On Sept. 12, the FBI issued an industry alert regarding unpatched and outdated medical devices that provide opportunities for cyberattacks. According to the alert, a growing number of vulnerabilities are caused by unpatched medical devices that run on outdated software and devices are missing sufficient security features.
We reported on Sept. 14 that “The alert says that ‘Cyber threat actors exploiting medical device vulnerabilities adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity. Medical device vulnerabilities predominantly stem from device hardware design and device software management. Routine challenges include the use of standardized configurations, specialized configurations, including a substantial number of managed devices on the network, lack of device embedded security features, and the inability to upgrade those features.’
The alert added that “Medical device hardware often remains active for 10-30 years, however, underlying software life cycles are specified by the manufacturer, ranging from a couple months to maximum life expectancy per device allowing cyber threat actors time to discover and exploit vulnerabilities. Legacy medical devices contain outdated software because they do not receive manufacturer support for patches or updates, making them especially vulnerable to cyberattacks.”
Do you have any comments on the announcement?
Anytime an organization like the FBI makes an alert or an announcement, there's merit around the reason why they are bringing the information forward. In this case, I think it's because a lot of organizations do have a hard time managing the problem of medical device security—it's a complex problem. There's lots of different reasons why, but ultimately, it creates a lot of risk in those healthcare entities that have medical devices and aren't able to accurately secure them or even really understand what the risks are or in a lot of cases or understand fully what assets are available within the organization.
Generally, you think of medical device as a provider problem. It's an enterprise problem—devices that are plugged into the network and into the healthcare organizations. But really, you have all of these medical IoT [internet of things] devices of sorts, whether they are in support of patient safety or devices that are being leveraged within patients that require administration updates, like pacemakers. On the extreme side these devices [like pacemakers] have a lot of potential impact of something going wrong if compromised. So, it's more than just enterprise networks that are concerned it's the patients that are attached to the devices that rely on supporting infrastructure that support said devices, it becomes a very complex problem very quickly.
Where can organizations get started in regard to securing medical devices?
Having done this most of my career, I would do what was provided in the alert—basic blocking and tackling, as it relates to the fundamentals of a security or privacy program. What an organization needs to do to is ultimately reduce risk. I would say if you're unaware of where the organization is, then you first need to be able to assess where you're at and identify a baseline of sorts. And so that's generally where we would recommend understanding what the current risks are with the organization, what is the organization that's doing well, as relates to threats, and where areas of improvement are—whether that's people, process, or technology, that they need to either make investment in or change the way things happen. You're going to have organizations that are in various stages of maturity, here at Cynergistek specifically, we have organizations that all over the spectrum. It’s hard to really know where you're at though, if you don't take a take a look at what a risk assessment identifies as what to fix first.
Do you have any recommendations on how IT professionals can talk to senior leaders or the board about investing in better security practices for medical devices?
I think at the end of the day, everyone in healthcare has the same goal of making sure that the patient is safe. If you can highlight that these devices are in extreme risk of being compromised, and those being compromised directly will relate to potentially patient safety issues, whether that is directly or a lot of times indirectly—meaning you have supporting infrastructure that those devices run off of more traditional IT assets. What happens if that organization is compromised from ransomware? Well, if you have medical devices that rely on that supporting infrastructure, guess what? You're not going to be able to service your customers, which is going to put them at risk. We've seen documented cases where that has directly led to loss of life. Organizations who are compromised with ransomware have had to move patients and during that time as those patients were transitioned time was of a critical nature. That’s an extreme example but that's a conversation that I think a lot of people can understand and really the job of the CISO or, in this case, whoever might be responsible for security, has to articulate in a manner that's going to resonate with their audience.
Do you have any other advice for that’s working in a hospital or health system right now in these uncertain times?
I think taking an active approach and adopting the mindset that risk is not a static view, it's dynamic. You have to start thinking about this approach from a continuous perspective, as opposed to one point in time. Anytime that you're doing assessments, you need to ask yourself, “How can I do this on a continuous basis so that I'm constantly identifying risk and making micro adjustments as it relates to priorities to best service the needs of my patients and our customers?” To me, if you can get people to look at risk differently, as opposed to just focusing on an annual assessment, it will have a large impact.
