Medical Device Cybersecurity: Risk, Patching & Plutonium
March 19, 2019
This February I was at HIMMS Global Conference and Exhibition, one of the largest healthcare IT conferences in the US. My focus there was to see the latest on cyber in healthcare, particularly around how hospitals have been managing and securing their medical devices. While it seems hospitals and manufacturers still have some way to go to improve medical device cybersecurity, recent guidelines and some vendors I met with at HIMSS are improving the situation.
Here to stay
Medical devices are tempting targets for cyberattacks for a number of reasons. First and foremost, they generate and contain some of the most sensitive information about people of any devices on earth. They also have the half-life of plutonium, says Richard Staynings from the HIMSS Cybersecurity Committee, in one of his talks at HIMSS. That is, medical devices are kept in daily use for a very long time and are rarely terminated if they are in working order.
This longevity means the devices end up lasting longer than the lifetime of the operating systems that they run on (often the no-longer-supported Windows XP), their operational software, and sometimes even the OEM itself. This makes it difficult or impossible to get patches when new exploits are discovered, causing an increase in cybersecurity risk (not to mention operational risk) the longer they stay in use.
Lack of support
Medical device asset management is usually performed by understaffed teams that are ill-equipped to keep equipment security up to date, or unincentivized third party vendors that may not even have regular access to the equipment. This lack of attention means many devices aren’t patched when they should be, carry default credentials throughout their lives, or are simply neglected or forgotten entirely from a security perspective – especially in larger organizations with thousands (or tens of thousands) of devices. Medical devices that are managed by a third-party software vendor or medical device vendor, especially the “big iron” of CT and MRI machines, mean hospitals have even less control of these medical devices, further complicating proper cybersecurity best practices.
Know your network
Both the FDA and the HHS have come out with cybersecurity guidelines highlighting the cyberattack risks of medical devices and medical device networks. Echoing those guidelines, every discussion or seminar at HIMSS on hospital cybersecurity emphasized best practices around keeping medical devices patched and updated, and segmenting networks to avoid penetration and any lateral movement across networks, should a device be breached.
We met a few vendors with software that can identify medical devices on a network, monitor device activity, and provide help in managing devices. These vendors help hospitals know who and what’s on their networks and identify risks.
The importance of network segmentation
Some vendors are also trying to help hospitals understand the importance of segmenting their networks and how to do so effectively. Network segmentation is highlighted in DHS, HHS, FDA, and NIST guidelines (and pretty much everywhere else) as a cybersecurity best practice.
Segmenting networks, the practice of dividing them up into smaller, divided sections with multiple security levels, makes it harder for a threat actor to go “east-west” across your entire network. This divided architecture reduces the risk that a single compromised point of ingress or medical device breach can take down your whole network (hospital, laboratory, etc.).
Network segmentation also allows you to separate your business and public patient networks from your mission-critical medical networks. This ensures your medical networks aren’t affected by some patient streaming Netflix or your billing department sending a large batch of claims to a payer.
Network segments can be as large as an entire facility or as small as a single device, allowing you to isolate legacy devices that can’t be patched, but still need to be used.
Data diodes for medical devices
As one-way data transfer devices, data diodes are well-suited to help you segment your medical device networks. They allow you to securely stream medical device data, including vulnerable legacy medical devices, from the mission-critical near-patient network segment to a data repository, say your EMR or a medical device data aggregator. More importantly, data diodes provide hardware-enforced security to prevent any intrusion to the network segment. This reduces the attack surface area of unpatched or legacy medical devices on your network, and can completely eliminate the chances of an external threat gaining unauthorized access.
What you need to know
It’s important to keep an eye on your medical devices – even if they remain functional for a long time, they may no longer be secure. Segmenting your network can help to improve the security of your organization and medical devices, especially unpatched or legacy medical devices. Data diodes are an effective tool to segment your network and reduce the chance of network intrusions.
Are you segmenting your medical device networks? How? Let us know.