What do healthcare providers want from medical device manufacturers concerning network and device security?
Martin Nappi, Green Hills Software
The advent of the Internet of Things (IoT) has created enormous opportunity and profound challenges for any business looking to take on the digital transformation. But no industry faces more of a test to make this change than healthcare. Organizations that want to embrace IoT can struggle for many years in the pursuit of “going digital” and still fail. Hospitals and other healthcare providers have all the operational complexities of other businesses with the added responsibilities of keeping their patients safe, ensuring patient health records are secure and keeping their facilities operational 24/7. Plus, the healthcare industry is a primary target of increasingly sophisticated cybercriminals looking to install ransomware, steal patient health records or harm patients through connected medical devices such as insulin pumps or pacemakers.
A healthcare facility could follow the National Institute of Standards and Technology’s (NIST) cybersecurity framework to the letter, but its network will only be as secure as the weakest entry point. Increasingly, unsecured medical devices are used as beachheads to gain access to a hospital network.
Every type of connected medical device has its own set of complexities that need to be secured at the time of product design. Each device has an application programming interface (API), a user interface, a URL and often interfaces for HDMI, Bluetooth or WiFi, all of which may be exploited if not properly secured by the device manufacturer. Unfortunately, the major burden of responsibility for securing these devices ultimately falls on the healthcare provider.
Cybercriminals usually focus on stealing electronic health records (EHRs) due to their black market value of $300 to $500 per record. They may also install malware or ransomware on the hospital network, encrypting and disabling the connected servers and systems and causing total disruption to the provision of care. The systems remain dysfunctional until the hospital pays the ransom, finds a way to subvert the encryption algorithm – rarely a trivial task – or restores systems from backups, which could take several days or longer.
A large hospital’s real cost of recovering from a ransomware attack generally runs in the millions of dollars. The cost to a smaller medical practice is usually less, but this figure does not include the disruption of care and of access to patient health information. Healthcare systems might also incur heavy fines under HIPAA and the General Data Protection Regulation (GDPR) for the theft of EHRs and the breach of personal health information (PHI). Medical device manufacturers that build products to handle, store or transmit PHI may also be subject to substantial monetary penalties if proven negligent in a hospital breach in which PHI was compromised.
Healthcare organizations are bearing the brunt of these crippling attacks. In the first quarter of 2018, several hospitals were attacked and infected with ransomware and, in most cases, paid the ransom. As cybercriminals become more technically sophisticated, medical device manufacturers need to be at least equally as responsive and sophisticated in their efforts to shore up their device security.
Healthcare organizations, hospitals, clinics and other providers are the major customers and primary source of revenue for medical device manufacturers. We contacted about three dozen physicians, executives and other organizations that support, or work on behalf of, healthcare providers. Here are their thoughts about cybersecurity:
- Are you aware that unsecured medical devices on healthcare networks can be used as beachheads to infiltrate the organization’s network and servers, allowing a cybercriminal to install malware or steal Electronic Health Records (EHR)? A solid 95% of the interviewees were aware of this issue. Everyone agreed that “medical device safety and security” must be top of the priority list for all medical devices connected to healthcare networks.
- If you are a healthcare provider, does your organization have a program that specifies rigorous testing of medical device safety and security as part of the procurement process? Almost all IT executives and physicians interviewed were investing substantially in protecting their internal networks. However, only larger healthcare providers had the resources and the staff to institute official policies and procedures to ensure that procured medical devices are manufactured using industry best practices for safe coding and cybersecurity.
We also asked the following question: Do you think the FDA is doing enough to encourage manufacturers to provide safe and secure medical devices? The responses were mixed. Fifty-five percent of respondents were not satisfied with the current FDA guidance. Their reasons for this dissatisfaction included:
- The FDA guidance needs to require device manufacturers to provide detailed information to make it easier for healthcare providers to compare the levels of security and safety built into a medical device. The hope is that the requirement for a software bill of materials (SBOM) will help in this regard.
- The FDA should require medical device manufacturers to adhere to a clearly specified standard that is escalated by the criticality of the device’s application.
Thirty percent of respondents were satisfied with the FDA guidance, and the remaining 15% chose not to answer or didn’t know enough about the subject to comment.
“I think the FDA guidance has come a long way, and it is continuing to improve,” said Courtney Young, a senior risk management attorney for Medmarc, which insures and provides risk management services to medical device manufacturers. “I advise medical device manufacturers how to mitigate risk, and I try to help them understand that the FDA guidance should be looked at as a floor. It’s not a ceiling. It’s a starting point to be improved upon.”
- Should life-critical medical devices and systems be subject to mathematically proven, secure system requirements, as they are in the aerospace industry? The physicians and security executives we spoke with agreed that life-critical medical devices must be safer and more secure than non-life-critical medical devices. They also thought that other industries’ security measures should immediately be examined and evaluated for their applicability to medical devices.
- Finally, the respondents agreed that an independent accrediting body should certify the safety and security of life-supporting or life-saving medical systems. It should be made up of medical industry stakeholders without government oversight, they said.
- “Small organizations cannot afford to retain the in-house staff to determine the cybersecurity capabilities of the products we procure,” one physician explained. “Most often, we are forced to depend upon the word or reputation of the manufacturer or, in our case, distributor. The problem is that they are all getting hacked.”
Medical device manufacturers should ease the burden on healthcare, improve the medical device ecosystem, and provide a much higher level of patient safety. From the initial product design, they must use rigorously tested software within their devices to avoid product malfunction and vulnerabilities. Network-connected medical devices must build upon FDA guidance and employ cybersecurity techniques capable of defending against sophisticated, well-funded cybercriminals. Newly proposed SBOM guidance must clearly inform the healthcare industry of the risks and capabilities of connected medical devices. Lastly, there should be a more equitable distribution of responsibility for securing medical IoT. The medical device manufacturers that embrace safety and security as their top priority will succeed at medical IoT and most importantly, keep patients safe from cyber-harm.
Martin Nappi is VP of business development for the medical industry at Green Hills Software. He is a 30-year veteran of the embedded systems industry and is responsible for providing safe and secure software technology for medical devices and systems.
The opinions expressed in this blog post are the author’s only and do not necessarily reflect those of Medical Design and Outsourcing or its employees.