
Vulnerable medical devices: A clear and present danger

Technology is helping to save lives, but vulnerable medical devices and computers are a real risk. Michael P. Kassner asks the experts about the state of healthcare security.

TechRepublic's Editor in Chief, Jason Hiner, has designated the "Internet of Things," otherwise known as "Machine to Machine" technology, as TechRepublic's global topic for January:

The Internet of Things is all about sensors that can connect lots of formerly-mundane objects to the Internet and automatically send their data to IT systems for analysis. The objects can be everything from health care monitors to traffic lights to thermostats to trains.

Since I'm the guy who covers IT security, you may be wondering why I'm even interested. Well, as Jason pointed out, health care uses many "things," several of which are near and dear to my heart.

Since my heart surgery in 2007, I've been interested in medical-computing technology and how patient treatment has improved due to the advances. I even wrote an article about my experience just days after my release from the hospital, "Wireless technology played a big role in my surgery." My son questioned my judgment releasing an article that soon -- something about OxyContin.

So last summer, when a colleague told me about "Attack Surface: Healthcare and Public Health Sector," a report released by the Department of Homeland Security, I immediately read it, wondering what "Attack Surface" meant. Here's what I found:

[A] major concern to the Healthcare and Public Health (HPH) Sector is exploitation of potential vulnerabilities of medical devices on Medical IT networks (public, private and domestic).

It gets worse:

These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information due to the inadequate incorporation of IT products, patient management products, and medical devices onto Medical IT Networks. Misconfigured networks or poor security practices may increase the risk of compromised medical devices.

The report then proceeds to explain why:

  • There are legacy medical devices deployed prior to enactment of the Medical Device Law in 1976, that are still in use today.
  • Many newer devices have undergone rigorous Food and Drug Administration (FDA) testing procedures and come equipped with design features which facilitate their safe incorporation onto Medical IT networks. However, these secure design features may not be implemented during the deployment phase due to complexity of the technology or the lack of knowledge about the capabilities.
  • In an era of budgetary restraints, healthcare facilities frequently prioritize more traditional programs and operational considerations over network security.
  • Because these medical devices may contain sensitive or privacy information, system owners may be reluctant to allow manufacturers access for upgrades or updates. Failure to install updates lays a foundation for increasingly ineffective threat mitigation as time passes.

I made a mental note to get back to this and see if there was a story that needed telling. Since then, I've compiled quite a file about the subject. But I must confess, I wasn't planning to write an article just yet. Then, on Christmas Day, Google Alerts informed me of a Washington Post article by Robert O'Harrow Jr., "Health-care sector vulnerable to hackers, researchers say."

In the article, O'Harrow quotes Avi Rubin, a computer scientist and director of the Information Security Institute at Johns Hopkins University, as saying:

I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress.

It just so happens

Just before Christmas, I emailed Denis Foo Kune. He was my expert source on "Locating cell-phone owners the non-GPS way." I wanted to congratulate Denis on receiving his doctorate, and ask for his help on this article. It is also when I found out that Denis now works for Professor Kevin Fu. And...

Dr. Fu is a leading authority on the vulnerability of medical devices and computers used by health-care providers. Dr. Fu, a member of NIST's Information Security & Privacy Advisory Board, is quoted in just about every document I have accumulated on this issue.

I also learned Dr. Fu and his entire research group, including Denis, just moved to the University of Michigan where Dr. Fu has been instrumental in creating the first graduate course dedicated to medical-device security. Even amid all the turmoil of moving, Denis and Shane Clark (one of Dr. Fu's PhD students) agreed to answer a few questions.

Kassner: There appear to be three distinct areas of concern: medical devices (implantable or otherwise), computers used by health care providers, and electronic medical record management systems. Would you explain what the concerns are for each?

Foo Kune and Clark: The main concerns as we see it for the 3 types of devices you mentioned are as follows:
  • For devices that have an actuation directly affecting the patient (think infusion pump or defibrillator), we are worried about safety and security.
  • For computers used by clinicians in hospitals, some of the main concerns are the lack of updates and standard computer security measures, which leave the systems vulnerable to garden variety malware.
  • For machines that handle the electronic medical records, the main concern would be privacy.

