Attacks against software vulnerabilities seem to be occurring on a regular basis. Although the concern is top of mind with IT experts across all industries, tackling cybersecurity issues can be a challenging task for smaller organizations, especially in the device industry. In a Q&A with MedTech Intelligence, Stephanie Domas, vice president of research at MedSec, LLC, a cybersecurity research firm specifically focused on the healthcare industry, discusses the hurdles that device companies face, the progress made, and areas of improvement, including the need for more collaboration between hospitals and manufacturers.
MedTech Intelligence: Let’s start by talking about the cybersecurity landscape—what are the biggest areas of vulnerability on the device side?
Stephanie Domas: On the positive side, we’re seeing a big increase in the amount of transparency from medical device manufacturers with regards to cybersecurity sharing. About a week after details about Spectre [a cybersecurity flaw uncovered in January] came out, 12 of the large medical manufacturers published information about whether or not their devices were affected. We didn’t see that speed to transparency during the last big cybersecurity breach.
MTI: How educated are manufacturers with regards to areas of vulnerability and actions they should take?
Domas: It’s tough because the larger manufacturers have the resources and are taking security seriously and building up those resources. But the truth is that most medical device manufacturers are small. When people think of medical manufacturers, they’re thinking of the big household names that everyone knows, but that’s actually the tip of the iceberg. It’s not to say that the smaller manufacturers don’t understand the problem, it’s that they don’t have the resources to tackle it the way the big manufacturers do. I would say most manufacturers I interact with, the ones you see at conferences or participating in information sharing, are absolutely tackling cybersecurity appropriately, but that’s really a small subset of the medical manufacturers that are actually out there.
MTI: Where should manufacturers be going if they don’t have the in-house resources to address cybersecurity?
Domas: The key is to find third-party partners. There’s a very good reason that a large bench of cybersecurity experts isn’t in-house: you don’t need them all the time. Find third-party organizations you can partner with that live and breathe cybersecurity, so when you do need the cybersecurity expertise, you know the right people to call.
MTI: On the hospital side, what’s the relationship between device manufacturers and hospitals in addressing cybersecurity?
Domas: That’s one of the biggest areas where I think we need to see growth. For the past couple of years, the medical manufacturers and the hospital systems have been tackling cybersecurity to the best of their abilities, but it’s been in isolation. Hospitals have been trying to lock down their networks and isolate the medical devices on their networks, and the medical device manufacturers have been trying to independently lock down their devices—that partnership still needs to grow.
The medical device manufacturers are trying to build devices that have secure configurations and feature sets, but when they get to hospital systems, the hospitals are overrun with how many unique devices they have. In a hospital setting, if I have 30,000 different medical devices and 10,000 types of devices, I don’t have the staff and the time to figure out how to set up each one in a secure manner, monitor each one for security, and keep it up to date. Even though both sides have good intentions and are trying to do the right thing, it’s a scalability issue where hospitals can’t keep up with the number of unique medical devices. There needs to be more partnership moving forward. I’m not sure what that looks like; it might mean more uniformity, with medical device manufacturers choosing similar setups where maybe all medical devices update in the same way or they offer similar feature sets so it’s not quite so daunting for hospital systems, or the hospital systems band together and come up with collective asks, because that’s another area where manufacturers struggle. Some hospitals say they would like a device to behave a certain way and have certain configurations, and then the next hospital wants it to behave another way. You have a lot of conflicting requests on both sides, and that makes it really hard to have a uniform solution. So I think the hospital systems need to collaborate more to decide if there is some set of security requirements; even if just 10% of hospitals could agree, that would go a tremendous way for the industry, because it would give manufacturers who want to do the right thing something to aim for. And there needs to be increased partnership between the hospitals and the manufacturers to help ease the burden of maintaining the medical devices once they’re in the hospital.
MTI: Are there any specific hospitals or medical devices being targeted by cyberattacks?
Domas: Right now there is not a specific device type; it’s more about whether the device is running commodity software, such as devices that are based on Windows. Medical devices that are running commodity software are susceptible to commodity vulnerabilities. I mentioned earlier reports of which medical devices are susceptible to Meltdown and Spectre. Meltdown and Spectre were not attacks against medical devices; they were attacks against common processors that a lot of medical devices happen to use. I haven’t seen attacks developed specifically to hurt a medical device, because the truth is that hackers don’t have to be that sophisticated right now. They’re able to take vulnerabilities that exist in common things like Windows and Linux and database servers and just use those. Hackers, for all the bad things they do, are also smart—they’re not going to sit there and invent a new attack for medical devices when all they have to do is use an attack that already exists.
People tend to think of [cybersecurity] as all doom and gloom. Good progress is being made. A couple of years ago, when you went to a conference for cybersecurity in medical devices, people didn’t understand the basics. Now you go to those conferences and they’re so much more advanced; people understand what it means and what they need to do. They’re there trying to figure out different approaches. So, progress is being made; there’s just a long way to go.
MTI: MedSec will be launching a new tool next month to help hospitals evaluate the cybersecurity status of medical devices. What are some of the benefits of MedScan?
Domas: The goal is to meet a need I was alluding to earlier—hospital systems have so many different medical devices that they can’t even keep track of what and how many medical devices are on their system, their location, and whether their software is up to date. And, are they talking in a secure manner? Hospitals call it asset management. Even for the tech savvy, if you ask them how many infusion pumps are on their network right now, they would struggle to answer that question. It’s really hard to keep track of it all. MedScan aims to help alleviate that burden—it’s supposed to help with asset management in the hospital network by looking at the network to show how many of each device you have and what type of information it is sharing on the network. That’s another area where hospitals struggle—they say, I have all these infusion pumps on the network—are they sending sensitive information? The hospitals don’t even know what kind of information those devices are chatting about. The tool will also show if a device is sending PHI to somewhere else on the system, and whether it is encrypted. It helps alleviate the digging hospitals have to do. The future feature set [of MedScan] is a version of the software that tells you which, and how many, devices on your network are running out-of-date software.
The tool is meant to alleviate the burden of asset management, software tracking, who is sending what on the network, and whether they are doing it in a secure manner. It will sit in the hospital, but it is being developed in collaboration with device manufacturers. On our side, we have partnerships with medical device manufacturers so that we can build in accurate information. So we’re doing the heavy lifting of figuring out the version of software that is running and whether there are new versions—that legwork is being done by the MedScan tool and doesn’t have to be duplicated by all the hospital systems.
The critical piece is that this is a passive tool. Medical devices, particularly legacy ones that weren’t developed for modern security tools, may misbehave if they are scanned with a modern security tool, because they weren’t anticipating such communication. It’s another very common problem in hospital systems—you cannot use standard security tools to test the security of a medical device without risking an adverse behavior on the medical device. Hospitals are afraid to use “active” tools because they communicate with the medical device, and they risk altering its behavior. MedScan was specifically designed to be a passive tool, so it never reaches out and probes a medical device, so there’s never a risk of altering the medical device’s behavior.
MTI: What is the cost associated with MedScan?
Domas: It’s basically the cost of hardware and labor for us to put it up. Right now we’re in a proof-of-concept phase. We’re partnering with hospitals. For the March 5 release, we haven’t released the price. It will be essentially the cost of us installing it on the hardware, because we really want to get the early partnerships and early adoption.