Digital transformation has thrived in the healthcare industry, as technological advancements enable providers to better serve patients every day. However, as connected medical devices continue to proliferate, so do the cybersecurity risks surrounding them.
In fact, just this past month, vendor GE revealed that security flaws in its hospital anesthesia and respiratory machines could lead to patient harm.
“In general, biohacking has been a steadily growing issue within the security industry,” said Jonathan Tanner, senior security researcher at Barracuda Networks, a cybersecurity technology and services firm.
“Researchers first discovered vulnerabilities in the Medtronic Maximo over a decade ago, in 2008. Years later, in 2012, the Showtime TV series Homeland depicted terrorists remotely tampering with a pacemaker, resulting in a character’s demise.”
An entirely plausible attack
While the specifics of this Hollywood example were somewhat far-fetched, the underlying vulnerability in such devices was not. Several articles written at the time concluded that, even if the details were exaggerated a bit, the susceptibility of such devices was entirely plausible given the shift from requiring direct contact to reprogram a device to fully wireless calibration for convenience.
“Thanks to the increase and proliferation of these wirelessly calibrated devices, the ‘Internet of Humans’ is fast becoming a reality as medical device manufacturers look to improve the convenience and ease with which their devices are used and configured,” Tanner explained. “This is just one small group of medical devices that was researched.”
However, as more potentially vulnerable devices are developed along with a growing concern for the security of the healthcare industry in general, research will only continue to increase in this field.
“For example, the DefCon security conference will host the Biohacking village for the fourth consecutive year to explore and discuss, among many things, these devices and issues,” Tanner noted.
“This further sparks research as awareness grows within the security industry,” he said. “While there have not yet been attacks against these devices in the wild, criminals simply need to find ways to monetize such attacks with an equal or greater return than current cyberattacks for this to become a reality.”
What can CIOs and CISOs do?
So what can healthcare provider organization CIOs and CISOs do to protect their organizations against this threat?
“There are two main things,” Tanner advised. “The first step is to ensure that there is proper research and investigation into the security and safety ramifications of medical devices that are being considered for use at their organizations. This may require significant research given how new the sector is and a possible lack of security information on the exact devices being evaluated. However, breaking down candidate devices into their various functions and possible security concerns can pay off.”
For example, determine what sort of wireless access and authentication mechanisms exist within a device, he explained. These can then be correlated with existing research that may not concern the same device but does concern the same implementation patterns, he said. If a device uses Bluetooth for configuration, past research and exploits regarding Bluetooth may be applicable to the device, he added.
“In-depth research like this could help reduce the reliance on device-specific research by filling in potential risks based on preexisting information,” he said. “Additionally, if the budget allows, organizations should consider hiring a security professional adept at researching such devices.”
Regardless, research can help focus on concerns and expose the attack surfaces of a device. If the device uses only wired communication through a special port, wireless attacks are not a concern and research effort can be used elsewhere. It may prove difficult, but leveraging the device manufacturers for information that will help enumerate potential vulnerabilities is useful.
This information will not likely come from a sales representative, so fostering relationships with contacts who have a handle on technical knowledge of the devices is key.
Hold companies accountable
“The second and perhaps most important thing that executives can do is to hold companies accountable for security flaws,” Tanner stated. “These may come up during initial research of a device, when independent research is released, or in a worst case scenario, when a device is exploited.”
Regardless of when these flaws are uncovered, putting pressure on manufacturers to fix current flaws as well as put out future devices free of said flaws is crucial, he added.
“Security is a hit to manufacturers’ bottom lines; creating a situation where manufacturers understand that a lack of investment in proper security is unacceptable is crucial,” he said. “Unfortunately, this is much easier said than done, as it requires awareness and diligence from the entire healthcare industry to be truly effective. However, early adoption of such practices is not without its benefits, especially when an incident occurs elsewhere that your organization has already mitigated.”
To go with a more current example, being the healthcare organization unaffected by the latest ransomware attack because the organization’s data was properly backed up and had the necessary defenses in place is much better than ending up in the headlines for falling victim to such an attack.
“Potentially, PR departments for those who mitigate such attacks could even leverage such headlines to spread the word of what was done right in the organization, both elevating its image, and informing the rest of the industry on best practices to prevent attacks,” Tanner suggested.
Problems are detached from CIOs and CISOs
In general, security vulnerabilities and incidents arise from breakdowns far down the chain from healthcare executives, and in the case of medical devices, even the organization, he said. From programmers and designers who didn’t care or receive proper training on how to properly implement security in devices being manufactured, to the companies that either blindly allow these implementations or encourage them to cut costs, the true root problems are detached from healthcare provider CIOs and CISOs, he said.
“However, putting pressure on manufacturers and seeking those who are making secure devices, even if they cost more, are critical to remedying these problems and preventing future attacks that may have more dire consequences to patients than the security of their medical data,” he said.
While IT leaders have things they can do to mitigate biohacking risk, manufacturers can do more than they traditionally have.
“Medical device manufacturers need to reconcile a faster go-to-market strategy with security,” Tanner said. “Unfortunately, despite increased discussion of medical device vulnerabilities, awareness seems to fall on deaf ears as manufacturers seek to bring products to market as quickly and inexpensively as possible at the cost of security.”
For manufacturers, security should be a prerequisite
Investing in security is crucial and should be seen not as an additional feature, but a prerequisite of developing such devices, Tanner stated.
“Reacting to and working with independent researchers when they report vulnerabilities is another important step for manufacturers,” he added. “It’s important to realize that researchers aren’t attacking your company, but they are offering free labor to enable better product design and manufacture. Bug bounties, where money is offered for finding and disclosing security vulnerabilities directly to a company so that they can be fixed before attackers learn and exploit them, can even be offered to incentivize independent research.”
Even without such programs, just being known for being a pleasant organization to work with for independent researchers can be quite helpful, as well, Tanner noted. Many researchers are mainly looking for recognition for their work, so instead of trying to cover up their findings, work quickly to address and fix the vulnerabilities, he advised.
“This will not only make security researchers want to do more research on a company’s products, but it will also create a much more interesting narrative when they deliver talks about their findings at the myriad of security conferences available today,” he said.
“It’s highly likely that regardless of a manufacturer’s interactions with a researcher, a talk about the vulnerabilities will be given; being the manufacturer that was a pleasure to work with and has already started fixing those vulnerabilities is much better than being the one that was unreachable or hostile, whose devices are still vulnerable,” he added.
Learning from other industries
When it comes to protecting medical devices from biohackers, the medical device industry can learn from the IoT and router industries.
“Currently, in the latter, it would be unthinkable for companies to implement unauthenticated, unencrypted communications in their devices as Medtronic did with their defibrillators,” Tanner stated. “Incidents like this should spur greater accountability across all three markets, but only if people choose to start taking such security flaws more seriously and hold the manufacturers accountable as well as pay any price increases associated with purchasing a more secure product.”
IoT and medical devices in particular are both somewhat niche markets, as they specialize in products that either haven't been made before or come from a limited number of manufacturers. This hinders standardization, since each device is so unique, yet security is largely about general paradigms that could easily be applied to multiple unrelated products.
“Preventing wireless attacks or intrusion is a fairly universal concept, whether you’re making a defibrillator or a thermostat, so making secure devices should not be difficult with the right investment of time and resources to learn the various risk factors potentially affecting a new device,” Tanner said.
What is known?
Companies need to learn to break down their overall device security into separate concerns based on the features and operation of a specific device, he added. Once these concerns are known, they can be researched more easily and information from unrelated fields can be incorporated to reduce duplication of effort, he said.
“In general, vulnerabilities often fall into a specific and smaller group of specific techniques,” Tanner explained. “For example, the overall effect and scope may differ on a case-by-case basis, but a buffer overflow is essentially the same thing regardless of vulnerability, and the ways to fix or prevent a buffer overflow are relatively universal.”
Ensuring that common vulnerabilities are not present through secure coding and implementation practices is the basis for creating secure devices, Tanner said. When it comes to prevention, focusing on the cause of the vulnerability (for example, a buffer overflow) rather than the result – which may range anywhere from crashing the program to permitting the execution of malicious code – is an important and effective step to creating more secure devices, he said.
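As an added illustration of the cause-versus-result point above (example code written for this page, not code from the article, from Barracuda Networks or from any device vendor): a small parser for a hypothetical device-configuration frame in which the first byte declares the length of a parameter name that follows. The frame layout, the NAME_MAX limit and the parse_name_* functions are all assumptions made for the example. The unsafe parser trusts the length byte that arrived over the radio; the hardened one validates it against the destination buffer before copying, which is the cause-level fix that applies the same way whether the firmware runs in a defibrillator or a thermostat.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination for a parameter name (assumption). */
#define NAME_MAX 16

/* Constructed frame format for this example only:
 *   frame[0]      declared name length n
 *   frame[1..n]   name bytes
 * No real device protocol is implied. */

/* Unsafe: the cause is a missing check of n against the destination size.
 * The result (silent corruption, crash, or worse) depends on what happens to
 * sit next to `name` in memory, which is why fixing the cause is the goal. */
static int parse_name_unsafe(const uint8_t *frame, size_t frame_len,
                             char name[NAME_MAX]) {
    if (frame == NULL || name == NULL || frame_len < 1) return -1;
    size_t n = frame[0];
    if (frame_len < 1 + n) return -1;   /* reads stay in bounds... */
    memcpy(name, frame + 1, n);         /* ...but the write does not when n >= NAME_MAX */
    name[n] = '\0';
    return (int)n;
}

/* Hardened: every length the peer can influence is checked against both the
 * source (truncated frame) and the destination (room for the terminator). */
static int parse_name_safe(const uint8_t *frame, size_t frame_len,
                           char name[NAME_MAX]) {
    if (frame == NULL || name == NULL || frame_len < 1) return -1;
    size_t n = frame[0];
    if (n >= NAME_MAX) return -1;       /* would overflow the destination */
    if (frame_len < 1 + n) return -1;   /* frame shorter than it claims */
    memcpy(name, frame + 1, n);
    name[n] = '\0';
    return (int)n;
}

/* Well-formed constructed frame: returns 1 when parsed as expected. */
int check_good_frame(void) {
    const uint8_t frame[] = {5, 'p', 'a', 'c', 'e', 'r'};
    char name[NAME_MAX];
    int n = parse_name_safe(frame, sizeof frame, name);
    return n == 5 && strcmp(name, "pacer") == 0;
}

/* Constructed frame whose length byte exceeds NAME_MAX: safe parser rejects it. */
int check_overlong_frame(void) {
    uint8_t frame[1 + 40];
    char name[NAME_MAX];
    frame[0] = 40;
    memset(frame + 1, 'A', 40);
    return parse_name_safe(frame, sizeof frame, name);   /* -1 */
}

/* Constructed frame that claims more bytes than it carries: also rejected. */
int check_truncated_frame(void) {
    const uint8_t frame[] = {10, 'a', 'b'};
    char name[NAME_MAX];
    return parse_name_safe(frame, sizeof frame, name);   /* -1 */
}

int main(void) {
    /* The unsafe parser is only ever exercised here on the well-formed frame. */
    const uint8_t frame[] = {5, 'p', 'a', 'c', 'e', 'r'};
    char name[NAME_MAX];
    printf("unsafe parser, good frame: %d\n", parse_name_unsafe(frame, sizeof frame, name));
    printf("safe parser, good frame ok: %d\n", check_good_frame());
    printf("safe parser, overlong frame: %d\n", check_overlong_frame());
    printf("safe parser, truncated frame: %d\n", check_truncated_frame());
    return 0;
}
```

The two functions differ by a single comparison, which is the point: the vulnerability class is recognisable from the code regardless of which device it ships in, and a code-review or static-analysis rule that flags a peer-supplied length reaching memcpy without a destination-size check catches it before anyone has to reason about what the overflow would reach.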
“Industrial control systems are a good parallel industry to medical devices, given both have much greater consequences when incidents happen than IoT and routers,” Tanner advised. “Both industries are on the fringe of public attention, deal largely in non-standard electronics devices, and are in dire need of greater security practices, so they could potentially look to each other for help.”
Overlapping security concerns
It is also likely that there will be overlap between the two industries' security concerns, especially those pertaining to the devices themselves and to building communication schemes with devices that may not be completely standard or common, he added. Both may also have opportunities to use hardware fail-safes in case software does not act as expected when compromised by an attacker, he said.
“On a different end of the spectrum, tech giants and social media sites are also great places to learn lessons, given that many tend to have some of the better security practices being used these days,” Tanner said. “While they may sell your data to any number of sites themselves, companies like Facebook and Google put a lot of manpower and money into making sure that attackers can’t breach their systems to obtain such data.”
The same is true with many other top tech companies, perhaps since the multitude of options out there makes any breakdown in security more critical to their profitability, he said. Many offer bug bounty programs that aid in the discovery of vulnerabilities by those trying to help mitigate them rather than exploit them, he added.
“Ultimately, learning lessons from other industries in general would go a long way to increasing the security posture of many sectors,” he suggested. “While different industries have varied products and practices, belonging to the category of ‘technology’ means that the potential security risks are likely shared with other industries that may seem entirely unrelated. Realizing this and learning lessons from other industries may even prevent future issues that have never affected a particular industry before.”