The lack of adequate security standards for connected devices, and vulnerabilities in these devices, pose significant risks to the country’s digital infrastructure and could result in serious consequences if cyberattacks target medical devices in particular, according to several security experts who testified during a Congressional hearing.
Two panels of the U.S. House of Representatives Energy and Commerce Committee—the subcommittee on commerce, manufacturing and trade and the communications and technology subcommittee—held a hearing Wednesday to explore issues about the cybersecurity of connected devices. The hearing focused on the role of connected devices, or Internet of Things (IoT) devices, in recent cyberattacks, with legislators specifically focused on a massive distributed denial-of-service (DDoS) attack that occurred back in October on Internet-infrastructure provider Dyn.
The hearing was intended to review the recent series of connected device-based DDoS attacks, understand current countermeasures, and consider future efforts to combat malicious actors that could target vulnerabilities in modern digital infrastructure. Several security experts testified that with the exploding proliferation of IoT devices, the lack of security on these devices poses a serious risk and the current lack of any security standards for IoT devices needs to be addressed.
There are currently billions of IoT devices in operation and Rep. Marsha Blackburn cited a report that there would be 20 to 50 billion IoT devices by 2020. In a statement to House committee members, the College of Healthcare Information Management Executives (CHIME) stated that “tens of thousands of medical devices can be used throughout large healthcare systems, many of which are connected directly to the patient or serving to provide information to inform clinical decision making.”
“The highly interconnected nature of medical devices, combined with the constraints of inconsistent patching cycles, has created an ecosystem ripe with technical vulnerabilities that cannot be managed with standard processes and procedures,” CHIME said in its statement.
CHIME emphasized the need for improved threat and information sharing across the industry. “Only by pulling together and sharing best practices can we thwart cyber criminals and protect patients.” And, to improve the cyber hygiene of networked medical devices, CHIME specifically noted that Congress should “ensure that manufacturers configure their devices according to an industry accepted security standard that accounts for the basic principles of cybersecurity controls and alleviates risks.” CHIME advocated that manufacturers should, as part of the pre-market approval process, be required to undergo a level of security validation in order to provide healthcare providers with a simple and easy to implement mechanism for managing its security.
During the hearing, legislators were particularly interested in gaining insight into what regulation, if any, was needed at the federal level and what kinds of security standards should be implemented. While none of the security experts were from the healthcare sector, the topic of medical devices, and the potential cybersecurity risks to hospitals and healthcare systems, was a frequent point of discussion.
As a researcher, Kevin Fu, CEO of Virta Labs and associate professor, department of electrical engineering and computer science at the University of Michigan, said, “We’re going to have some serious trouble if we don’t answer these questions. I fear for the day that every hospital system is down because an IoT attack brings down the entire healthcare system. We need to spend more time on the pre-market.”
Dale Drew, senior vice president, chief security officer at Level 3 Communications, said, “What we’ve seen, the Internet of Things has changed the nature of the game, as its easier to break into those devices and it goes unnoticed for longer periods of time.”
Drew also said, “I think that the average chief security officer has to manage 75 separate security vendors and to bolt on security controls for products and services that they are purchasing. You get one of those dials wrong and there are some significant consequences. So focusing on making sure that free market controls are placed on that infrastructure will be a significant adaptable win for us,” he said.
Many of the security expert witnesses emphasized the need to place more responsibility on the device manufacturers.
“Security needs to be built into IoT devices, not bolted on,” Fu said. “If cybersecurity is not part of the early design of an IoT device, it’s too late for effective risk control."
According to Fu, one issue that needs to be resolved is the economics of device security as customers, such as hospitals, don’t want to pay more for better security, and manufacturers want to upsell in order to include better security on devices.
On the topic of medical device security, Blackburn asked the security experts about mitigation strategies for hospitals and health systems to address device security.
“I can’t give you a satisfying answer. If you were to be a fly on the wall in the board room in the hospitals as they are discussing the topic of how does IoT security affect their assurance of their clinical operations being continuous, at the moment, they don’t have a plan,” Fu said. “It’s more along the lines of, ‘We need to get a plan, what can we do.” Fu said one particular problem is that chief information security officers and healthcare IT leaders typically don’t know their inventory.
