
Guidance is Not Enough for Medical System Security

Aug 28, 2018


Hospitals and healthcare networks have a big problem. While they were focused on protecting data to be in compliance with HIPAA, they have been steadily deploying more and more technology. Aside from all the personal devices for remote monitoring of patients and even administering drugs, within the hospitals and clinics they have steadily invested in more and more machines.

From the simple bedside intravenous drip to the EKG monitor to the huge CAT scan and NMR machines, an unfortunately large number run a version of Windows. You know what that means. They have to be patched. Often. Probably more than 14 times a year if you are optimistic.

The FDA has published guidance on medical device security and the EU is getting ready to implement a massive medical device regulation in three years.

The FDA’s guidance document, Postmarket Management of Cybersecurity in Medical Devices, mixes the responsibilities of manufacturers and health care providers. Here are some of my thoughts on the overall guidance:

Monitoring cybersecurity information sources for identification and detection of cybersecurity vulnerabilities and risk.
While it has become normal for large enterprises to have threat intelligence teams whose job it is to monitor “cybersecurity information sources,” I have yet to see this inside large hospital systems, let alone the doctor’s office or emergency clinic we all visit from time to time. It is a full-time job just keeping up with the latest vulnerabilities in servers and desktops associated with IT operations. Add in all the medical devices and you are talking specialists for each area. Even with the flood of money that passes through the US healthcare industry, few, if any, organizations are prepared for the level of spending needed to stay on top of all the cybersecurity information sources for every device.

Maintaining robust software life cycle processes that include mechanisms for: monitoring third-party software components for new vulnerabilities throughout the device’s total product life cycle; design verification and validation for software updates and patches that are used to remediate vulnerabilities, including those related to off-the-shelf software.
Not going to happen. Most medical device manufacturers do not even tell their customers what software runs on their machines. A “robust software life cycle process” usually entails maintaining a standard image of your Microsoft licenses and any third-party or off-the-shelf products. It is 100% likely that your NMR machine does not run your standard image, and you do not control the license or have any way to patch it yourself. This is definitely something the manufacturers have to take on. The best you can do is review the contract terms when you are purchasing the machine and satisfy yourself that the supplier knows what they are doing and has a process for fast updating/patching.

Understanding, assessing, and detecting the presence and impact of a vulnerability.
Back to my previous comment. You don’t know what is running on all those machines, so how can you know what vulnerabilities are on them? Port scanning? Probably not a good idea on devices that could cause significant problems if they fail due to an overly aggressive port scan.
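One way to get an inventory without probing the devices is to read what they already tell the network. The following is an added example (not code from the original post): it parses DHCP server log lines in dnsmasq’s format, tags each lease with a vendor guess from the MAC OUI and the DHCP vendor class, and assigns a scan policy so that anything that looks like a medical device is kept on a passive-only list. The log lines, the OUI prefix `aa:bb:cc`, the vendor name “ExampleMed Corp”, the hostname hints and the policy names are all constructed for the example; a real deployment would load the IEEE OUI registry and its own asset tags instead.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of dnsmasq DHCP log lines (as written with log-dhcp enabled).
# These are not real captures; IPs, MACs and hostnames are made up.
SAMPLE_LOG = """\
Aug 28 03:12:01 dhcp dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.5.17 aa:bb:cc:10:20:30 infusion-pump-07
Aug 28 03:12:01 dhcp dnsmasq-dhcp[812]: vendor class: ExampleMed-PumpOS/4.2
Aug 28 03:12:09 dhcp dnsmasq-dhcp[812]: DHCPACK(eth1) 10.20.5.40 aa:bb:cc:55:66:77 ct-console
Aug 28 03:12:09 dhcp dnsmasq-dhcp[812]: vendor class: MSFT 5.0
Aug 28 03:13:44 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.9 de:ad:be:ef:00:01 nurse-ws-12
Aug 28 03:13:44 dhcp dnsmasq-dhcp[812]: vendor class: MSFT 5.0
Aug 28 03:14:02 dhcp dnsmasq-dhcp[812]: DHCPACK(eth0) 10.20.1.10 de:ad:be:ef:00:02 printer-3f
"""

# dnsmasq DHCPACK line: "DHCPACK(<iface>) <ip> <mac> [<hostname>]"
ACK_RE = re.compile(r"DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17})(?: (\S+))?", re.I)
VENDOR_RE = re.compile(r"vendor class: (.+)$")

# Hypothetical OUI-to-vendor table; a real tool would load the IEEE OUI list.
KNOWN_OUIS = {
    "aa:bb:cc": "ExampleMed Corp",  # constructed medical-device vendor
}
# Constructed hostname fragments that suggest clinical equipment.
MEDICAL_HOST_HINTS = ("pump", "ct-", "mri", "ekg", "ventilator")


@dataclass
class Device:
    ip: str
    mac: str
    hostname: str
    vendor_class: Optional[str] = None

    @property
    def oui(self) -> str:
        return self.mac.lower()[:8]


def parse_dhcp_log(text: str) -> List[Device]:
    """Build a device list from DHCP log lines, attaching each
    'vendor class' line to the DHCPACK entry that precedes it."""
    devices: List[Device] = []
    for line in text.splitlines():
        m = ACK_RE.search(line)
        if m:
            ip, mac, host = m.groups()
            devices.append(Device(ip, mac.lower(), host or "<no-hostname>"))
            continue
        v = VENDOR_RE.search(line)
        if v and devices:
            devices[-1].vendor_class = v.group(1).strip()
    return devices


def classify(dev: Device) -> str:
    """Guess a device category from passive signals only (no packets sent)."""
    if dev.oui in KNOWN_OUIS:
        return "medical-device"
    if any(h in dev.hostname.lower() for h in MEDICAL_HOST_HINTS):
        return "medical-device"
    # "MSFT 5.0" is the vendor class identifier Windows DHCP clients send.
    if dev.vendor_class and dev.vendor_class.upper().startswith("MSFT"):
        return "windows-host"
    return "unknown"


def scan_policy(category: str) -> str:
    """Map a category to how vulnerability management may touch it."""
    return {
        "medical-device": "passive-only",          # never active-scan
        "windows-host": "authenticated-scan",      # normal patch tooling
    }.get(category, "review-before-scan")


def build_inventory(text: str) -> Dict[str, Dict[str, str]]:
    inv: Dict[str, Dict[str, str]] = {}
    for dev in parse_dhcp_log(text):
        cat = classify(dev)
        inv[dev.ip] = {
            "hostname": dev.hostname,
            "mac": dev.mac,
            "vendor": KNOWN_OUIS.get(dev.oui, "unknown"),
            "category": cat,
            "scan_policy": scan_policy(cat),
        }
    return inv


if __name__ == "__main__":
    for ip, rec in build_inventory(SAMPLE_LOG).items():
        print(ip, rec)
```

The point of the policy column is that the inventory decides what the scanner is allowed to do before the scanner runs: devices that match a clinical vendor or hostname pattern never reach the active-scan queue, and anything unrecognised is held for a human look rather than scanned by default.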

Establishing and communicating processes for vulnerability intake and handling per ISO/IEC 30111:2013, Information Technology – Security Techniques – Vulnerability Handling Processes.
This one is doable. But you should probably have a vulnerability management system in place first.

Using threat modeling to clearly define how to maintain safety and essential performance of a device by developing mitigations that protect, respond and recover from the cybersecurity risk.
A nice thought, but I doubt many health care providers are set up for threat modeling. Not to say they shouldn’t do it. But this is an about-face from the risk modeling they have been building systems around thanks to so much other guidance from the government, particularly NIST’s Cybersecurity Framework. Threats against health systems fall primarily into the generic category: those posed by rapidly spreading malware and DDoS attacks against network infrastructure.

To sum up, health providers have a long way to go to catch up with banks and defense contractors that have been responding to real threats for 17 years. Like any organization, they have not invested in defending against hypothetical threats. But they are way behind the curve. Threat actors have also been evolving over the last 17 years. If they ever have cause to turn their sights on hospital systems or medical devices, either for financial gain or to cause mayhem, watch out. It is going to be messy.