Medical device security continues to be a casualty of hospital-medtech divide


Editor’s note: This is the second in an ongoing series on the growing cybersecurity risks of medical devices

Medical device manufacturers and hospitals are both responsible for protecting devices from cybersecurity threats and working together to manage the risks to patient safety.

However, while there is recognition of shared cyber responsibility on both sides, device security continues to be a casualty of a hospital-medtech divide that often results in finger pointing between these two stakeholders and at times a lack of coordination. The effect is that patients’ lives can be in danger from outdated and unprotected medical devices.

If cybersecurity risk is not effectively minimized or managed throughout the life of a device, it could potentially result in patient harm such as illness, injury or death as a result of delayed treatment or other impacts to device availability and functionality. The stakes are high as the FDA seeks to achieve more transparency when it comes to device vulnerabilities.

Nowhere is the blame game and division between hospitals and medtechs more prominent than when it comes to the challenge of defending older legacy medical devices against the growing threats of hacker attacks.

Hospitals contend that many legacy devices were not built with security in mind and as the end users, in the final analysis, they bear a much heavier burden for trying to secure them than medtechs do. The American Hospital Association wants to see the FDA mandate lifetime support of medical devices by manufacturers.

John Riggi, AHA’s senior advisor for cybersecurity and risk, claims that the majority of medical devices used by hospitals are legacy devices that rely on operating systems such as Windows 7 that Microsoft no longer supports with security patches and updates.

Compounding the problem is that a health system can have tens of thousands of devices from hundreds of manufacturers connected to its network, creating an overwhelming cybersecurity management challenge for healthcare facilities already burdened with safeguarding their traditional IT assets.

According to cybersecurity firm Sensato, there is an average of 6.2 vulnerabilities per medical device, and the FDA has issued recalls for such critical devices as pacemakers and insulin pumps with known security issues, while more than 40% of medical devices are at the end-of-life stage, with no security patches or upgrades available.

Earlier this month, the Cybersecurity and Infrastructure Security Agency issued an alert about critical vulnerabilities in Siemens software, originally released in 1993, that could potentially impact millions of medical devices from multiple manufacturers. Siemens released updates for several of the affected products and the company advised users of unpatched devices to take countermeasures but did not identify any additional specific workarounds or mitigations, according to CISA.

While there are no known attacks that have specifically targeted the vulnerabilities, CISA said there is the potential for hackers to disrupt the operation of critical medical devices such as anesthesia machines and bedside monitors. FDA asked all manufacturers to assess their exposure to the vulnerabilities in the Siemens software.

Nick Yuran, CEO of security consultancy Harbor Labs, said some of the affected medical devices could have been in clinical use with these vulnerabilities for nearly 30 years, adding it’s “another wake-up call” for the medtech industry about the hidden risks in legacy devices.

At the same time, a lot of hospitals don’t have an accurate view of their inventories of medical devices, which makes it impossible to protect them from hackers.

A recent survey from the Ponemon Institute found only 36% of healthcare delivery organizations surveyed consider themselves effective in knowing where all medical devices are, while just 35% indicated they know when a device vendor’s operating system is end-of-life or out-of-date.

When technology goes end of life, that “means end of security,” according to Rob Suárez, Becton Dickinson’s chief information security officer, who added it’s very expensive to upgrade a large inventory of legacy devices.

“It’s very important for medical device manufacturers and healthcare providers to work closely together to plan as part of procurement cycles for these necessary upgrades,” Suárez said.

However, it is a massive challenge — especially for larger health systems that are dealing with a high percentage of legacy devices that are physically moved constantly within hospitals, AHA’s Riggi argues. Clinicians often move these devices to different patient locations in facilities, placing them on the network and taking them off, which is far from optimal when trying to keep track of them, Riggi said.

“Sometimes a vendor will say, ‘Well, the solution to that is you just need to buy a new device.’ That’s just not possible financially, especially given we have many hospitals and health systems that are under this crushing burden of COVID-19 and the financial pressure,” Riggi said. “We have these devices that we cannot in many instances afford to replace.”

While FDA has issued post-market guidance to medtechs on their requirements to secure medical devices, AHA contends that too often manufacturer support is lacking and hospitals must create their own custom device security controls, many of which are expensive, inefficient and do not scale.

Hospitals have “historically had these devices thrown over the fence” by manufacturers and “been told it’s on you” once they are in operation on healthcare networks and behind firewalls, according to Vidya Murthy, COO of medical device cyber firm MedCrypt.

Murthy, who used to work for BD as senior manager of cybersecurity, contends that the device security demands on hospitals have built up to the point where healthcare organizations are “crumbling under the pressure” of trying to keep track of devices, let alone patching them.

“I think about the breadth of what a hospital has to manage,” Murthy said. “It’s not just a variety of devices but sheer volume. Some manufacturers are focused on just making a singular device and having cybersecurity dedicated just to that device and there’s still vulnerabilities. It’s an unrealistic expectation for hospitals to develop such an expertise per device.”

Product lifecycle challenges

To start to help hospitals, FDA in July issued a discussion paper, following a 2018 report, in which it set a goal of strengthening and improving cybersecurity processes tied to the servicing of legacy devices used in healthcare settings beyond their intended lifecycles.

FDA noted that the original equipment manufacturers (OEMs) “have regulatory obligations regarding safety issues beyond security supportability, the individual components, such as operating systems and other third-party software components, may no longer be supported in advance of the healthcare establishment procurement cycles — or there may be financial reasons why a healthcare establishment elects to continue the use of a device past its end of life.”

FDA warned that these unpatched medical devices will become increasingly vulnerable to cyberattacks over time and has called for more communication from OEMs when they can no longer support software upgrades and patches needed to address their devices’ cybersecurity risks.
