Managing Security of Networked Medical Devices: Ideas from Mayo Clinic
A private security firm called TrapX Labs recently set up a sting operation to gauge the impact of hackers on hospital security systems.
It documented how financially motivated computer hackers attacking a decoy hospital network can make changes in networked devices like CT scanners in ways that can compromise patient safety. The hospital network was fake, but attackers were real, TrapX said.
“They obviously understand that medical devices have less security. We saw them fairly immediately go after those medical devices,” TrapX marketing executive Ori Bach said.
While hospital security personnel are preoccupied with hackers breaking into patient medical records and disrupting systems, those attackers have increasingly focused on highly vulnerable medical devices, both new and existing.

Recently a group of 100 security officials from medical device companies, hospitals and security firms met at Medtronic’s Mounds View complex. Their aim: pool intelligence and discuss ways to manage the security of networked medical devices in hospitals, as part of the annual Cyber Security Summit series.
Much on the minds of attendees was the publication of the Food and Drug Administration’s medical device safety action plan. The report revealed that the agency is considering plans to require that vendors ensure that software in medical devices can be updated, and that they provide hospitals with a “software bill of materials” that discloses all of the native software contained in the device.
One example that highlighted what needs to be done came from cybersecurity experts at Minnesota’s Mayo Clinic, who described their device security strategy during presentations at the meeting. Before they buy a new medical device, they require vendors to fill out a detailed questionnaire. The purpose: make sure products meet minimum cybersecurity standards.
Mayo seeks to determine if the product conforms to industry best practices, for example, removing software development tools used during the device’s design process, since those tools can be helpful to attackers.
In some instances, a Mayo employee communicates directly with device makers to ensure they take basic security steps. This might include closing off access to unused ports in a device’s configuration file, like a keyboard port for a device that has no keyboard.
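The two checks just described (leftover development tooling in the shipped software, and enabled ports that have no hardware behind them) can be scripted against a vendor's software bill of materials and device configuration. The following is an added example, not Mayo's or any vendor's code; the SBOM, configuration, hardware inventory and dev-tool list are all constructed assumptions.

```python
import json

# Constructed CycloneDX-style SBOM for a hypothetical device image (not a real vendor's).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "busybox", "version": "1.30.1", "type": "application"},
        {"name": "gdb", "version": "8.2", "type": "application"},
        {"name": "gcc", "version": "7.3.0", "type": "application"},
        {"name": "openssl", "version": "1.1.1", "type": "library"},
    ],
})

# Assumed list of build/debug tooling that should not remain on a shipped device.
DEV_TOOLS = {"gcc", "g++", "make", "gdb", "strace", "ltrace", "valgrind"}

# Constructed device configuration: interface name -> "enabled"/"disabled",
# plus the set of interfaces that physically exist on this device.
SAMPLE_CONFIG = {
    "eth0": "enabled",
    "ps2_keyboard": "enabled",    # no keyboard is fitted on this device
    "usb_debug": "enabled",       # no debug header is fitted either
    "serial_console": "disabled",
}
SAMPLE_HARDWARE = {"eth0", "serial_console"}


def find_dev_tools(sbom_json: str) -> list:
    """Return SBOM component names that match the dev-tool list, sorted."""
    bom = json.loads(sbom_json)
    names = {c.get("name", "").lower() for c in bom.get("components", [])}
    return sorted(names & DEV_TOOLS)


def find_unused_enabled_ports(config: dict, hardware: set) -> list:
    """Return enabled interfaces that have no physical hardware behind them."""
    return sorted(name for name, state in config.items()
                  if state == "enabled" and name not in hardware)


def review_device(sbom_json: str, config: dict, hardware: set) -> dict:
    """Combine both checks into a summary for the pre-purchase review."""
    dev_tools = find_dev_tools(sbom_json)
    open_ports = find_unused_enabled_ports(config, hardware)
    return {
        "dev_tools_present": dev_tools,
        "unused_ports_enabled": open_ports,
        "passes": not (dev_tools or open_ports),
    }


if __name__ == "__main__":
    print(json.dumps(review_device(SAMPLE_SBOM, SAMPLE_CONFIG, SAMPLE_HARDWARE), indent=2))
```

On the constructed input the review fails, listing gcc and gdb as leftover tooling and the keyboard and debug ports as enabled without hardware; each finding is an item to raise with the vendor before purchase.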
“I’m going to be honest — we haven’t found one yet that doesn’t need any attention,” noted Debra Bruemmer, a senior manager in clinical information security at Mayo. This was reported by the Minneapolis Star Tribune.
The Mayo health system presents a tempting target for hackers. It has 32,000 network-connected devices from 321 different vendors at hospitals and clinics in five states. That diversity complicates the response to urgent concerns, as happened a year ago with the outbreak of the WannaCry ransomware worm.
“Organizational priorities differ. Mayo’s priority is to fix the issue right away. For the medical device manufacturer, maybe it’s at the top of the priority list, maybe it’s not,” said Keith Whitby, Mayo Healthcare technology management section head. “So, for instance, WannaCry — Mayo viewed that as an extremely high-priority issue. And I can tell you today that there are vendors we still haven’t heard from, in terms of remediation tactics for that particular event.”