Kassner: O'Harrow quoted Dr. Rubin in his article as flat out stating many of these issues no longer exist in other professional venues -- the financial industry, for example. Why is the health-care field so far behind?

Foo Kune and Clark: From our understanding, Professor Rubin was saying that other fields have progressed faster, in terms of security, than the health-care industry. We only have limited visibility into the industry, and, beyond the misconception about the FDA requirements regarding patches (Dr. Fu has a blog post about this issue), industry manufacturers may perceive little benefit, and possibly serious implications, in issuing security updates.

In addition, there seems to be little reward from the marketplace for securing devices. In fact, one medical device manufacturer even has statements that could discourage additional security measures. See this blog post.

Kassner: When I had my heart surgery, I bugged the nurses and technicians incessantly, asking about the monitors and wireless systems they used. One key point I discovered -- equipment directly involved with patient care was isolated from other hospital networks and the Internet.

From what I have read in several of the research papers listed on the Security and Privacy Research Group's website, newer medical devices have the ability to communicate with the medical staff directly or via a third-party provider. What implications do you see resulting from that capability?

Foo Kune and Clark: First, non-networked systems are not necessarily secure. Worms spreading via USB sticks can easily infect those devices.

The ability for a medical device to communicate directly with legitimate remote stations has to be balanced with the increased attack surface offered by network connectivity. If properly implemented using appropriate security measures, the connected capability of devices can bring great benefits to patients.

Kassner: You mentioned the FDA -- the government body that regulates medical devices -- in an earlier answer. You also mentioned there was a misconception about FDA requirements regarding updates. Would you please explain what you meant?

Foo Kune and Clark: The FDA making clear that updates are a good thing is very helpful. We just have to get the word out to more folks. The misconception is that updates on medical devices will require a re-certification. The truth is that most updates will fall below the FDA review threshold. In fact, the FDA encourages manufacturers to issue regular updates.

There is another issue creeping in: the lack of an effective mechanism to report post-market security events. The current method using the FDA's MAUDE database, while helpful, is not focused on security.

The next version database does not focus on security either, making it harder for security researchers to get good data. Part of the reason might be clinicians are not trained to recognize security events, and even if the database did focus on security, the data collection process could be challenging.

Kassner: I'm just starting to see the complexity of this challenge. Devices and computers are saving lives -- I know up close and personal -- so they can't be shut off or not used. What do you see as the answer?

Foo Kune and Clark: Increased complexity is a problem. The resulting improved functionality needs to be balanced with designs that take security into consideration. In this case, starting the security development as early in the design process as possible -- when the system is still conceptual, less complex, and easier to reason about -- can improve the security of that system.

Kassner: I have faith that this will be sorted out. But until then, I wondered if there is anything we personally can do to reduce the risk. If someone close to you required major surgery, what would you do to assure yourself that every possible precaution was taken?

Foo Kune and Clark: Right now patients requiring therapy delivery from medical devices are much better off with the current devices than without. With that said, there is still a huge amount of work in improving the security design of medical devices.

Final thoughts

I have been known to go on about security being at odds with convenience. I must admit I've been remiss in not extolling the same concern about security being at odds with complexity. For everyone's sake, what's happening with medical devices, health-care computing devices, and the movement towards "machine to machine" technology needs to be a wake-up call.

I want to extend a special thanks to Dr. Fu, Dr. Foo Kune, and Mr. Clark for helping me with this article.


7 comments
jeff

With or without security, they all have a wireless protocol and I'm sure there are more than a few people on software development teams who know everything they need to so one can be hacked. I'm completely dependent on mine and it's a bit worrisome that someone could effectively 'turn it off' as they walk by. Many have a sleep mode allowing the changes to take effect so changes won't take effect until the culprit is long gone. That leaves a lot of opportunity to make a lot of people pretty much just fall over dead at bed time.

