
1. Insulin pumps are one of the most common connected medical devices. These machines are designed to provide insulin to patients ensuring they don’t have further complications related to their disease. As with anything that protects a patient’s health and safety, any mistakes or complications can and will affect the safety of the patient. In July of 2019, Medtronic, the manufacturer of many medical devices on the market, recalled at least 4,000 flawed devices after being pressured by the FDA.
While the specific vulnerability was not disclosed publicly, the FDA said, “an unauthorized person could potentially connect wirelessly to a nearby MiniMed insulin pump with cybersecurity vulnerabilities. This person could change the pump’s settings to either over-deliver insulin to a patient, leading to low blood sugar (hypoglycemia), or stop insulin delivery, leading to high blood sugar and diabetic ketoacidosis.”
2. Implanted defibrillators have also been a concern since 2007 because of potentially life-threatening remote (wireless) vulnerabilities. The subject of implanted medical device security first came up when former Vice President Dick Cheney was implanted with a defibrillator. His physicians, in conjunction with the United States Secret Service, decided the risk of someone attempting to compromise his implanted device was too great, making this the first public case of this feature being disabled for security reasons. This goes to show just how long it has been well known that these devices are vulnerable to life-threatening attack.
3. Medtronic was in the spotlight again in March 2019 when it disclosed that 19 variations of their popular cardiac implantable cardioverter defibrillators (ICDs) were vulnerable to a remote attack that could allow an unauthorized attacker to send signals to stop or fail to restart the patient’s heart. Despite this being an obviously life-threatening attack, Medtronic is not being fined or forced by the FDA to do anything. Their official response essentially told patients and physicians to “be careful” of who has access to the device, as no patches are planned for release.
Why Are Things So Broken?
All devices, whether a $20 WiFi camera or a $100,000 fMRI machine, are designed to work immediately with little to no setup, meaning that they often function using the default settings. Being so easy to use means they are often minimally secured. In addition, manufacturers claim systems can't be patched, citing FDA regulations (21 CFR 807.81(a)(3)) that say the function of the device cannot be changed without their approval. In the same regulation's revisions, the FDA has stated that security patching, anti-virus, and even changing network communication ports do not change the device's function. Despite this, many systems are not patched or protected as they need to be, even though all connected systems are endpoints and should be treated as such.
In addition to default settings plaguing medical devices, the devices also frequently run flawed and outdated operating systems and software. For example, a large portion of medical devices run on the "embedded" version of Windows 7 (which is on the verge of losing support) or even older Microsoft operating systems such as XP.
Devices also frequently run on highly customized (read: much less secure) versions of the Linux operating system. Unfortunately, the majority of these devices either are incapable of being updated or never receive updates from their manufacturers, leaving tens of thousands of crucial devices highly susceptible to attack.
Misconceptions Create Weaknesses
Mismanagement is another major weakness in the security of connected medical devices. There is a pervasive misconception that medical devices are different from other endpoints and, because of this, they receive different treatment than “normal” endpoints. There is absolutely no difference to an attacker if the device is a Domain Controller, heart monitor, or a printer—if it is connected to the network and vulnerable to attack, it is their entry point.
Physical access is the “Holy Grail” for an attacker. Any device a hacker (good or bad) can get their hands on can be compromised within a few minutes at most. Hospitals are filled with as many non-staff as employees at any given time. This non-staff population includes visitors, patients, and vendors and it is difficult to keep them under the same kind of controls as employees (EULAs, Acceptable Use policies, and physical access).
Each patient in a hospital room in 2019 likely has multiple devices assigned to them. Ask yourself:
- How much data are these devices collecting?
- How are they secured from theft of both data and the physical devices?
- Does the organization know where each device on their network sits physically?
These and many other questions need to be considered with much greater frequency than they are today.
Securing Medical Devices
Finally, here are three steps you can take now to improve device security:
- Most importantly, medical devices are as big a risk as any other endpoint—and the stakes are higher if patient care or safety is at risk. Whatever measures are in place to lock down and ensure the security of desktops and servers should also be translated to protect organizational medical devices.
- Clinical Engineering (i.e., the team that traditionally handles medical devices), IT, and Information Security teams need to work together to secure devices.
- Educate, educate, educate. Understanding that medical devices pose high risks to security and patient safety and often contain very sensitive data can help make headway towards better security.
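
One way to act on the first step and on the inventory questions asked earlier, as an added example that is not part of the original article: the sketch below runs the same checks over every endpoint regardless of device type and lists hosts seen on the network that no team has inventoried. The CSV columns, MAC addresses, and the unsupported-OS marker list are all constructed assumptions.

```python
import csv
import io

# Constructed inventory export; all names and values are illustrative.
INVENTORY_CSV = """mac,device_type,os,location,owner_team,default_config
02:00:00:00:00:01,desktop,Windows 10,Admin 2F,IT,no
02:00:00:00:00:02,infusion pump,Windows XP Embedded,,Clinical Engineering,yes
02:00:00:00:00:03,patient monitor,Windows Embedded Standard 7,Ward 4 Rm 12,,no
02:00:00:00:00:04,imaging console,Vendor Linux,Radiology B1,Clinical Engineering,yes
02:00:00:00:00:05,patient monitor,Vendor Linux,Ward 4 Rm 13,Clinical Engineering,no
"""

# Constructed list of MACs seen on the clinical network by discovery tooling.
OBSERVED_MACS = ["02:00:00:00:00:02", "02:00:00:00:00:05", "02:00:00:00:00:99"]

# Assumption: site policy markers for out-of-support operating systems,
# seeded from the article's examples (XP and embedded Windows 7).
UNSUPPORTED_OS_MARKERS = ("windows xp", "windows 7", "standard 7")


def load_inventory(csv_text):
    """Index inventory rows by lower-cased MAC address."""
    return {r["mac"].lower(): r for r in csv.DictReader(io.StringIO(csv_text))}


def audit_device(row):
    """Apply the same checks to every endpoint, with no device_type exemption."""
    findings = []
    if any(m in row["os"].lower() for m in UNSUPPORTED_OS_MARKERS):
        findings.append("unsupported-os")
    if row["default_config"].strip().lower() == "yes":
        findings.append("default-config")
    if not row["location"].strip():
        findings.append("no-physical-location")
    if not row["owner_team"].strip():
        findings.append("no-owner")
    return findings


def audit(csv_text, observed_macs):
    """Return (findings per inventoried MAC, observed MACs missing from inventory)."""
    inventory = load_inventory(csv_text)
    findings = {mac: f for mac, row in inventory.items() if (f := audit_device(row))}
    unmanaged = sorted(m.lower() for m in observed_macs if m.lower() not in inventory)
    return findings, unmanaged


if __name__ == "__main__":
    findings, unmanaged = audit(INVENTORY_CSV, OBSERVED_MACS)
    for mac, issues in findings.items():
        print(mac, ", ".join(issues))
    print("not in inventory:", unmanaged)
```

The desktop and the medical devices pass through the same `audit_device` function, so a pump running an unsupported OS is flagged exactly as a workstation would be.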