“Unlike inconvenient security problems for your tablet or notebook computer, ‘Internet of Things’ insecurity puts human safety at risk,” said one security expert.
Thanks to the technological advances of recent decades, there are now literally billions of items on the market that are embedded with computer software and electronics: from your home thermostat, sound system, and smart phone to driverless cars, mass transit systems, and life-saving medical devices. Taken together, the myriad computerized products we now deal with—many of which are connected in cyberspace—are referred to as the “Internet of Things” (IoT).
The IoT reduces human effort, improves efficiency, and increases wealth, and it is expected to grow to 30 billion items by 2020. But virtually every step of human progress comes with unintended, even perverse, consequences. In the case of the IoT, these come in the form of concerns about cybersecurity. And aside from issues related to national security, these concerns are felt perhaps most acutely in healthcare, where breaches are not only disruptive, embarrassing, and expensive but can lead to serious medical complications for patients.
As one security expert put it in testimony before Congress in 2016, “Unlike inconvenient security problems for your tablet or notebook computer, IoT insecurity puts human safety at risk.” But, he added, “Security is a solution, not a problem.” (Prof. Kevin Fu, Nov. 16, 2016.)
Medical Device Risks
Worries about IoT security in healthcare were underscored recently when the National Institute of Standards and Technology (NIST) published a special report, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations. Although it focused only on infusion pumps, the report (one of a series of such reports) serves as a practical guide to help healthcare organizations reduce cybersecurity risk, improve patient safety, and prevent loss of patient information due to failure of or interference with a medical device.
The report was developed by the National Cybersecurity Center of Excellence (NCCoE), which is a part of NIST and a “collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity issues.”
NCCoE analyzed risk factors related to Internet-connected infusion pumps by using a questionnaire-based risk assessment. It then developed an example implementation that demonstrates how healthcare organizations can use standards-based, commercially available cybersecurity technologies to better protect an infusion pump “ecosystem,” including patient information and drug library dosing limits. The report is meant to help healthcare facilities “implement current cybersecurity standards and best practices to reduce their cybersecurity risk, while maintaining the performance and usability of wireless infusion pumps.”
Threats and Vulnerabilities
With infusion pumps as the example, the NIST/NCCoE report lists various known threats and vulnerabilities due to network-connected medical devices. Typical threats include such things as:
- Targeted attacks on specific devices meant to cause harm or disrupt operations
- Persistent attempts to place malicious software on the device or the larger hospital network
- Malware infection or disruption-of-service attacks intended to cause the unavailability of the device or system components, thus causing a disruption to patient care
- Theft or loss of physical assets leading to possible breach of patient information
- Misuse by staff leading to poor quality of care and possible damage to other devices or systems
Causes of medical device vulnerability include the following:
- Lack of a complete asset inventory
- Failure to update software patches and security controls
- Outdated operating systems
- Lack of encryption
- Unauthorized changes to device calibration or configuration
- Insufficient data backup
- Hard-coded or factory-default passcodes
- Lack of malware protections
- Use of infected removable devices such as USB drives
None of these threats and vulnerabilities will seem new to IT experts, as an online search readily demonstrates. For example, a year ago the Food and Drug Administration (FDA) recalled 465,000 Abbott Laboratories pacemakers because they required firmware updates to correct vulnerabilities that left the devices open to hackers.
In August of this year, HIPAA Journal reported that a remotely exploitable flaw had been detected in BD Alaris Plus medical syringe pumps sold in Europe. It also reported that a weakness had been discovered in Qualcomm Life’s Capsule Datacaptor Terminal Server (DTS), which is used by many U.S. hospitals to network their medical devices. The DTS problem could have allowed a hacker to obtain administrator-level privileges and execute code remotely.
And in its August 2018 Cyber Security Newsletter, the Department of Health and Human Services’ Office for Civil Rights reminded healthcare organizations of the importance of implementing physical, technical, and administrative safeguards to ensure the confidentiality, integrity, and availability of electronic media and devices. Implementing proper controls will help an organization comply with various provisions of HIPAA regulations.
Recommendations and Best Practices
Although cybersecurity is not a new topic, what is new is the scale and ease of attack today due to the number of networked devices in the IoT. The NIST/NCCoE report has numerous suggestions worthy of consideration. Some of the more salient recommendations include the following:
- Consider forming a medical device security committee consisting of staff members from biomedical services, information technology, and information security departments to manage the security of all networked devices; the committee should report to C-suite governance and the governing board.
- Evaluate the physical security of mobile devices, designate a secure and lockable space for storing these devices when they are not in use, and ensure that only personnel with a valid need have access.
- Create a comprehensive inventory of all medical devices and consider using radio-frequency identification (RFID) or real-time locating systems (RTLS) technologies to help locate devices that have been moved without documentation.
- Ensure that any cybersecurity incident response plan includes medical devices.
- Establish an information security department that is separate from the IT department to ensure that operational IT personnel are not responsible for security measures, which may otherwise lead to a “fox guarding the hen house” situation.
- Ensure that vendor management includes the evaluation of information security during the due diligence phase of the procurement process. Too often, the information security team is not brought in until after contracts have been signed.
- When purchasing medical devices, ensure that the devices incorporate the latest cybersecurity controls and capabilities, and understand roles and responsibilities related to upgrades, patching, password management, and remote access.
- Develop or update all policies and procedures regarding deployment, sanitization, and reuse of medical devices.
If applied, these recommendations should help reduce the risks posed by the IoT. But remember, there is no “fire and forget” for IoT security. As the NIST report states, “Threats and vulnerabilities constantly change. Software effectively ages because of shifting threats, and there will always be a need for vigilance, updates, and maintenance.”
J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA.