Endless, Terrifying Possibilities: This is Why You Need a Good Medical Device COP
Here’s a scary thought: There is no HIPAA-style regulation (HIPAA being the Health Insurance Portability and Accountability Act) designed to save a human life from a cyberattack on a medical device.
Every healthcare organization is well-versed in HIPAA compliance requirements for protecting patient health data and identifying information. However, there is not yet an analogous HIPAA or FDA (Food and Drug Administration) requirement aimed at protecting patients from an attack on the medical devices themselves.
The FDA has been ramping up its efforts to address security of medical devices for several years. The agency published new guidance for manufacturers of medical devices in 2016, with a goal of having security “baked in” to medical devices rather than “bolted on” after market. In 2017, the FDA acknowledged progress on that front while issuing additional recommendations and incentives for comprehensive “management of medical device cybersecurity risks throughout the total product life cycle,” including “closely monitoring devices already on the market for cybersecurity issues.” The FDA is also working to encourage and enable a continued culture shift toward information sharing and analysis of vulnerabilities.
Medical device security is an issue the Department of Homeland Security is also taking very seriously. But it takes time for manufacturers to catch up.
Meanwhile, hospitals generally try to get 20 or more years of use out of devices, so there’s a huge time lag before most will purchase new devices that would have better built-in security.
Now an even scarier fact: Sensato has found an average of 6.2 vulnerabilities per medical device. In addition, 60 percent of devices are at end-of-life stage, with no patches or upgrades available.
How vulnerable are you to a cyberattack on your medical devices? Contact us to discuss what we have learned after working with a variety of hospitals and medical device manufacturers.
The possibilities for the types of havoc hackers could wreak by exploiting these vulnerabilities have made for some gripping plot lines on TV shows like Chicago Med, The Night Shift, and Grey’s Anatomy. Unfortunately, this is one time that we should truly hope that fiction is, and remains, stranger than truth.
So far, attacks on healthcare organizations have mostly fallen into the cybercrime category—hackers have infected organizations with malware and ransomware to steal patient information and/or demand ransom in exchange for returning records or for releasing systems held hostage by the attackers.
But data breaches, as distressing and expensive as they can be, are the benign tip of the iceberg compared to the worst-case scenario for medical devices.
Worst-Case: Loss of Life
Cyberattacks on medical devices can adversely impact patient care or even cause loss of life.
The WannaCry ransomware attack in 2017, for example, shut down 65 hospitals in the United Kingdom and infected an undisclosed number of medical facilities in the United States, freezing computers, blood-storage refrigerators, and MRI machines. Forbes reported that a Bayer Medrad device used for monitoring the delivery of contrast agent for MRI scans was among the WannaCry infections in the U.S. Confirmed by a Bayer spokesperson, the Bayer incident was reported as the first confirmed example of a ransomware attack directly interfering with the operation of a medical device.
Vulnerabilities with direct patient-safety implications had already been identified before any attack exploited them. In 2017, Abbott (formerly St. Jude Medical) issued a voluntary recall, announced in an FDA safety communication, to install a firmware update in its pacemakers after vulnerabilities were found that could let an unauthorized user drain the battery and, worse, change the pacing settings to slow or speed up the heart’s rhythm. In 2016, Johnson & Johnson warned customers about a security issue with one of its insulin pumps.
The possibilities are terrifying and endless: tampering with scanned images, resulting in misdiagnoses or unnecessary surgeries; shutting down equipment used in intensive care units; altering the calibrated settings of blood and other critical-product storage, causing contamination and spoilage; outright denial of service that cuts off timely patient care, interferes with in-progress surgeries and other treatments, and leaves patient histories incomplete. The list goes on.