HAL 9000

More not fully researched alarmist reporting of what is a perfectly safe industry whose sole aim is to look after people. :^0 Sorry, but unfortunately that's not even close to being true. While most of the Medical Profession isn't interested in doing the wrong thing, they also have a built-in problem with their structure. In Hospitals the Consultant Surgeon is God and can do no wrong, which is perfectly OK at one level as they are highly experienced in at least one field and very good at what they do, generally speaking. The down side is that while they may be excellent at fitting devices to those who need them, they are not expert at choosing which device to fit. That's not saying that they'll fit a Pacemaker to a person who requires a replacement hip; though things like that can and do happen, they are however the exception. Recently a good example of this was shown with Hip Replacement products, which though highly technical do not rely on Technology for their function while in place and being used. The Metal to Metal Hip Joint was a perfect example of this: it was passed and then each surgeon got to choose who made and supplied the Hip Replacements that they chose to fit. Some of the Metal to Metal Varieties contaminated the recipients, whereas others worked as designed without problems. Often because something is new there is a mistaken belief that it's better, and conversely some surgeons believe that any new product should be avoided and you should stick with the tried and true. When it comes to the WiFi used in Hospitals and the actual devices that are used to administer and monitor, as well as wearable devices, the entire process gets way more complex than a mere mortal can ever comprehend. However the main problem is the staff themselves.
They simply believe that the Surgeons can do no wrong and know it all so they can not be questioned, and heaven help you if you make the mistake of showing up the Surgeon, as the remainder of the staff will treat you like the plague to educate you to the error of your ways. Hospital Medical WiFi could very well be a great example of what Domestic IoT will end up looking like. So instead of what was once a relatively secure domestic Network that was all wired we will end up with a Hodge Podge of things trying to communicate and do whatever it is that they were put in place for. Maybe the way to look at this is the Hospitals are how our homes will end up being. Or maybe a Massive development in Domestic WiFi Security on the IoT will help improve the current Medical WiFi Networks. You can hope for the second while believing the first will be the actual end point. ;) Col

TNT

I don't understand why many of the same practices found in the financial sector and other high-security networks would not apply here. For devices that have an actuation directly affecting the patient, put them on a separate VLAN (like you do phones) and encrypt the communications channel. Most of these devices do not use a standard OS or the OS is baked in so viruses are less a concern here anyway. For computers used by clinicians, enforce updates via group policy. For machines that handle the electronic medical records, remove all drives and ports (including USB) not only to protect from viruses (as mentioned in the article) but to protect patient data from being stolen. I know this is rather simplistic, but it's a start. And while we're at it, can we mandate that medical devices be shielded so cell phones won't negatively impact them? I'd hate for my cell phone to cause grandma's respirator to pump to the beat of my ringtone.

Michael Kassner

I almost thought I messed up. Good one. Thanks for the comments. It certainly is a complex and confusing subject.

Michael Kassner

The big disconnect, and Denis was all over me to make sure of this, is that there is confusion between what the FDA wants and what the manufacturers think the FDA wants. I hope I have that right. Whatever it is, devices and computers are not getting updated and are vulnerable.

HAL 9000

Though I have to admit that this one is a very complex topic that I can not see could be adequately covered in a place like this. When I first worked Medical we used Paper for everything, and even though we are more secure now as the chances of a Security breach are less likely, when they do happen, instead of just being the one person's File that can be got, it's thousands, so the breaches are far more intense when they do occur. Personally I can understand why they have WiFi Networks in Hospitals as it's far easier to set up Coronary Care Units without the need to pull lots of Cable so that patients can be easily monitored. Of course the down side is that it's also easy to break in and do what you like to those same devices. What I have always found amusing is how members of the General Public are asked to turn off Mobile Devices as they may interfere with the Wireless Medical Devices, but that same person can be sitting in an Examination Room with a Doctor who takes Phone Calls on their Mobile while in the process of talking to them. Here there are 2 distinct problems you are facing: the ease of rolling out new devices in any part of the Hospital at virtually no expense, and Security of those Devices. Even if they follow Basic Security Measures used in other industries there still is no security, as the Devices themselves were never designed to have this. They were conceived to be open and easily interfaced with for speed and better Patient Outcomes, but because of their current Widespread use the potential for Adverse Medical Outcomes is far higher nowadays. Then there is the Administration who asks why they should have Hard Wired Devices in use in the Hospitals when it's far cheaper and easy to use WiFi Devices, which means that they are not as restricted when they have the need when something breaks out. Talk about being between a Rock and a Hard Place. But I wish you Luck with this. ;) Col

Michael Kassner

I had one of the Wi-Fi monitors on me at all times for four of the five days I was in the hospital for my bypass surgery. Then they used a similar device when I went to therapy to monitor me while on the treadmill.