A survey conducted earlier this year assessed whether senior leaders involved in the Internet of Medical Things (IoMT) thought they were prepared to prevent a cyberattack: 88% of the U.S. medtech leaders surveyed said they didn’t think their company was prepared, and only 13% of IoMT leaders stated that they believed their business was positioned to mitigate future risks. The increasing use of connected devices in the healthcare space, along with the escalating threats of cyberattacks across all industries, is putting more pressure on medtech companies and healthcare organizations to improve their cybersecurity hygiene and work together to address threats.
In a Q&A with MedTech Intelligence, Vidya Murthy, vice president of operations at MedCrypt, and Baksheesh Singh Ghuman, global senior director of product marketing and strategy at Finite State, share their thoughts on the current hurdles that both medical device manufacturers and healthcare organizations are up against in the area of cybersecurity, and how they can move forward.
MedTech Intelligence: What are the biggest challenges that medical device manufacturers face in the area of cybersecurity? Where/What are the most significant vulnerabilities?
Vidya Murthy: While the last several years have demonstrated traction and movement in enhancing medical device cybersecurity, there are unique challenges that make progress especially difficult in this industry.
- Patient centricity: Healthcare knows healthcare. It’s difficult for medical device manufacturers (MDMs) that have built a clinical specialization for more than 100 years to prioritize cybersecurity the same way. Focusing on patient outcomes is, correctly, at the forefront and must drive all behaviors. Weighing the risk of updating a device against clinical outcome is a real challenge that must be managed.
- Connectivity: Devices that operate inside a healthcare delivery organization (HDO) can often be limited in their connectivity/ability to ‘phone home’. This can limit the ability for MDMs to have insight into how a device is operating, identifying anomalous behavior, troubleshooting or even resolving incidents. This is further highlighted by more and more devices going home with patients, which can mean connectivity becomes entirely unpredictable.
- Tooling: Most security solutions are either targeting enterprise or IoT use cases. These don’t work when a patient is attached to the device (example). Understanding the complicated relationship between device buyer, user, and maintainer requires cybersecurity to support the way care is delivered.
- Impact: Many have said device based exploits ‘aren’t a thing.’ And while most headlines relate to a HDO exposing sensitive data (whether PHI or PII or other), we are starting to see devices identified in the attack chain (example).
- Other factors to consider: Equipment age, lack of historic security priority, complexity, technical and administrative dependencies, to name a few.
In an attempt to identify what is the most significant vulnerability, we reviewed every MDM vulnerability disclosure by ICS-CERT since 2013. As noted in the whitepaper, user authentication is a recurring theme in vulnerabilities. It doesn’t feel like we’re facing customized, highly sophisticated attacks, but instead are struggling with foundational security best practices.
The greatest risk to a sufficient security posture is waiting for perfection in light of making continuous progress. I applaud those MDMs that have been vocal about developing security programs, committed budget and resources to standing up product security teams, and engaging with experts to find tools that meet their needs. The industry’s biggest challenge is to make security de facto in product development lifecycles, and not a reactionary Band-Aid after an incident or customer mandate.
Baksheesh Singh: The biggest challenge for medical device manufacturers is the use of IoT technology, which is insecure by design, to develop connected medical equipment. These connected devices, without proper cybersecurity controls, can lead to catastrophic security breaches, as the majority of connected devices use multiparty code, including open source, without actually analyzing it for vulnerabilities. The most common types of cyberattacks that stem from device vulnerabilities include:
- Denial of service attacks
- Theft of patient information
- Device malfunction leading to patient death in some cases
- Lateral access to other parts of the organization’s network
MTI: Do you see a need for heightened cybersecurity regulations for MedTech manufacturers?
Murthy: Regulations serve the purpose of trying to protect the end-user from predictable threats. The challenge in security is that there are always unknown unknowns. Anywhere in tech, by the time software hits the market, it is already out of date. The components used in supporting medical devices are no exception to this norm.
Between the recent executive order emphasizing cybersecurity in critical infrastructure, the FDA pre– and postmarket cybersecurity guidance, and a plethora of international guidance documents for MDMs, the burden for demonstrating sufficient consideration of cybersecurity risks seems to be well outlined and expectations managed.
Medical device regulations have made it easier for cybersecurity concerns to be mandated into devices and clarify the value of vulnerability sharing within the community. Regulators are walking a fine line; too much enforcement too soon would drive life saving devices and potentially even entire companies out of the market, yet, too soft of an approach will mean that relatively insecure devices will remain in the market longer. With concrete goals and expectations for each community participant outlined in guidance documents, and the mandate for 510(k) submissions to demonstrate specific technical security functions, it feels like the healthcare community can move away from FUD.
Singh: Like most organizations, MedTech device manufacturers should follow proper cyber hygiene. However, manufacturers should understand that the risks posed from IoT/IoMT devices are much more complicated to identify than traditional IT devices, and should ensure that they follow the strict cybersecurity controls to identify and manage such devices. Finally, these connected devices use firmware that can have multiparty code and it is important that the cybersecurity controls cover device firmware and software supply chain cybersecurity.
MTI: What challenges are healthcare organizations facing regarding cybersecurity?
Murthy: In the midst of a global health pandemic, most HDOs are facing a shortage of resources across the board, including in defending their cybersecurity posture. A study by Deloitte found an average of 10.9% of IT budgets were slated for cybersecurity in the sector. Hospitals and healthcare providers, on the other hand, spend less: a survey by HIMSS found that 75% of HDOs spend less than 6% of their IT budgets on cybersecurity.
Acknowledging that all spend is not equal—it is insufficient to simply double cybersecurity spend in healthcare to reach a more secure state. Instead we need to be strategic and shift security up the supply chain.
Singh: These days, virtually every industry that you can think of struggles with defending IoT/IIoT connected devices against cyberattacks, and the healthcare industry is no exception. In the last year alone, cyberattacks against healthcare organizations rose by an alarming 55%, a statistic that calls out a lack of sufficient cybersecurity controls and a serious need for reevaluation.
To improve cybersecurity hygiene, organizations must first gain a greater understanding of the devices they are working with. Connected devices, as mentioned before, are insecure by design and make attractive targets for hackers. This is especially true for medtech devices, not only because they offer valuable, sensitive data that can be stolen, but also due to potential threats to patient safety that can arise during an attack. This can occur when access to patient records and critical devices is lost during a ransomware attack.
Furthermore, these attacks can cause financial and reputational loss, not to mention fines and potential lawsuits. From a hacker’s perspective, all of these combined factors will make an organization much more likely to give in to demands and pay the ransom.
MTI: How can healthcare organizations efficiently prepare for cyberattacks? What steps should they take in responding to a cyberattack?
Murthy: Unfortunately, blame is pervasive in healthcare and cybersecurity. It should therefore be unsurprising that a common retort in healthcare cybersecurity is that ‘people are the weakest link’. It’s true in one sense: healthcare leads other industries, with 31% of cybersecurity-related breaches being attributed to human error. However, the question must be asked: If we blame patients for not adhering to treatment plans, and we blame people for cybersecurity problems, maybe we’ve built systems that don’t work properly?
Healthcare cannot remain reactive to dealing with cybersecurity threats. Instead we need to design our new systems with the intentionality of proactively protecting our users from them. Our systems must grow to prioritize reducing the extent of reliance on users against unknown threats. Note the nuance: I’m not saying the user doesn’t know how to use the device. I’m saying with tech, there will always be unknowns and there will always be weaknesses. The best systems are those that do not rely on the user as the detection, and more importantly in patient care, the efficacy of a device. We must be intentional and prioritize designing security into devices if we are to ever change the landscape of cyber threats in healthcare.
The role of the healthcare organization in this is to exercise their ability to influence procurement decisions, advocate for proactive security built into devices, and collaborate with MDMs to build a path out of reliance on insecure legacy devices.
A good security approach requires good governance and executive leadership. Only an organization that recognizes that security risks are a business risk will be able to succeed with implementing a security strategy consisting of people, process and technology. Any shortcoming in one of these areas cannot be compensated for in the others. A modern security architecture requires a layered ‘defense-in-depth’ approach that not only provides protection but also assures resilience and recovery.
Singh: Although the process to secure medtech devices starts with the device manufacturers, it is uncertain how long it will take for the necessary regulation that will make this mandatory to come into full effect. Until that time comes, healthcare organizations must ensure that the IoT devices within their network are secure by gaining a deeper understanding into the firmware components and potential vulnerabilities that are embedded within them.
Fortunately, there are cybersecurity controls now available that can do just that—analyze your entire device & embedded systems for misconfigurations and vulnerabilities. This way, potential threats can be identified and patched quickly.
Using such controls, such as firmware analysis tools and solutions, will not only educate organizations about the vulnerabilities present in their networks, but can also be used to assess device risk before putting expensive (and insecure) devices online. A step-by-step process that organizations should follow is included here:
- Make sure that your firmware is free of vulnerabilities both when buying and updating
- Make sure that data stored in these devices is secure
- Make sure that proper communication and authentication mechanisms are in place to achieve secure communication
- Make sure that all devices are part of the overall IT/OT network cybersecurity—in other words, the devices should be discoverable and manageable
- Make sure that there are continuous controls in place that monitor these devices for changes
While it is not possible to eliminate the threat of cyberattacks entirely, healthcare organizations have the means to effectively mitigate and respond to attacks of this nature. To achieve this, educating healthcare and security teams with awareness and proper cybersecurity hygiene is critical. After all, there are more important factors than just data and money at stake in healthcare.
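The first and last steps of the list above (check firmware components for known vulnerabilities at purchase and update time, and keep monitoring the devices for changes) can be reduced to a small, repeatable check once a device's firmware component inventory is in hand. The following is an added example written for this page; it is not code from the article, from MedCrypt or from Finite State, and it does not use any vendor tool. The device name, the component inventory, the advisory list and the placeholder identifiers DEMO-0001/DEMO-0002 are all constructed for illustration and are not real devices or real CVEs.

```python
"""Firmware component check: known-vulnerable versions plus drift since baseline.

Added example, not from the article. All inventories and advisories below are
constructed for illustration; the identifiers are placeholders, not real CVEs.
"""
import hashlib
import json

# Constructed SBOM-style inventory of third-party components found in a
# device image (hypothetical device name).
INVENTORY = {
    "device": "infusion-pump-demo",
    "firmware_version": "2.4.1",
    "components": [
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "busybox", "version": "1.31.1"},
        {"name": "lwip", "version": "2.1.2"},
    ],
}

# The same device after a vendor update: openssl bumped, a new SSH daemon added.
UPDATED_INVENTORY = {
    "device": "infusion-pump-demo",
    "firmware_version": "2.5.0",
    "components": [
        {"name": "openssl", "version": "1.1.1k"},
        {"name": "busybox", "version": "1.31.1"},
        {"name": "lwip", "version": "2.1.2"},
        {"name": "dropbear", "version": "2020.81"},
    ],
}

# Constructed advisory feed: every version below "affected_below" is affected.
ADVISORIES = [
    {"component": "openssl", "affected_below": "1.1.1", "id": "DEMO-0001"},
    {"component": "busybox", "affected_below": "1.32.0", "id": "DEMO-0002"},
]


def parse_version(v: str) -> tuple:
    """Turn '1.0.2u' into ((1, ''), (0, ''), (2, 'u')) so tuples order correctly.

    Each dotted piece becomes (numeric prefix, alphabetic suffix); tuple
    comparison then handles letter-suffixed releases such as OpenSSL's.
    """
    parts = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        parts.append((int(piece[:i]) if i else 0, piece[i:]))
    return tuple(parts)


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Return (component, version, advisory id) for every matching advisory."""
    hits = []
    for comp in inventory["components"]:
        for adv in advisories:
            if adv["component"] != comp["name"]:
                continue
            if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def fingerprint(inventory: dict) -> str:
    """SHA-256 of the canonical JSON form, usable as a stored baseline."""
    canonical = json.dumps(inventory, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_components(baseline: dict, current: dict) -> dict:
    """Explain a fingerprint mismatch: which components were added, removed or changed."""
    old = {c["name"]: c["version"] for c in baseline["components"]}
    new = {c["name"]: c["version"] for c in current["components"]}
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in set(old) & set(new) if old[n] != new[n]),
    }


if __name__ == "__main__":
    print("at purchase:", find_vulnerable(INVENTORY, ADVISORIES))
    baseline = fingerprint(INVENTORY)
    if fingerprint(UPDATED_INVENTORY) != baseline:
        print("drift since baseline:", diff_components(INVENTORY, UPDATED_INVENTORY))
    print("after update:", find_vulnerable(UPDATED_INVENTORY, ADVISORIES))
```

Two points worth noting. A fingerprint alone tells an operator only that something changed; the component diff is what turns the alert into a question for the manufacturer (here, why an SSH daemon appeared and whether it is reachable). And a vendor update that fixes one component can leave another one affected, which is why the advisory check is rerun after every update rather than only at purchase.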