From patching to the patient safety risk, CynergisTek’s David Finn debunks some of the most common medical device myths and provides insight into how to shore up device vulnerabilities.
Medical devices pose a unique risk to the healthcare sector, from legacy systems to organizations failing to understand the number of connected devices on the network. As a result, many healthcare providers and healthcare systems struggle with determining the best way to fix these vulnerabilities.
For one, the majority of medical devices operate on legacy systems. By 2020, 70 percent of medical devices will be operating on legacy Windows platforms that will no longer be supported by Microsoft, according to Forescout.
However, organizations continue to deploy these devices and IoT at a rapid pace. Thirty percent of device deployments use more than 100 vendors on the network, and 40 percent use more than 20 different operating systems.
As these deployments continue to expand the threat landscape in the healthcare sector, stakeholders have sought to shed light on some of the most common vulnerabilities and ways to shore up these gaps. In the process, common themes have come to light that reveal some recurrent misconceptions around medical devices and the potential (and very real) threat medical devices pose to patients.
HealthItSecurity.com spoke with David Finn, CynergisTek executive vice president of strategic innovation, to debunk the five biggest medical device myths and help providers begin to address the incredibly serious risks posed by the vulnerable technology.
MYTH #1: PATCHING CAN RUIN THE DEVICE FUNCTION
One of the most common myths repeated throughout the industry centers around patching and the concern that a device will cease to function properly after a patch is applied. As a result, many healthcare providers fail to patch even when a manufacturer provides a fix for a known vulnerability that would close a security gap.
However, Finn noted that this common viewpoint is false, explaining that device manufacturers perpetuated the myth for many years as a way to avoid costly fixes to deal with the vulnerable technology, given the belief that the Food and Drug Administration requires manufacturers to recertify the device when a vulnerability is found.
But the myth is neither tested nor true, Finn explained. The FDA does not require the manufacturer to obtain recertification or approval to apply a patch for a one-time security flaw.
“Just like patches don’t change the function of a PC or computer, a medical device patch should not change the function of the device,” Finn said.
MYTH #2: MEDICAL DEVICE SECURITY CAN BE HANDLED LIKE EVERYDAY SECURITY
While awareness around the need for medical device security has grown exponentially in recent years, there’s still the common misconception that tackling device vulnerabilities can be handled in the same manner as overall enterprise security.
To Finn, this viewpoint is a slippery slope given that medical devices are very different from traditional endpoints. Several years ago, a woman was giving birth, and a push notification for a Windows update appeared on the fetal monitor with an “accept or delay the update” message on the screen.
The problem is that many medical devices lack a keyboard or mouse, which Finn explained means there’s no way to input an instruction into the window. As a result, the update window remained on the fetal monitor during the entire procedure, and the doctor couldn’t see what was happening during the delivery.
“How do you tell a device what to do?” Finn said. “Even then, the risks are much greater with a device. If someone’s machine doesn’t update properly or shut down, the issue could proliferate to another machine.
“If the issue has shut down an anesthesia machine, you don’t want to do pushes or update, or you could end up getting an old virus,” Finn continued. “You can deal with them as you would security on a desktop, but it’s naïve, at best: foolish, or dangerous.”
MYTH #3: MEDICAL DEVICE SECURITY DOESN’T NEED TO BE PRIORITIZED: IT’S A MINIMAL THREAT
“The first one has gotten us into the mess, while the other one is keeping us in the mess,” Finn said. “I hear it from IT and hospitals, and clinical engineering people: Medical devices don’t really present much risk, as many don’t have many security capabilities, or they’re not like a computer, or they don’t store ePHI.”
“All of those are pretty much untrue,” Finn said. “We don’t frequently know how a device is going to react when we get a virus or ransomware…. This is the issue keeping us stuck.”
To Finn, the problem is that many of these devices are connected to the internet, and the devices themselves do store and retain patient information. This means PHI is at a higher risk.
Medical devices are poised to become the next big threat vector in hospitals because some of the cyberattack approaches and strategies in the current landscape make it easy for hackers to get onto devices and propagate across the network. For example, Finn explained how one virus can morph and spread across the network by entering through the remote desktop protocol.
“Why even put RDP on a device? Some medical devices may have it,” Finn said. “It’s a huge mistake keeping IT security and engineers from doing what they need to do.”
MYTH #4: STATIONARY IMAGING MACHINES DON’T PRESENT MUCH RISK
Finn explained he’s heard many in the industry express that imaging machines like MRI and CT scanners don’t truly pose a great deal of risk because they are stationary within a network. These devices are typically tucked away in private areas, which reduces the amount of access.
As a result, many healthcare providers feel they don’t need to worry about these devices as much. But that’s a massive myth.
Speaking on his experience as a CIO, Finn explained that many of these devices are connected to the internet for valid reasons, such as manufacturers’ updates or to provide information on active status.
“When walking around with the clinical engineer underneath me, we walked into an unused MRI room,” Finn said. “We walked in and there was a RAD tech on the MRI machine, using the MRI to access his personal email.”
“It was a learning opportunity. And that’s when I started thinking about it differently,” he added. “But organizations need to make sure the device is only talking to what it’s supposed to.”
In his current work, Finn said that through security scans and surveys of clients, medical devices show up as a high vulnerability: not just the device itself, but also the browser on it that has not been updated.
“The risk is not just what you’re getting from the manufacturer, it’s what’s put onto the device and what no one thinks about updating,” Finn explained. “Just because it’s locked behind a wall doesn’t make it safe. What makes it unsafe is the connection to the internet.”
MYTH #5: DEFAULT PASSWORDS, SAFETY RAILS ARE ADEQUATE
One myth Finn has heard more and more is that guardrails, passwords, and safety rails are enough to protect medical devices.
A syringe pump has guardrails installed to ensure certain specifications are never changed, and those guardrails are typically hardcoded with a username and password, Finn explained. But for multi-facility organizations that serve adults and children, those guardrails can change depending on where the device is located within the enterprise.
The mobility of the device poses yet another risk: the device has now moved from the adult ward to the children’s ward, which can pose a whole new set of issues, Finn stressed.
Several years ago, Finn said, there were two patients recovering from a car accident who used the Shodan search engine (which finds internet-connected devices) to hack into their IV drip and increase the dosage of their morphine. The patients needed to be weaned off the morphine before they could be discharged.
“We think those passwords will just be used by clinicians, nurses, and doctors, but we still have to treat them as devices that people can get into,” Finn said. “We need to do password changes and maintain unique accounts, or we need to manage or control them, at least. Certainly, we need to change the password from its manufacturer’s default.”
“It absolutely is a patient safety risk,” Finn continued. “I won’t say [a hack] hasn’t happened. I just think it hasn’t been proven.”
In one instance, a telemetry server was taken down and critical patients lost their telemetry monitoring during the process, Finn explained. The case was resolved between the patient and organization, with the records sealed. But there was a death during that outage.
Another example comes from a hospital in Russia, where every device in the organization was shut down. A doctor performing brain surgery had to operate without being able to see the respiration and heart rate of the patient.
MOVING BEYOND MISPERCEPTIONS
Medical device vulnerabilities need to be remediated, which starts with an inventory of those systems to understand what software is on them, how they connect, and which devices they talk to on the network. Finn explained that in his current work, when his team goes in to perform an inventory, it’s shocking to see how many organizations don’t know how many devices are on the network.
“We always ask how many devices are attached to the network, but that number is typically 20 to 50 percent off of what we actually find,” Finn said. “No one knows what’s actually on the network.”
“One organization said 6,000 devices. When we were done with the proof of concept assessment, we found 16,000 networked devices, 10,000 more than they initially thought,” he added. “A lot of mitigation can happen by controlling and managing the network. But if you don’t know what’s out there and how it’s being used, you can’t even do that.”
After the inventory, organizations can move on to vulnerability and risk assessments of every device connected to the internet.
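As an added illustration (not from the article, CynergisTek or Finn), the inventory-then-assess step above can be expressed as a small reconciliation: compare the device list an organization believes it has against what network discovery actually found, then flag the indicators this interview calls out, namely unsupported Windows versions and RDP reachable on a device. The host names, vendors, operating systems and ports below are constructed sample data.

```python
import re

# Constructed sample data (not from the article): the devices the organization
# declared, and what a discovery scan of the network actually returned.
DECLARED = {"infusion-01", "mri-01", "ct-01", "tele-srv-01"}
DISCOVERED = [
    {"host": "infusion-01", "vendor": "PumpCo", "os": "Windows 7", "open_ports": [80]},
    {"host": "infusion-02", "vendor": "PumpCo", "os": "Windows 7", "open_ports": [80, 3389]},
    {"host": "mri-01", "vendor": "ImagingInc", "os": "Windows XP", "open_ports": [445, 3389]},
    {"host": "ct-01", "vendor": "ImagingInc", "os": "Windows 10", "open_ports": [443]},
    {"host": "tele-srv-01", "vendor": "TeleMed", "os": "Linux", "open_ports": [22]},
    {"host": "fetal-mon-03", "vendor": "MonitorCo", "os": "Windows Embedded 7", "open_ports": [80]},
]

# Windows releases that are out of Microsoft support by the article's 2020 horizon.
LEGACY_OS = re.compile(r"Windows (XP|7|Embedded 7|Server 2008)", re.I)
RDP_PORT = 3389  # remote desktop protocol, which the interview says should not be on a device


def inventory_gap(declared, discovered):
    """Return (unknown_hosts, percent_off): hosts seen on the wire but absent from
    the declared list, and how far the declared count is from the discovered
    count, as a percentage of what was actually found."""
    found = {d["host"] for d in discovered}
    unknown = sorted(found - declared)
    percent_off = round(100 * (len(found) - len(declared)) / len(found), 1)
    return unknown, percent_off


def triage(discovered):
    """Map each host to the risk flags it triggers; hosts with no flags are omitted."""
    findings = {}
    for d in discovered:
        flags = []
        if LEGACY_OS.search(d["os"]):
            flags.append("legacy-os")
        if RDP_PORT in d["open_ports"]:
            flags.append("rdp-exposed")
        if flags:
            findings[d["host"]] = flags
    return findings


def diversity(discovered):
    """Count distinct vendors and operating systems, the two figures the
    Forescout deployment statistics describe."""
    return len({d["vendor"] for d in discovered}), len({d["os"] for d in discovered})
```

Run against a real discovery export, the same three functions give a defender the inventory discrepancy, a first-pass list of devices to isolate or patch, and the vendor and OS sprawl that drives the size of the assessment.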
As CHIME recently told Congress, “If health systems are forced to trust a conglomeration of open commercial networks to manage their endpoints, we will continue to have an issue securing our medical devices and other critical systems. Unless we have a separate secure system, where trusted parties are vetted securely, as is done with military or other government networks, our medical devices and other end points will still be at risk.”
Date: September 04, 2019
Source: HealthITSecurity