Risk Assessments/Management, Vulnerability Management, Black Hat

‘Nothing is a standalone device’: How a complex ecosystem leaves medical security in flux

Leaders from the FDA, providers and manufactures discussed medical device security last week at Defcon in Las Vegas. (“AMD medical devices & Cisco telehealth collaboration” by CiscoANZ is licensed under CC BY 2.0)

Medical device security is one of the most pressing issues facing the health care sector due to the massive number of connected devices within the network and a heavy reliance on legacy platforms. But there’s no simple fix for risk reduction around these patient-centered devices, and it’s health care delivery organizations that are forced to bear the brunt of the burden.

A Defcon Biohacking Village Talk on July 29 brought together leaders from the Food and Drug Administration, as well as provider organizations and manufacturers. The leaders blasted some of the biggest patch management myths and addressed ongoing medical device security challenges.

Overall, the leaders were in agreement: the FDA, manufacturers, and providers themselves are all facing uphill battles in the effort to move the needle on device security. 

'We can't patch everything'

Calls for quick patching have been widely pushed by regulators and industry stakeholders, but resource constraints and a lack of security-by-design create an ecosystem that incorporates varying degrees of risk tolerance.

“The simplicity in that idea, that patching is a panacea solution from a security perspective, is just off. We can’t patch everything. We don't have any ability to monitor and say, ‘all of this stuff needs to be patched’ to reduce the risk we have,” Samantha Jacques, vice president of clinical engineering at McLaren Health Care. “We just end up balancing the risk the best we can.”

“We struggle truly on a daily basis to decide what we’re going to focus our resources on,” she added. “We need to figure out what is the risk we’re willing to accept, and I hate to tell you, everything else falls off the table.”

Jacques explained that her organization risk-ranks items, prioritizing the items to decide what needs to be tackled first. Everything sits within the ecosystem, “and even if I don’t risk-rank an item, it’s still an entry point onto my network and can completely shut down my system.”

In other industries, the IT team can remain at their workstations and simply hit a button to apply the patch to all devices on the network. In health care, nearly all patches would require the security team to physically touch every device in need of mitigation. 

At McLaren Health, there are about 15 processes the security team must follow and when a vulnerability is disclosed, they must take either a proactive or reactive stance. For proactive measures, Jacques noted that they can work with partners when a device is known to hold a flaw and work to apply the patch.

“But when? We don't necessarily know if the vulnerabilities are part of some of the devices we have,” she explained. “We might end up with a reactive stance.”

A vendor may send an email or an alert pops up on a vendor portal. And it's this type of communication that is adding to device challenges, as there’s “no standard way for manufacturers or health care organizations to communicate.” Even when a provider is aware of an issue and the need to apply mitigations, the process to actually accomplish the task is “incredibly painful,” described Jacques. 

At the end of the day, it’s infeasible for a staff member or vendor to come out and touch every device. Thus, providers are simply forced to live with the risk to the ecosystem.

Heavier burden on manufacturers

In 2016, the FDA released postmarket guidance for medical devices that truly spread awareness around the need to secure these vulnerabilities in the sector, while increasing collaboration among stakeholders. The insights aimed to reduce some of the misconceptions around medical device security and to support device manufacturers to more effectively release patches for health care delivery organizations. 

“FDA’s approach is meant to benefit public health and safety by trying to incentivize manufacturers to respond quickly to address cybersecurity concerns; doing so is in the best interest of patient safety,” said Aftin Ross, FDA senior project manager and staff fellow.

“The FDA requirements were sometimes put forward as rationale for not addressing a cybersecurity vulnerability, and we felt that we very clearly articulate that FDA requirements should not be a barrier for addressing cybersecurity concerns,” she added. “The FDA does not typically need to review changes that are being made as a result of a cybersecurity concern.”

Previous data found that since FDA clarified its stance, disclosures increased by at least 400% — a welcome change in a sector already facing overwhelming security challenges.

Erik Decker, Intermountain Healthcare assistant vice president and chief information security officer, explained that this progress in the last few years with the FDA guidance and manufacturers coming to the table has been a serious positive for the sector, but there’s still a long way to go.

From a health care delivery organization perspective, the need and desire to patch is evident, but it’s just not that simple. Decker explained it means most providers put in compensating controls as a “temporal bridge type of solution.” What’s really needed is a state where the final patch can be deployed.

