Uneven Improvements for Medical Device Cybersecurity
It is one thing for cybercriminals to breach your home computer. It is another for them to breach a hospital network or, worse, a medical device your very life depends on.
The subject got a publicity boost in the past decade when white hat hackers demonstrated the relative ease with which they could breach insulin pumps, pacemakers, IV pumps and other devices.
Initially, medical device makers seemed to shrug off those demonstrations, often releasing statements that such exploits were extremely unlikely to happen in the real world. But while it may be unlikely that an adversary would deliberately harm a patient through a medical device, a device vulnerability can also be exploited unintentionally, for instance by self-propagating malware that is not aimed at the device at all.
But in the past several years, an array of factors has converged to produce tangible, albeit incremental, progress on medical device cybersecurity from medtech companies, along with an improving security posture in hospitals and clinics. “The health care industry, as much as people think it is the slowest industry in the world to adapt, is actually very well positioned to be able to react [to cybersecurity vulnerabilities] for a business and budgeting perspective,” said John Yun, head of marketing at Zingbox. For one thing, the industry must abide by regulations such as HIPAA in the United States.
The FDA has also placed increasing emphasis on cybersecurity, releasing premarket (2014) and postmarket (2016) cybersecurity guidance documents and hosting workshops dedicated to the subject.
Awareness of the threat to medical devices, however, remains uneven.
A 2018 AAMI article titled “The Evolving State of Medical Device Cybersecurity” argues that meaningful improvement requires an ecosystem approach. Device makers must commit to building security protections into connected medical devices, and health care delivery organizations must procure devices that meet defined security thresholds while complying with cybersecurity standards and best practices themselves. But coordination of that kind across the health care landscape is often hard to achieve.
Cybersecurity awareness in the medical device field is also relatively new. Manufacturers traditionally designed their products as standalone devices, and as those devices gradually gained networking capability, a troubling number were released with inadequate security controls.
The FDA continues to work on the problem. In November 2018, the agency announced its intent to modernize the most widely used premarket pathway for medical devices, the 510(k) program, so that clearance relies on safety and performance criteria rather than on similarity to sometimes decades-old predicate devices. The current system, which uses “substantial equivalence” to devices already on the market as its regulatory benchmark, dates from 1976. “What we want to do is constantly try to push the market in the direction of incorporating better technology, better capabilities by advancing the predicates and always looking forward,” said FDA commissioner Scott Gottlieb in an interview with CNBC. A notice from the agency previewing the update to the framework briefly touches on the importance of medical device cybersecurity.
Hospitals around the world have also had to contend with ransomware and other commodity attacks such as Petya, NotPetya and WannaCry. Beyond that, the case of the medical device company St. Jude Medical, since acquired by Abbott, helped focus attention on the importance of medical device cybersecurity.
In 2016, Justine Bone, chief executive officer of the penetration testing firm MedSec, chose to disclose vulnerabilities her firm had found in the company’s implantable cardioverter defibrillator products to the hedge fund Muddy Waters Research, which publicized them while holding a short position in St. Jude’s stock.
St. Jude initially denied the problem, until the FDA stepped in and other cybersecurity researchers corroborated the vulnerabilities. Before the acquisition by Abbott closed, the company’s stock plunged, marking the first time a cybersecurity vulnerability had exacted a serious financial toll on a medical device company.
The story is an example of a manufacturer shifting its view of cybersecurity from a cost center to something that can hit its profitability, said Terry Dunlap, co-founder of ReFirm Labs.
St. Jude eventually acknowledged the problem, and Abbott Laboratories, which now owns the product line, continues to release patches for the affected devices.
The overall saga reflects the uneven progress the industry is making with respect to cybersecurity. “The device manufacturers, I would say have improved in terms of their responsiveness, but not as much as we would like,” Yun said. Last year, Zingbox released a report detailing vulnerabilities in several medical devices used in hospitals. Months before the report was published, the company informed manufacturers of the problems. “About half said they are either creating a patch or have a workaround,” Yun said. The other half didn’t respond. “Maybe three or four years ago, none of them would have responded.”