SAN FRANCISCO — There’s a growing consensus that the device manufacturers, provider organizations, and regulators are moving the security of medical devices in the right direction. But systemic challenges are stymying the progress.

At the RSA Conference, Marty Edwards, vice president of OT security for Tenable, Ankit Patel, business information security officer at Humana, and Errol Weiss, chief security officer of Health-ISAC, held an informative discussion on the state of medical devices and what’s truly holding the healthcare industry back.

Overall, there’s still room to grow and improve in the outreach and educational aspects of medical device security, but the industry is making great strides in building more security features into devices, explained Edwards.

The culture in the manufacturing community is getting better, as well. In the past, researchers who discovered a vulnerability would call the manufacturer and be immediately connected with the legal department.

“That was their response to vulnerability disclosures because they had no security contact information on the webpages,” said Edwards. “Now I see most manufacturers have gained a little bit of maturity, and they're starting to lean in.”

Many have added chief product security officers who are responsible for product security specifically, rather than for corporate security. There are obviously manufacturers that need to improve, but the “trend is moving in a positive direction,” he added.

“We may not have all the security controls that you would want in a difficult medical device, or connected IoT device … but there has been a lot more progress made over the last five years or so, than ever before,” said Patel.

But despite the progress being made to secure new devices, including improved use of authentication, the complexity of medical device infrastructure and the heavy reliance on legacy technology will keep the state of device security in flux, with no clear solution.

Legacy technology is the biggest security problem for healthcare

For Patel, the real problem is concentrated in legacy technologies. For example, MRI machines and ultrasound machines cost more than $1 million each, which means providers can’t simply replace them with “the latest and greatest” product that ships with these newly implemented security features.

While it’s clear that newer devices will be vastly more secure, that won’t solve the continued use of legacy devices, including those that still rely on Windows XP. These devices weren’t designed with any expectation that they would be connected to the internet, because “ultimately, why would anybody bother with it? What's the problem?”

“In this industry, in healthcare, we see MRI systems wide open on the internet, as well,” said Weiss. “Every single one of those devices on your network could represent an entry point for the bad guy to get into your network and [malware] spreads from that.

“That's the problem. That's the biggest challenge,” he added.

In the last few years, multiple critical vulnerabilities have been disclosed in the underlying software packages of these medical devices, including in the wireless connectivity modules used on millions of devices, said Weiss. “It seems like an endless supply of vulnerabilities constantly popping up.”

And as healthcare works to address these longstanding issues, the IoT trends keep moving forward.

“Home health is becoming mainstream, with a lot of health systems investing a significant amount of dollars into technologies where they can monitor patients overnight,” said Patel. There are also conversations around performing surgeries remotely using robots, and “we're moving very quickly in using innovation and technology.”

Regulations, communication will play a role in reducing medical device risks

Congress and regulators are the likely key to reducing the risks posed by medical devices, while supporting providers through the process. Several proposed pieces of legislation address manufacturers, software bills of materials (SBOMs), and other items that the healthcare sector has sought for years.

From a legislative perspective, Patel explained there are a lot of good foundational elements of medical device security. But within the manufacturer community, there need to be greater conversations between those vendors and security leaders to collaborate on tangible ideas and “identify more concrete practical solutions.”

To Weiss, improving communication between medical device manufacturers and providers will lead to the creation of devices that are more practical for implementation, as well as continuous upgrades on security going forward.

As it stands, the industry is well aware of the issues out there, said Patel. “But we need to find a way to move towards a solution, and analyzing it, as opposed to saying, ‘Hey, the vendor community does this,’ ‘the practitioner, they don't know what they're doing,’ and it's not logistical.”

“Manufacturers have their own challenges, but it’s something we’re all trying to figure out and navigate through,” Patel added. “As we keep thinking about security and trying to bake security as part of the process, I think we will be moving in the right way.”