Cyber Expert Shares Wisdom on Medical Devices

Feb. 20, 2024
Richard Staynings of Cylera and the University of Denver says medical devices were not designed with security in mind

Healthcare is a frequently targeted field for nation-state hackers across the world. The profusion of protected information that healthcare entities hold makes it a hot target for hackers who want to disrupt societies at large and specific individuals within them, or even just to bilk money out of hospitals or patients by holding their information ransom.

Hospital staff are often unaware of just how many vendors’ services they are employing in the day-to-day running of their organizations. Cybersecurity expert Richard Staynings recalls a situation where, when assessing a large hospital, he found an enormous discrepancy between the number of vendors a hospital thought they were working with and how many they were actually working with. The procurement department believed they had sought the services of about 500 vendors, but in reality, they had contracts with over 10,000 different vendors, thanks to purchase authority being delegated many years prior to each professor and head of department. Today, however, this introduces an enormous security risk to a hospital if the security team is not aware of connected devices and contracts with third parties. When procurement and contracts departments don’t have any record of who they are working with, this can lead to the possibility that vendors and devices will not be monitored or managed -- much less patched -- to fit the ever-changing needs in the space. Healthcare Purchasing News had the pleasure of speaking with Staynings, a healthcare technology and cybersecurity strategist, affiliated with both cybersecurity firm Cylera and with the University of Denver, about cybersecurity, specifically as it pertains to medical and surgical devices. 

What constitutes a medical device?

A simple medical device is any device that aids in the treatment of a patient, like a tongue depressor. However, from a cybersecurity perspective, ‘connected medical devices’ are usually what we’re most concerned about – O2 saturation / blood oxygenation systems, patient telemetry systems, blood pressure cuffs and nurse call systems. The large room-sized diagnostic systems of X-Ray, CT, PET and ultrasound. A growing number of pharmacy and surgical robotic systems, all the way to Pyxis cabinets all of which are connected to the medical network. This list also includes a growing number of other systems such as patient wearables. This is all generally referred to as the “internet of medical things” or IoMT for short. It’s the direct medial IoT of a healthcare provider. We use the term ‘HIoT’ or ‘Healthcare Internet of Things’ to refer to the complete number of connected IoT devices and systems found in a typical hospital, many of which like HVAC and elevators are critical to hospital workflow and all of which are now most likely ‘connected’.

How do these ecosystems need to be refined to fit cybersecurity standards?

A lot of HIoT building management systems, such as elevators, HVAC, CCTV, cameras, proximity door locks to keep patients out of the OR, are all owned by different groups within a typical hospital. They’re run by facilities, physical security guards, and building management companies. Sometimes, they may be managed by a third party from hundreds of miles away because it’s cheaper to have your elevators managed 24 by 7 by someone off-site than on-site. All these different systems need to communicate, which is really where the risks lie since they are all now ‘connected’ – connected to the medical network and connected to, or across, the Internet. 

Most medical devices were not designed with security in mind, but rather for clinical functionality. They were tested by FDA for clinical safety and functionality, and if they passed that test, they were approved for use. Voluntary pre-market and post-market guidance about cybersecurity, updates, and patching began some years ago under the auspices of patient safety as increasing cyberattacks led to concerns about patient safety risk. A cyberattack that causes, say, an infusion pump to be hacked and rendered inoperable could be devastating to a patient, causing the drug flow to be interrupted or accelerated in a way that could become life-threatening. Even software failures can cause these devices to stop working. More than that, a lot of these devices run Windows Embedded, which is a shrunk down version of Windows, which is not very reliable even in its modern flavors given the constant need to patch. However, some of these devices are still running Windows 95, which is considered highly insecure today. 

Hackers can get into these devices to hold a patient’s life to ransom, or, alternatively, use that medical device as an ingress point, as a ‘foothold’ on the medical network to go after the EMR (electronic medical records) in order to encrypt vital data for ransomware or to exfiltrate higher value information for sale on the dark web. 

What federal regulations have been put in place to secure these devices?

The Patch Act was passed in 2022, which legislates much of the optional guidance that FDA was pushing before, plus additional recommendations from the healthcare cybersecurity community. The act largely switched the onus for cybersecurity from providers who know little about the inner working of the devices they use, to medical device manufacturers to securely design devices they manufacture, to test and disclose security vulnerabilities in their systems, and to make patches available in a timely manner to providers and third-party management companies responsible for operating them. Then, at the end of December 2022, the Appropriations Act allocated money to FDA and gave them the go ahead to write new rules. These new rules went into effect midway through 2023 and culminated in the ‘refusal to accept rule’ which went into effect as of October 1, 2023. That means FDA is now able to refuse to accept a medical device for approval for use in the United States. It’s probably 10 years later than it should have happened, but it’s a great step in the right direction. Since FDA rules and guidance is generally mirrored in other countries, these new rules will likley become more or less global this year.

The biggest concern with it, however, is that it isn’t retroactive, so it doesn’t impact the devices that anyone bought before October 1, 2023. So you have a whole load, perhaps millions of medical devices out there, which are now considered ‘legacy devices’, which are unsecure, often unpatchable, and highly vulnerable. That makes them easily compromised by cyber attackers as are the networks they are connected to. We need to adopt a different security approach to these devices, which cannot be risk remediated and cannot easily be scrapped and replaced. This includes using compensating security controls like network micro-segmentation and better zoning of systems. Hospitals already own the identity services tools to micro-segment their networks but lack of automation till now has made this task difficult until recently.

