Is the FDA’s cybersecurity guidance improving cyber resilience?

June 24, 2016
Both vendors and end users share in the remediation and mitigation of medical device tampering

While politicians and security experts constantly warn about the risk of cyber-attacks, they rarely, if ever, mention the risks associated with the Internet of Things (IoT). This is especially relevant for medical devices, which are part of the IoT ecosystem and have become a lucrative target for hackers. Due to a general lack of cybersecurity hygiene in healthcare and the growing number of electronic health record exfiltration incidents, the U.S. Food and Drug Administration (FDA) issued a Draft Cybersecurity Guidance (Post-Market Management of Cybersecurity in Medical Devices) in January 2016. It outlines more concrete requirements for assessing the security of connected medical devices. The big question that remains is whether the proposed guidelines can truly improve cyber resilience.

A growing number of medical devices are designed to be networked to facilitate patient care. These devices, like other networked IT systems, incorporate software that may be vulnerable to cybersecurity threats. While the increased use of Internet technology and software in medical devices increases the risks of potential exploitation, these same features also improve healthcare and increase the ability of healthcare providers to treat patients. Obviously, protecting patient safety and promoting the development of innovative technologies has become a delicate balancing act in today’s dynamic threat landscape.

This holds especially true in light of an advisory that the U.S. Department of Homeland Security issued in March 2016. It warned of more than 1,400 cybersecurity vulnerabilities in third-party software used in CareFusion's Pyxis SupplyStation, an automated, networked supply cabinet used to store and dispense items ranging from disposable gloves to artificial implants. This is just one of many examples that illustrate the risks posed by vulnerabilities in medical devices. If exploited, these vulnerabilities could lead to physical harm through a cyber-attack. Thus, a scenario in which a high-ranking politician's health is attacked without anyone drawing a gun is no longer the plot of a science-fiction thriller, but has become reality.

The FDA's Draft Cybersecurity Guidance was created to encourage medical device manufacturers to implement a Cyber Security Risk Management Program that helps identify and remediate vulnerabilities in their devices. The guidance applies to all medical devices that contain software (including firmware) or programmable logic, and to software-based medical devices.

As a result of this guidance, medical device manufacturers must rethink their current product development practices: they must not only embed automated vulnerability testing into their processes but also invest in manual penetration tests that mimic potential cyber-attacks. Offloading these tasks to the end user community, as was commonly done in the past, is no longer acceptable. While this adds cost to the manufacturing process, it is a necessary evil and a potential product differentiator among medical device vendors.

While manufacturers should incorporate controls in the design of a product to help prevent cyber risks, it is essential that they also consider improvements during device maintenance, since new threats may arise at any point in a device's lifecycle. There have been numerous cyber-attacks in which malware was injected during the firmware update process rather than as part of the original software load. Once medical devices have been deployed in the field, manufacturers should adopt the following best practices:

  • Apply the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, which covers the core principles of “Identify, Protect, Detect, Respond, and Recover”;
  • Leverage external threat information sources to identify cybersecurity vulnerabilities and imminent risks;
  • Participate in industry-specific Information Sharing and Analysis Organizations such as the National Health Information Sharing and Analysis Center (NH-ISAC) to gain access to early warning indicators;
  • Continuously assess and detect the presence and impact of vulnerabilities;
  • Adopt a coordinated vulnerability disclosure policy and practice; and
  • Define playbooks and mitigation actions that address cyber risk early and prior to exploitation.

While the FDA Draft Cybersecurity Guidance is tailored towards medical device manufacturers, the end user community, namely hospitals and other healthcare facilities, should share the responsibility for identifying, prioritizing, and remediating cyber risks that threaten interconnected medical devices. They should follow the same best practices to mitigate any threats to patient safety and public health.

While the FDA guidance provides some valuable building blocks for implementing better cybersecurity practices, it is not a silver bullet for preventing cyber-attacks and data breaches. In this context, some security experts have criticized the FDA for issuing public statements that call attention to the severity of device security while doing little to enforce safety practices among manufacturers. That is because the guidance is not a regulation: it neither provides incentives nor imposes penalties for failure to follow the proposed best practices.

Furthermore, it is important to recognize that guidelines and regulations are static by nature and therefore must evolve to keep pace with changing threats. In practice, regulatory compliance moves far too slowly to keep up with cyber-attackers. Guidelines can also expose holes in the proposed measures, which attackers can use as a blueprint for their attack strategy.

Ultimately, proper security measures and best practices are just one part of the solution. One of the biggest challenges facing organizations is making sense of the sheer volume, velocity, and complexity of security data in order to detect a cyber-attack. The Target breach was a good example, where an IoT device was the originating attack vector. Although best-of-breed technology was in place and detected the intrusion early on, the alerts were buried in a sea of intelligence feeds. This prevented the security team from connecting the dots and responding in a timely fashion. Instead, the breach was exposed when a third party reported that the stolen data had been posted on the Internet.

Without automation, it can take weeks, months, and even years to perform risk analysis and piece together an actionable security assessment in big data environments. Finding ways to use technology to compensate for the shortage of human resources needed to extract intelligence from security feeds and respond in a timely fashion should remain a focal point for organizations. In this context, the FDA Draft Cybersecurity Guidance is an important building block, but still just the first step towards implementing operationalized defenses against cybersecurity risks.

About the Author: 

Torsten George is Vice President of Marketing and Products at proactive cyber risk management software vendor RiskSense. Torsten has more than 20 years of global information security experience. He is a frequent speaker on cybersecurity and risk management strategies worldwide and regularly provides commentary and byline articles for media outlets, covering topics such as data breaches, incident response best practices, and cybersecurity strategies. Torsten has held executive-level positions with RiskVision (formerly Agiliance), ActivIdentity (now part of HID® Global, an ASSA ABLOY Group brand), Digital Link, and Everdream Corporation (now part of Dell). He holds a Doctorate in Economics and a Diplom-Kaufmann degree, which is comparable to an MBA.