“For the security officers, they don’t know what devices they have. There is a lot of contraband, or shadow IT, that comes in. Typically it’s a clinician who accidentally connects a device to an important network, maybe a music player that is simply providing comfort to a patient during surgery, but the clinician doesn’t realize they are introducing a new safety and security risk because they don’t have the security baked into these devices. So the IoT risk is more about unvetted assets into a very safety-critical arena. They can’t have a good answer right now because it’s not built in,” he said.
The security experts also said device and technology solution manufacturers need to be held responsible for security software updates for technology being used in critical infrastructure industries such as utilities and healthcare. “It’s about economics,” Fu said. “On the high-end devices, such as radiation therapy devices in hospitals, these are multi-million dollar machines. When hospitals buy one, they get a new operating system, but most hospitals have capital equipment costs and they don’t want to buy a new MRI machine every 10 years. So I’m still seeing Window 98 machines in hospitals. When they go to manufacturers and say, ‘I want my operating system to be kept secure,’ the manufacturer say, “Buy a new machine.' It’s an unwritten assumption that the software will be maintained and secured, but from the manufacturer standpoint, it’s ‘We provided you this device.’"
Rep. Gus Bilirakis voice concerns about ransomware attacks targeting hospitals and asked the security experts how hospitals could best protect their systems and operations using current technology.
“In the short term, hospitals are in a sticky place. There’s not a whole lot of mitigating solutions. My best advice is for hospitals to know their inventory of medical devices. I saw some discussion in a report that hospitals don’t even know the software running in their facilities and they said if we only knew what was on the medical devices, then we could better understand the risks that we’re taking,” Fu said.
"So what mechanism should we have so hospital systems are fully aware of what’s in their hospitals?” Rep. Susan Brooks asked.
“Hospitals want to make sure they have continuity of operations in their clinical workflow so they don’t have to shut down like MedStar health system shut down in this area for several days. So the problem is, when you don’t know what your assets are, how are you going to protect that? If you don’t know what ports are open? Manufacturers aren’t willfully causing harm, but they are not providing enough information so that the hospital staff can do their jobs to assure the continuity of their clinical facilities,” Fu said. He suggested that device manufacturers should provide customers, such as hospitals, a bill of materials of what software comes on a device when it enters a hospital. “It won’t completely solve a problem, but it will help. We can’t do step two until we do step one. You have to know your assets and inventory before effectively doing security mitigation controls.”
U.S. Rep Frank Pallone suggested that federal regulation, such as on the part of the Federal Communications Commission (FCC), could be part of the solution, yet voiced concerns that regulation would constrain innovation. Bruce Schneier, adjunct lecturer, Kennedy School of Government, Harvard University, and fellow at Berkman Klein Center, Harvard University, said that whiile regulations would constrain innovation, to a certain degree, he believes regulation is the only solution and compared it to how the government regulates automobile safety by requiring airbags.
“The government could impose minimum security standards on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing companies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be carefully scoped, but either of these options would raise the cost of insecurity and give companies incentives to spend money making their devices secure,” Schneier said.
When asked by legislators if he believed a government mandate would be necessary, Fu said, “I do believe, long-term, it will require a governmental mandate. In my experience, even though they mean well, they [the manufacturers] don’t have the economic drivers. With IoT, we know the risk is there and we know it can cause harm. There are millions of unsecure devices, but it’s a small fraction of what the market will look like by 2020. On a positive side, if we take action now, we could win this and we could have secure ecosystem,” Fu said.
Fu recommended that the government needs to incentivize built-in, basic cybersecurity hygiene for IoT devices by establishing meaningful security milestones and encouraging use of strong cryptography. He also emphasized the need to support agencies such as the National Institute of Standards and Technology (NIST) and NSF to advance understanding of how to protect IoT devices and to establish a cybersecurity workforce that meets industry needs.
Additionally, he suggested that legislators study the feasibility of standing up an independent national embedded cybersecurity testing facility modeled after the National Transportation Safety Board (NTSB), automotive crash safety testing, or the Nevada National Security Site.
Fu also suggested that Congressional leaders investigate the barriers to enhanced cybersecurity with IoT devices. “I think likely after seeing the same problems I’ve seen, you’re going to think about the need to have incentive systems built in. Economically, I don’t know what these will resemble, could they be regulations? Maybe. More financial incentives or financial penalties? Is it more about corporate liability? Perhaps,” he said.