$55,000: that’s what Hancock Health, a health system based in Greenfield, Indiana had to pay. At approximately 9:30 p.m. on Thursday, January 11, an attack on the information systems of Hancock Health was initiated by an “as-yet unidentified criminal group,” struck. According to local news sources, approximately 1,400 patient names were replaced with the expression “I’m Sorry.”
In order to get the encryption key to get back their data, the healthcare system had to fork over Bitcoin worth approximately $55,000.
This incident illustrates the risk that healthcare networks are subject to in today's ever-expanding cybersecurity threat landscape. In particular, securing networked medical devices in this environment can be challenging.
"Any networked medical devices will have a computer embedded in or attached to it, and we need to take the same steps to secure those computers as we would any other device on the network," says Chuck Kesler, an IT security specialist and former Chief Information Security Officer for Duke University Health System. In a modern healthcare setting, networked medical devices are pervasive, including everything from MRI machines, X-ray systems, infusion pumps, and patient monitors. "Most of these devices have operating systems that are based on Windows or Linux, and like any other software, those systems have vulnerabilities."
Kesler notes that while patching computers, including your own personal computer, has generally gotten easier and more automatic in recent years, patching medical devices “can be incredibly difficult because, for example, manufacturers may need to do additional testing before allowing the latest Microsoft Windows patches to be installed. The patches may also need to be installed manually by the vendor, which requires scheduling a maintenance call that might add extra days, weeks, or even months of delay.”
Because of this lag time in patching medical devices, there have been numerous illustrations of how easy it would be for something to occur, he adds.
"There have certainly been incidents where biomedical devices have been taken offline by a cyber attack, but to my knowledge, we haven’t yet seen a confirmed case where this has had a direct impact on patient safety. But I also think most of us in the information security industry view it more as a matter of not if it will happen, but when it's going to happen. That is our worst nightmare."
Kesler says that manufacturers are aware of security risks for the medical devices they produce, and many are working with their customers and government agencies to improve the situation.
"My sense is that they are now taking the issue seriously," explains Kesler. But unfortunately, there are no quick fixes.
“The problem for them comes back to the lead time on developing these products. Security isn’t something that easy to bolt on to a product. It really needs to be baked into the design, and it may be five plus years between the time the device is conceived to when it goes out the door due to the extensive testing and validation that is required. So, the system that they build might be based on an operating system and other software that is already nearing the end of its supported lifespan."
Many medical device manufacturers Kesler’s worked with recently are now including security as part of their product development process, but it may take several more years before these newer products with security baked into the design are in the market.
Within some healthcare environments, medical devices can get added to a network without appropriate oversight and may not be treating medical devices with the same degree of information security hygiene as other devices throughout their enterprises.
Kesler says that “while many larger healthcare systems pay adequate attention to medical devices and their security, smaller organizations may lack the resources to do so.”
One challenge is that IT and information security may be in different parts of the organization from the clinical engineering teams, which can create some communication and skill set gap issues.
Not knowing what devices are on the network is often one of the issues. Having a comprehensive inventory of medical devices and the security of such devices may not be a top concern until a problem occurs, such as the WannaCry ransomware attack that occurred in May 2017.
“This is why you need to be proactive in how you’re managing the devices and ensuring that security policies are being followed," says Kesler.
According to the U.S. Department of Health and Human Services, Office of Inspector General (OIG), the U.S. Food and Drug Administration, under the Federal Food, Drug, and Cosmetic Act (FD&C Act) has a mission to ensure there is a reasonable assurance that medical devices legally marketed in the United States are safe and effective for their intended uses. The FDA’s Center for Devices and Radiological Health (CDRH) develops and carries out a national program to ensure that patients and providers have access to safe and effective medical devices. CDRH is responsible for regulating firms that design, manufacture, repackage, relabel, or import medical devices sold in the United States.
But when the OIG audited the FDA's oversight, they found inadequacies. In an October 2018 report, they summarized their investigation by stating:
"FDA had plans and processes for addressing certain medical device problems in the post-market phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises. Specifically, FDA's policies and procedures were insufficient for handling post-market medical device cybersecurity events; FDA had not adequately tested its ability to respond to emergencies resulting from cybersecurity events in medical devices; and, in 2 of 19 district offices, FDA had not established written standard operating procedures to address recalls of medical devices vulnerable to cyber threats. These weaknesses existed because, at the time of our fieldwork, FDA had not sufficiently assessed medical device cybersecurity, an emerging risk to public health and to FDA's mission, as part of an enterprise risk management process."
Despite all of this dire news, Kesler is optimistic that things are improving due to a number of collaborative efforts that are ongoing between healthcare providers, information security experts, medical device manufacturers, standards bodies, and government agencies.
“The topic of medical device security is top of mind for many healthcare information security professionals, and that has led to a variety of cross-functional working groups being formed at the regional and national levels to tackle these problems,” he says. “People are sharing ideas and practices that are working for them, and we are learning from each other in the process.”
Kesler highlighted work being done by the Medical Device Innovation Safety and Security (MDISS) Consortium, which has developed a tool called MDRAP (Medical Device Risk Assessment Platform) to help crowdsource information about medical device vulnerabilities, and other programs that provide members with access to medical device security testing labs and vulnerability information that can be incorporated into procurement processes. He also mentioned a playbook on medical device security that MITRE recently released.
Although Hancock Health’s experience and the OIG’s report illustrate there is much work to be done, these partnerships appear to be charting a course towards a better future for medical device security.
Interested in learning more about this topic? One of the upcoming keynote presentations at InfoSec World will give you that opportunity!