Patient safety and clinical effectiveness concerns are key issues, particularly considering the criticality of the patch is entirely driven by the manufacturers. If a vulnerability is found, the manufacturers will conduct a risk analysis pursuant to FDA postmarket guidance to determine if there’s an underlying critical effectiveness issue, said Decker.

The manufacturer then will deem it an uncontrolled or controlled risk. Decker noted that uncontrolled risk is defined by whether the vulnerability can cause direct harm. But as “the device is part of an ecosystem that, when it’s weak, breaks the entire ecosystem.” 

“Suddenly we're not able to care for our patients. Because that one device that’s over here in a corner was deemed as a controlled risk, but was used as a beachhead and blew through everything,” said Decker. “We’re not having the risk conversation at the ecosystem level.”

Indeed, manufacturers are talking about risks pursuant to the guidance, which may inadvertently be causing a “quagmire of vulnerabilities; the answer is: ‘Just put a firewall in front of it and you’re fine,’” he warned. At the same time, manufacturers may use remote tools and connect into these devices without telling the entity.

“How much stuff is happening in my environment that I don't even have visibility into, or control over? And what happens when it’s in the middle of an operating room and a surgery is going on and we’re not controlling for that? That’s my sort of challenging statement of reality,” Decker added.

Tara Larson, Abbott’s product security director and chief security architect, noted that the larger vendors are cognizant of the need to act with caution in the health care environment and are not looking to be a pivot point into the network due to the risk to patient safety and reputational harm.

In addition, applying firewalls to patching challenges is indeed “just a Band-Aid” and does nothing to solve the actual problem, “just pushes it down the line.” For Larson, the way to solve the issue is for device manufacturers to apply more of the critical risk assessments, while looking at all the ways the ecosystem interacts with the device.

This applies in situations where a device isn’t being used for patient care at that point in time, where manufacturers need to ensure the flaw isn’t being used to get into a device on another system. For Larson, that’s where the CSAs can get to the bottom of the challenge, particularly as more systems come on board through IoTs. 

“You can’t just say it’s a standalone device. Nothing is a standalone device anymore,” she added.

The FDA is working to support manufacturers in swiftly addressing cybersecurity with just enough regulatory oversight. Those manufacturers with known vulnerabilities and concerned with the impact of a patch can send a submission, which the FDA requires within 30 to 60 days.

However, very few of these submissions are adhering to those guidelines. Larson explained that for the manufacturer, the sheer challenge with medical device security is indeed pushing out those patches. Much like applying the update in the health care environment, it’s equally challenging to create a patch that won’t break the device function.

“It’s why timeliness is such a challenge,” she added. Manufacturers are attempting to strike a balance. Ideally, a vendor could work on the process internally to apply the simple patch, but it’s not that simple. Not only that, but devices aren’t just in the hospital environment: they’re in bodies and homes where an admin can’t simply apply the patch or require a person to connect to a system every day.

But should manufacturers have the final say?

'Hope is not a plan'

Decker noted that he previously added the timing requirement to contracts with vendors, some of which signed it and others explained they wouldn’t adhere to the timeline and would just recall the device.

The assertion proved puzzling, as the vendor was essentially saying they would take all the time they wanted to work through the issue. And what is the provider supposed to do in the meantime, “just put a firewall around it?” As a result, the industry is still in flux.

Jacques added that there’s truly a bell curve, with a lot of manufacturers stepping up and partnering with health care entities to support improvements. But there are other vendors who haven’t even started the process with security missing from the design of the device, despite awareness on the need to do just that on the manufacturing level.

Given that reality, the burden of security truly falls to the provider. It’s a serious issue when trying to address overall security on an ecosystem level, said Jacques.

The Healthcare and Public Health Sector Coordinating Council published critical guidance around product life cycle to better support the process for manufacturers and providers. Decker posed a pressing question: “Why then can’t it just be a requirement?”

“Why do we have to fight for this? For those on the bell curve, those who haven’t adopted it or rejected it, saying 'that’s a nice idea, but we’re not focused on that?' I find, in some cases you just need the rules to be set and that’s where it goes,” said Decker. “Is it possible?”

“We are all very aware that hope is not a plan. But we have no other mechanism at this point besides hope,” Jacques added. Medical device security is getting better. But the situation is still a massive challenge, “I wouldn’t even call it good at this point.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.