While ransomware is still the most significant healthcare security risk, medical device hacking is a concern that continues to grow. Just last week, the Department of Homeland Security issued a detailed warning about vulnerabilities in Medfusion's Syringe Infusion Pump.
At the HIMSS Media Healthcare Security Forum in Boston today, speakers described the many problems inherent in defending older legacy medical devices against new security threats.
"In the medical device area, many of the devices, half if not more, are what we would consider legacy," Jeff Livingstone, vice president at Unisys Enterprise Solutions, said at the forum. "It takes about 5 to 7 years or so for class 1 or class 2 devices to go from concept to market. It can take another year to clear FDA guidance. So there’s a substantial delay between when protections are built in and when they make it to market."
And within the hospital, too often the focus is on building protections into new devices, rather than making sure the older devices that are currently implanted in patients are secure.
"In my mind, right now, implantable devices are in a very precarious position," said Bruce James, director of security architecture and engineering at Intermountain Healthcare. "We had a situation where we had executives who inquired about the security of devices and what their status is. So when we talked with our medical group, one person told us ‘Don’t worry, we’ve got this handled, all the devices are patched.’ It ends up when we got into the conversation a little bit, what they’re talking about is ‘All the devices in their supply chain warehouse that are ready to implant are fine’. It’s not even in their purview to think about the devices that are already implanted in patients."
Those older devices are often the most at-risk because some of them weren't even designed to be connected devices, according to Heather Roszkowski, network chief information security officer at The University Of Vermont Health Network.
"There are any number of reasons why these devices have become connected and over the years and, for the most, part the risks associated with using the devices have been transferred to the organization using them," she said. "So it becomes the healthcare organization’s responsibility to do it securely. If you can’t use an antivirus solution or you can’t do logging on them, you have to look at 'How can I remove them from our production environment or firewall them off?' There are a lot of ways we’re being forced to mitigate the risks associated with these devices, until some better security tools can be put in place on them, if that’s even possible. I appreciate the fact that the new devices have more security, but I still think there’s a cultural change that needs to happen."
Ryan Witt, managing director for healthcare industry practice at Proofpoint, suggested that the industry needs to come together and put pressure on device companies to address the problem. But in the meantime, healthcare providers should embrace robust security as a selling point for their system.
"The most effective hospitals I see use security as a competitive advantage," Witt said. "They recognize that over time they’re moving from brick and mortar care to home-based care and they use security to convey that ability. They say 'I’m going to safeguard this patient-doctor experience remotely'. And how do you do that without a robust security architecture?"
Healthcare providers can often patch old devices to make them more secure. If they can't, as Roszowski said, they have to find ways to seperate the devices from the network or hide them. As for newer devices, the best thing a hospital can do is apply a lot of scrutiny -- but even that isn't always enough.
"One of the things we’ve tried to do is we have a process to onboarding new devices or software or hardware in our environment," she said. "I can tell you a number of times we’ve rejected medical devices because of security concerns and we’ve gone to other vendors. It’s pretty sad when you’ve reviewed three vendors in the same space and the briefing you get is 'This is the best of the worst. The other two are much worse than this.' And that’s not a conversation you want to be having when you’re talking about a medical device for your patients."