Digital Health Exposes Medical Device Information Security Risks-The HSB Blog 10/25/21
Given the dramatic rise in connected medical devices (the so-called “Internet of Things”) and remote care, especially since the COVID pandemic, increases in digital health have exposed heightened risks in medical device information security. Consequently, investments in healthcare cybersecurity need to be focused more significantly on medical devices. Accompanying the growing demand for data analytics, remote patient monitoring, and remote diagnostics is a notable rise in threats and risks posed by unsecured medical devices. Medical devices require connection to both external and internal networks, exposing them to unauthorized access and many forms of malicious attacks that lead to device failure.
There are over 500K different types of medical devices, and the number is growing, according to Deloitte’s report, “Medtech and the Internet of Medical Things”.
Connected medical devices using the public Internet are more vulnerable to unauthorized access and data breaches if not properly protected.
Many legacy medical devices remain in use, have hard-coded administrative login information, and infrequently receive software updates.
More recently, regulatory guidelines in the US and the EU have addressed how medical device manufacturers provide security design for medical devices.
Medical devices, such as heart monitors and lab equipment, collect and store sensitive data in healthcare organization systems vulnerable to hacking. Cybersecurity risks such as exposure to hacking open up healthcare organizations to legal and regulatory consequences from breach of data privacy and could potentially expose patients to harm. For instance, unauthorized access to medical devices could lead to the modification of Bluetooth-enabled insulin pumps and defibrillators, both of which could result in severe harm to patients.
Notwithstanding the gravity of cybersecurity risk, it is challenging to manage because many legacy systems within the healthcare system still have security vulnerabilities. Some are so old that they are built on insecure protocols such as Telnet, which uses unencrypted logins (more modern protocols such as SSH use encrypted logins and are thus more secure). For example, when users log in to devices using Telnet, the user’s login information, including authentication data, can be picked up through wireless sniffers or so-called man-in-the-middle attacks (where an attacker listens in to gain access to your data or injects malicious code into the stream to gain access to sensitive data and systems). As a result, connecting legacy medical devices to the public Internet increases their vulnerability to cybersecurity risks. According to security research using Shodan, a search engine that allows users to search for devices linked to the Internet, case studies show that glucose monitors, fetal monitors, and PACS accessible on the public Internet are particularly vulnerable to numerous security threats.
According to research from MarketsandMarkets, the connected medical devices market segment that helps to diagnose, monitor, and treat patients is expected to rise from $14.9 billion in 2017 to $52.2 billion by 2022. The increased adoption of connected medical devices is driven by increased amounts of care moving outside of hospitals and doctors’ offices, a shift towards data-driven value-based care, and increased demand for remote patient monitoring devices, wearable technology, and at-home diagnostics which can improve the quality of care while lowering costs.
There are currently over 500,000 different types of medical devices. These include: 1) wearable external medical devices (skin patches, insulin pumps, and blood glucose monitors), 2) implanted medical devices (pacemakers and implantable cardioverter-defibrillator devices), and 3) stationary medical devices (home monitoring devices, connected imaging devices, and scanning machines). These types of devices can be connected to health systems in different ways and can transfer health data to healthcare systems both internally and externally. Increasingly as devices become more sophisticated and patients connect to hospitals and providers with an increasing number of devices, connected medical devices dramatically increase the number of vulnerabilities/endpoints for providers and increase the risk of cybersecurity issues.
In 2016, the FDA released guidance recommending timely software updates to patch security vulnerabilities and documentation for security assessments of existing and new products. However, currently in the US, medical device manufacturers have no legal obligation to address cybersecurity risks, either before or after releasing the medical device into the market. By contrast, in May 2017, the European Union instituted Regulation 2017/745 on Medical Devices (MDR), which went into effect this year and provides specific cybersecurity guidelines for medical devices. Among other things, the rule created the position of "Person Responsible for Regulatory Compliance" (PRRC) and increased certain requirements for post-market surveillance activities. This is particularly important as a large number of medical devices run on legacy software that is no longer supported. For example, according to a study by VDC reports, there are approximately 1 billion medical devices worldwide that continue to run on unsupported software.
Investment in infrastructure and the traditional security paradigm need to be expanded and adapted to include security vulnerability assessment for medical devices. In particular, prior to the pandemic, many healthcare providers’ security frameworks were designed on the concept of the “walled garden”, in which firewalls and other intrusion protection devices were instituted to keep malicious parties off the providers’ network, which was conceptually behind several layers of security. However, the pandemic flipped that model on its head, as many of the providers’ employees, patients, and contractors were now operating outside of an organization’s physical facilities to keep exposure to a minimum, which effectively placed them beyond most institutions’ “walled garden”. Instead, this exposed many institutions to a world where clinicians and patients were now accessing an organization’s network remotely, thereby opening up holes in that organization’s security and exposing it to many more threat vectors.
In addition, while next-generation medical devices may be more secure and regulated through new security guidelines, many legacy systems remain vulnerable. These legacy systems require collaboration between the purchaser and manufacturer to implement appropriate security design as security updates may not have been implemented for some time or done on a haphazard basis.
Connected medical devices and sensors hold the potential for improving operational efficiency for providers and outcomes for patients. However, as device manufacturers look to make legacy devices more secure they also face the dilemma of destabilizing devices on the market as well as exposing themselves to (or potentially admitting liability for) devices already on the market. This may account for device manufacturers' hesitancy to install new patches on stable legacy systems, notwithstanding the risk of potential device issues and interruption in workflows.
While balancing risk and productivity is a challenge for healthcare technology management teams, incorporating medical devices in existing security design for risk mitigation should be prioritized.
To this end, the actionable steps recommended by the National Institute of Standards and Technology (NIST) and security researchers for implementing better security practices for medical devices are worth considering. These include:
Identifying vulnerable connected medical devices and processes that can lead to unauthorized access and device failure. Incorporating security testing and design before choosing a specific product and/or vendor.
Protecting existing medical devices by updating the firmware (software that contains operational instructions for hardware devices) and limiting administrative privileges, when possible with support from the vendor. This is necessary to mitigate against potential risks for device issues and workflow interruption caused by software updates.
Implementing reporting and monitoring systems to develop audit trails for detecting unauthorized access and configuration changes. Such systems are needed for implementing appropriate security compliance for medical devices.
Conducting internal and external security audits to allow thorough vulnerability assessments. Audits should include medical devices as a focus requiring collaboration with medical device specialists and researchers.
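The identification step above can start from a device inventory. The following sketch is an added example, not code from the HSB post or from NIST: it flags the conditions this article names (Telnet exposure, reachability from the public Internet, hard-coded administrative logins, infrequent firmware updates) and ranks devices for follow-up. The CSV columns, weights, and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample inventory (not real devices); column names are assumptions.
INVENTORY_CSV = """\
name,ip,open_ports,default_admin_login,last_firmware_update
infusion-pump-01,10.20.4.17,23;80,yes,2015-03-02
fetal-monitor-02,203.0.113.40,23,yes,2013-11-19
pacs-archive-01,198.51.100.8,22;443,no,2021-06-30
glucose-gw-03,10.20.7.5,22,no,2021-08-14
"""

# RFC 1918 ranges; anything outside them is treated as reachable from the Internet.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Illustrative weights (an assumption, not a NIST scoring scheme).
WEIGHTS = {"telnet": 3, "internet_facing": 3, "hardcoded_admin": 2, "stale_firmware": 1}


def assess(row, as_of, max_age_days=365):
    """Return the list of findings for one inventory row."""
    findings = []
    ports = {int(p) for p in row["open_ports"].split(";") if p}
    if 23 in ports:  # Telnet: logins cross the network unencrypted
        findings.append("telnet")
    if not any(ip_address(row["ip"]) in net for net in INTERNAL_NETS):
        findings.append("internet_facing")
    if row["default_admin_login"].strip().lower() == "yes":
        findings.append("hardcoded_admin")
    age = (as_of - date.fromisoformat(row["last_firmware_update"])).days
    if age > max_age_days:
        findings.append("stale_firmware")
    return findings


def triage(csv_text, as_of):
    """Return (name, findings, score) for devices with findings, worst first."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = assess(row, as_of)
        if findings:
            report.append((row["name"], findings, sum(WEIGHTS[f] for f in findings)))
    return sorted(report, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for name, findings, score in triage(INVENTORY_CSV, date(2021, 10, 25)):
        print(f"{score:>2}  {name:<18} {', '.join(findings)}")
```

Devices that combine Telnet with Internet exposure land at the top of the list, which is where vendor-supported firmware updates and network isolation should be scheduled first.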