Despite years of evidence from researchers that some medical devices in homes and in healthcare facilities may contain serious vulnerabilities, such as the ability to manipulate insulin pumps and pacemakers wirelessly, there has been little acknowledgement from the industry. Unlike the automotive industry, which addressed a wide variety of cybersecurity issues soon after the infamous Jeep Cherokee hack in the summer of 2015, medical devices have remained rife with potentially life-threatening vulnerabilities. That is about to change.
There are proposals in the U.S. Congress and the European Union that would begin to catalog and characterize both devices and common flaws. With this would come best practices and standards, which are already more established in automotive. Key differences between the two industries shed light on why vulnerabilities are more difficult to define in medical devices.
First, the automotive industry is hierarchical. There are a limited number of original equipment manufacturers (OEMs) that are dependent upon Tier 1 and Tier 2 suppliers to produce the individual components of the vehicle. These relatively few OEMs can dictate from on high an increasing expectation of security and quality testing across the supply chain. This structure has also allowed the industry in the past to identify and fix specific faults since each part is traceable to its source.
That is not the case with medical devices. The medical device world is not hierarchical; it is much more of a free-for-all, largely comprising startups with an average of 40 employees each, few of whom are versed in cybersecurity. True, there are already regulatory bodies in the United States and in Europe governing medical device standards, although these have at times proven to be bottlenecks rather than enablers of change.
For example, there remains within the healthcare industry general confusion around the use of software patches and updates. A recent and very serious example is the WannaCry ransomware attack last May, which affected the National Health Service (NHS) in the United Kingdom. The crisis could have been mitigated with the timely application of a Microsoft Windows update issued the month before. Many of the infected computers at the NHS were also running outdated operating systems such as Windows XP.
“WannaCry affects more than just Windows XP,” said Kevin Fu, associate professor of electrical engineering and computer science at the University of Michigan’s Archimedes Research Center for Medical Device Security and founder of cybersecurity vendor Virta Laboratories. He told BankInfoSecurity in June that “The root cause [for medical devices being vulnerable to cyberattack] is that too many medical devices depend on unmaintainable or unpatched operating systems. Medical device software ages more like milk than like wine, and it’s getting older and chunkier every day.”
“These are the unintended consequences of emerging technology,” Dale Nordenberg, executive director of the Medical Device Innovation, Safety, and Security Consortium (MDISS), told SecurityLedger also in June. “We didn’t anticipate the interface between cyber and human risk…or at least not with significant cognition to take action…. We’re starting from the point where we already have a lot of work to do,” he said.
These quotes coincided with the final report of the Health Care Industry Cybersecurity Task Force, which found cybersecurity in healthcare to be lacking. Specifically, it identified a lack of security-trained talent, legacy equipment, and over-connectivity. Among its recommendations was the creation of a cybersecurity leader position within the Department of Health and Human Services (HHS). Six months later, that position still has not been created.
A second important difference between the automotive and healthcare industries is that automotive is only now adding digital technology to a largely mechanical process, whereas healthcare has had digital devices in place for several decades. This is the legacy equipment cited above. Medical devices were often originally designed to work in closed network environments, say a hospital. Increasingly these devices are being connected to the internet, and therefore to the world, hence the over-connectivity. While there will be advantages to having everything online one day, the transition process is fraught with missteps.
Regulations in healthcare today sometimes provide an excuse for keeping systems static (e.g. continuing to use older or unsupported OSs) in a dynamic if not chaotic internet-connected world. Getting a device classified by the U.S. FDA, for example, is a months-long process. Updating the software can sometimes require the vendor to go through the classification process again. Other times, not. The ambiguity is the problem.
Josh Corman, director of the Cyber Statecraft Initiative at The Atlantic Council and a founder of the group I Am The Cavalry, agreed. “Healthcare is target rich and resource poor,” he also told SecurityLedger. Corman added that internet-connected healthcare equipment can’t be used irrespective of security and privacy concerns. “If you can’t afford to protect it, you can’t afford to connect it,” he said.
This isn’t to say nothing is being done. This past May, Europe consolidated two existing legal provisions and replaced both the current Medical Device Directive (93/42/EEC) and the Active Implantable Medical Device Directive (90/385/EEC) with Regulation (EU) 2017/745 of the European Parliament and the Council.
And in Washington D.C., Representatives Dave Trott, D-Michigan, and Susan Brooks, R-Indiana, have introduced a House bill, the Medical Things Resilience Partnership Act, that would require the FDA to establish a working group of cybersecurity experts. These experts would recommend voluntary frameworks and guidelines for medical device security. If passed, the legislation would allow a transition period of three years for the frameworks, such as better traceability of devices through the supply chain, to be implemented.