What issues do hospitals face in securing their medical devices?

The biggest issue in healthcare is that hospitals don’t know what connects to their networks – there are often millions of connected endpoints across a health system network. Alarmingly, only 25% of these endpoints are managed and patched by IT – the servers, and workstations, leaving 75% of endpoints connected but largely unmanaged and unpatched, often against known security vulnerabilities. Most of these endpoints are considered HIoT / IoMT.

Medical devices have a half-life similar to plutonium: they don’t go away. Your average medical device probably has a usable lifespan of eight plus years, and bigger equipment like x-ray machines will be in use for 20 years or so. It’s almost impossible to tell the CFO of a hospital that an x-ray machine they have can no longer be patched and they need to buy a new one. Say it costs $35 million for a new x-ray machine and the existing, unsupported x-ray machine has seven years left on its amortization schedule and cost $25 million in the first place. Hospitals simply don’t have the money or the will to scrap perfectly working medical equipment that has not been fully depreciated simply because it poses a cybersecurity risk. This is where micro-segmentation comes into play to minimize risks so that devices can continue to be used safely but allowed only to communicate in a zero-trust framework. This locks a device down to only communicate using authorized ports, protocols and to specified destination IP addresses, rather than to the whole internet as may have been the case before.

Another big concern is that we don’t train doctors to look for indicators of compromise of systems. We don’t train nurses either, so both groups are operating blind. We need to have better ongoing cybersecurity training, not computer-based training programs that everyone sleeps through, but a multifaceted, multimodal, educational awareness program that talks about specific threat vectors and gives specific examples of what happens when medical devices fail. For example, at one large healthcare system, they have an awareness system where they use different prompts, in this case colored dinosaur stickers in public places to remind the staff of different risks. A green dinosaur inside of an elevator indicates to staff to not talk about patients in public; meanwhile, patients just see a green dinosaur and say, “Oh, that’s cute, must be for the kids.” It serves to both make the hospital less scary to kids and sends a subliminal message to doctors and nurses to not have a conversation about a patient while you’re in the elevator. Similar prompts and reminders are found right across their hospitals to remind staff to beware of tailgaters at doors to secure areas, of reminding staff to turn over papers that could be read by patients coming up to a window, etc. These are all HIPAA concerns and all help to improve security and privacy while driving regulatory compliance.

How can we ensure medical device manufacturers are taking proper cybersecurity measures?

What we need to do with medical device manufacturers is hold them accountable. We need to do this via purchasing contracts, and we need to ensure that medical device manufacturers patch systems speedily and disclose security vulnerabilities on a regular basis per the new FDA rules. Certain manufacturers will say “unfortunately we don’t have a patch for that system” when hospitals or the security community identify vulnerabilities, and that response needs to be logged and recorded by procurement. This is so healthcare providers know which medical devices and which manufactures are the most compliant and pose the least risk to hospital security. This list can then form the basis of preferred vendor list for future procurement. It can also form the baiss of a vendor exclusion list for those who have the worst security and who repeatedly violate health system security policies.

Ongoing audits for medical device vendors and better management of third-party vendors that manage medical devices for hospitals are other important steps. We need tools that monitor our risk profile in order to tell us what assets are connected to the hospitals’ networks, and to analyze their risks to tell us where they lie so that hospitals can hold to account third party vendors responsible for managing and patching systems.

How do artificial intelligence (AI) and machine learning (ML) increase risk factors in medical devices rather than stabilize them?

AI models can be poisoned or corrupted, datasets can be mislabeled or corrupted, and AI can either be purposely manipulated into making mistakes or it can inadvertently make mistakes on its own. At this stage, it’s important that humans remain the final decision maker when it comes to AI’s recommendations. For instance, in medical radiological imaging, AI will analyze an image and it will make recommendations, but a professional radiologist should then validate or refute that diagnosis. AI can be a useful productivity tool, but just like humans its prone to mistakes.

Where it may not need to be a partnership is in fields like defensive AI for security. We need to invest in defensive AI tools in order to recognize an AI-tipped attack. Tools that can respond in a nanosecond without human intervention in order to block that attack. It needs to identify when things are behaving anomalously and kick those things off the network so that a technician can then come and validate that the AI is correct. All this of course needs to be based on agreed upon Security Run Books.

As far as fears of Skynet and Terminator-type self-awareness, that’s generations away, more than likely. We’re going to see continued evolution of various forms of AI, particularly in the healthcare space, because we drastically need to improve automation and efficiency here. Healthcare globally faces an existential crisis as demand far outpaces supply or our ability to pay for medical services. There’s a lot of things that we can do on the medical side that AI can assist with. In medical imaging for example, if we can recognize the onset of cellular mass changes that are indicative of a tumor growth months or years before a tumor starts to develop, we can treat that cellular mass change before cancer erupts in the body and spreads to lymph nodes or becomes malignant. That alone could save billions of healthcare dollars annually. That also goes for the treatment of other chronic diseases where most of our aggregate healthcare budget is spent.

The same is true with Precision Medicine which relies heavily upon AI and will be the future of healthcare in the not-too-distant future.