Traditional IT Security Operating on a 2010 Mindset
And yet, as Sensato Cybersecurity Solutions CEO John Gomez points out, most IT security attention is operating with a 2010 mindset and is focused solely on protecting patient information and identities. “It sounds very strange, given the severity and seriousness of the potential for damage and loss of life, but there’s just no regulatory guidance telling hospitals and other healthcare organizations what they must do to protect patients’ health and safety from attacks on medical devices and medical infrastructure.” What keeps Gomez awake at night is the threat of cyberterrorism.
Gomez notes that there are three basic types of cyberattackers: spies, criminals, and terrorists.
Spies are generally after intelligence and information that can be used for covert operations or for direct cyberattacks on high value targets.
Criminals just want to make money, so they’re interested in information that can be sold, or they use ransomware to hold systems hostage until the organization pays a ransom.
Terrorists are driven by an ideological goal, so they’re interested in, at the very least, causing disruption, which can scale from attacks that result in a loss of confidence in medical institutions and devices to attacks aimed at taking human lives.
“Cyberterrorists are the scariest of all; they’ll go after someone’s life,” says Gomez. “We hope and suspect that in any type of cyberwar not waged by a terrorist organization, cyberspies will respect the traditional rules of war. Among those rules of war is that you don’t attack hospitals. But a cyberterrorist organization doesn’t obey the rules of war.”
Refocusing Cybersecurity: Saving Lives
This sobering reality was the cornerstone on which Gomez and his team at Sensato built the cybersecurity company’s unique and comprehensive model for helping healthcare organizations safeguard people’s lives. “Having your personal data stolen in a cyberattack is an awful experience for you and for the company whose records were breached, but you’ll eventually get your identity back and the organization will recover its losses,” says Gomez.
“When someone attacks a medical device or critical infrastructure, you’re talking about people’s lives, and you can’t get a life back. That’s why our focus is on protecting people.”
With a background in design of special operations and tactics and counter-terrorism programs for military and law enforcement, Gomez saw that he could apply a command-and-control type of military approach to the problem of protecting people from cyberattacks on medical devices and infrastructure. He also borrowed from trauma center triage models and paramedic protocols.
The result is Sensato’s MD-COP (Medical Device Cybersecurity Operations Program): a holistic medical device security program designed to save time and money by allowing healthcare organizations to automate the assessment and risk scoring of a medical device.
MD-COP was created to provide a single, comprehensive security solution. It was designed using the intelligence and expertise gained by Sensato as a founding member of the Medical Device Cybersecurity Task Force, its ongoing medical device cybersecurity research, and its experience performing medical device cybersecurity assessments. The program includes:
- Medical device risk assessments
- Medical device manufacturer risk assessment and scoring
- A security policy built on Sensato’s incident response platform model
- Enrollment in an ISAO (Information Sharing and Analysis Organization) for access to shared threat intelligence
- Security strategy and tactical consulting
- Monitoring of medical devices by Sensato’s CTOC (Cybersecurity Tactical Operations Center)
- Sensato’s Nightingale honeypot
“Typically, you’ll find that other companies segment services like an a la carte menu. And, like items on an a la carte menu, they end up costing more,” says Gomez. “We don’t feel that’s an honorable way to do business because we know, and other cybersecurity companies know, what we will generally find in a vulnerability assessment, so we made everything part of the MD-COP package because our ultimate purpose is to protect and safeguard human lives.”
By including every key component necessary for protecting medical devices from cyberattack in MD-COP, Sensato’s goal is to help healthcare organizations protect against breaches and respond quickly to attacks by either containing the attack or fighting back as fast as possible.
“Most people don’t realize just how fast a cyberattack takes down a network and how much damage it can do,” notes Gomez. “Most of the time, by the time the IT security team or incident response team can mobilize, it’s too late.”
“So, one of the things we really stress is getting the frontline troops—helpdesk staff—and the entire incident response team trained in a drill camp style to create a sort of muscle memory so that they don’t have to think, they just act on the protocols or standing orders that they’ve been trained to execute.”
An assessment of your system’s vulnerabilities is your best start to securing your networks and medical devices from cyberattack. Start here.