When we read the words 'security' and 'medical' in the same sentence, most of us, if our minds work like mine, race immediately to the plethora of data breaches caused by carelessness, poorly configured data storage devices, malicious competitors, or malware/ransomware. Rarely do our minds travel to the security of the medical devices themselves, the devices meant to keep us alive and well.
This is not a new topic for those in the cybersecurity world. This author has been proselytizing for years on the need for, and the benefits of, securing our medical devices and infrastructure. We can no longer afford to treat medical information and medical devices/infrastructure as two separate topics; we must think of securing the data associated with health care in a holistic sense.
These devices collect and retain highly sensitive personal data about the person to whom the device is attached, whether temporarily (an electrocardiogram, or EKG) or more permanently (a pacemaker). As you can imagine, your Protected Health Information (PHI) is being gathered by the device and either stored on it or shared in real time for interrogation and analysis, so the device itself becomes a repository and a conduit of PHI.
Abbott (formerly St. Jude Medical) found itself the center of attention of both the Food and Drug Administration (FDA) and a patient furor over its pacemakers, defibrillators, and other implanted cardiac devices being vulnerable to third-party access via cybersecurity vulnerabilities in their communication interface. An unauthorized party who could reach the device could affect how it operates, to include, in the FDA's words, "rapid depletion of battery and/or inappropriate pacing or shocks." In late August 2017, the FDA approved a firmware update which addressed the cybersecurity vulnerabilities; because the devices are implanted, the update is applied by a health care provider rather than pushed to the patient, which is itself a reminder that patching a medical device is not the same as patching a laptop.
Siemens faced a similar situation. In July 2017 the German electronics company issued a customer alert warning of highly critical vulnerabilities in a variety of its scanners. Pending a solution, which Siemens expects to push out in the fall of 2017, it has directed that the affected devices be taken offline or otherwise isolated from the network. The Department of Homeland Security (DHS) characterized the exploit as "low skill," meaning an attacker needs no special expertise to take advantage of it.
Abbott and Siemens are not alone; they are only the most recent.
The health care industry has awakened to the reality that medical devices require security to be baked in from design to market, to protect both the patient and the patient's Protected Health Information. To that end, in June 2017 the Health Care Industry Cybersecurity Task Force, formed in March 2016, issued its Report on Improving Cybersecurity in the Health Care Industry.
The task force catalogued a smorgasbord of cybersecurity risks facing the health care industry, ranging from ransomware, medical identity theft, and nation-state hacking to supply chain manipulation and disruption, attacks that disrupt patient care, and more.
Not surprisingly, the task force found that “with the exception of IT security personnel, many providers and other health care workers often assume that the IT network and devices they support function efficiently, and that their level of cybersecurity vulnerability is low.”
We share only the titles of the six imperatives and their attendant recommendations, and we find them to be spot-on. The task force pushes both government and industry to move forward together, now.
Imperative 1 – Define and streamline leadership, governance, and expectations for health care industry cybersecurity
Imperative 2 – Increase the security and resilience of medical devices and health IT
Imperative 3 – Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
Imperative 4 – Increase health care industry readiness through improved cybersecurity awareness and education
Imperative 5 – Identify mechanisms to protect R&D efforts and intellectual property from attacks or exposure
Imperative 6 – Improve information sharing of industry threats, risks and mitigations
These imperatives and recommendations are a tall order, and they appropriately call out the vulnerability of small and medium-sized health care entities, whose limited resources leave them least able to compensate for insecure devices. If patient wellbeing were not sufficient impetus, the inability of these small and medium-sized entities to make up for a lack of security in the medical devices themselves should seal the deal: the security has to ship with the device.
To that end, the Cybersecurity Act of 2015, which the task force had in hand during its efforts, called for automated public/private information sharing and enhanced cybersecurity across the entire health care sector. What it did not do was specifically address medical device security and privacy.
Specific to medical device security, Senator Blumenthal (D-CT) introduced the Medical Device Cybersecurity Act of 2017 in July 2017; the bill is now in committee. While it may not be a panacea, the bill's elegance is in its simplicity. It tasks the FDA with creating a report card describing the cybersecurity functions of connected, or cyber, medical devices.
The FDA report card will contain:
If passed, the proposed legislation would be a very large step forward for medical device security and transparency, as it ensures that a medical device's cybersecurity profile exists and is available for examination by both medical providers and patients. Indeed, the report card would be included in "any applications for premarket approval," so a device's security posture is on the record before it reaches the market.
These efforts, albeit slow in coming, are welcome. The number of connected medical devices is only going to increase, and making cybersecurity a mainstay of those devices is all to the good.
And while we would like to say that hardening the medical devices will be sufficient, the imperatives and recommendations introduced by the task force show the breadth of effort required if cybersecurity is to be attained across the health care sector.
About Christopher Burgess
Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).