At the 2011 Black Hat security conference, a diabetic man named Jerome Radcliffe showed how someone could hack into a wireless insulin pump.
Medical devices are just the latest in a growing list of Internet of Things that are at risk for potential hacks. On the surface, it may seem almost foolish to worry that some stranger will want to control a person’s insulin dosage or shut off a pacemaker or manipulate health data, but we also wondered why anyone would want to hack into cloud storage to steal compromising photos of actresses or someone would stage a major attack on an entertainment company in retaliation for a movie. If something can be hacked, it will be hacked. If for no other reason, this puts medical devices and the patients who rely on them at great risk.
Like virtually every device connected to a network, medical equipment was never designed with cybersecurity in mind. However, thanks to the Food and Drug Administration’s new guidelines, that will change. Manufacturers are now instructed to build cybersecurity functionality into new medical devices. How these cybersecurity functions will be addressed will depend on the device itself – its intended use, overall vulnerability concerns, and risks to the patient, for instance. The guidelines go on to list the types of cybersecurity functions that should be included, such as layered authentication levels and timed usage sessions that ensure the device isn’t connected to the network any longer than necessary.
The regulations are in response to the findings of researchers like Radcliffe who have shown just how easy it is for someone to take control of a wireless medical device. In addition, the Department of Homeland Security has been investigating reports of vulnerable medical equipment. “These security measures ensure that companies which are developing these products are adhering to a certain set of standards to keep users safe,” said Benjamin Caudill, Principal Consultant with Rhino Security Labs.
Of course, the standards won’t make the medical devices 100 percent secure from potential hackers. “There is no such thing as a threat-proof medical device,” Suzanne Schwartz, director of emergency preparedness at the FDA's Center for Devices and Radiological Health, was quoted by USA Today shortly after the guidelines were released.
The new cybersecurity standards also don’t address a serious security threat: older devices currently in use. The guidelines only cover the design of new devices. Also, the software used for many of these older devices isn’t designed for patches and fixes when vulnerabilities are found. Finally, many of the Internet-connected devices in use today were never properly tested for security flaws, Caudill pointed out. We really don’t have any idea just how insecure these devices may be, while at the same time, patients depend on them to stay healthy or alive.
Unfortunately, there is no easy security fix for the devices already in use. Older medical devices are a very tricky subject, explained Don Weber, Senior Security Analyst with InGuardians. “To clarify, there are two types of medical devices: those that are deployed on networks and those that are implanted in patients,” he stated. “Medical IT professionals need to treat older technologies like all other businesses. That is they need to understand there will be limited to no support or updates and plan the security of these devices and networks appropriately. This requires network segmentation and monitoring network activity to get a baseline of good activity and thus identify anomalous behavior.”
Considerations for medical devices are slightly different than other categories in the Internet of Things, Weber added. “Many of these medical devices are implanted in their owners. Sometimes it takes life threatening surgery to implant and replace them. Thus, replacing older devices (whether secure or not) is a choice that will be made by the person and their physician. Are insecure devices a concern? Yes. However, if security vulnerabilities of a device or solution have been identified and disclosed, the owner and their physician can make educated decisions about these risks and determine how best to move forward with future care.”
However, Caudill thinks that eventually those choices will be dictated by recalls on medical devices that pose a security threat. “While many everyday products – from toys to automobiles – are recalled for safety hazards, recalls for cybersecurity vulnerabilities have not yet been seen,” he said. “I suspect as the issues become more well-known (and even cause physical harm to victims), this trend will change, with both manufacturers and government officials seeing cybersecurity as another category of safety to consider in internet-connected products.”
Building in security at the design stage is still a relatively new concept, so no one is quite sure how it will work within the medical manufacturing community. However, it is an important step in ensuring security and allowing patients to focus on getting well.