Security Breaches Tied to Medical Device Manufacturers
According to the FDA, when medical device vulnerabilities are not addressed and remediated, they can serve as entry points into hospital and healthcare facility networks and may lead to the compromise of data confidentiality, integrity, and availability. Why does this matter to security directors? The FDA's position is that medical device security is a shared responsibility among stakeholders, including healthcare facilities, patients, providers, and manufacturers of medical devices.
There has been a 400 percent increase in the number of medical device manufacturer “vulnerabilities” disclosed per quarter. The data covers the period since the FDA issued its Cybersecurity Guidance in 2016.
There were just 12 advisories released between 2013 and Dec. 2016 from six manufacturers, or an average of just under one per month. Between Dec. 29, 2016 and Aug. 1, 2018, there were 35 alerts from 18 vendors or about 4.5 per month.
Mike Kijewski, CEO of MedCrypt, comments that the increase in ICS-CERT disclosures is potentially a sign of growing compliance and may also reflect maturing security risk assessments. MedCrypt has been keeping statistics on the security posture of medical device companies.
“This may actually be a good thing, showing that medical device vendors are starting to take cybersecurity seriously,” Kijewski said.
The data also showed a decrease in Common Vulnerability Scoring System (CVSS) scores, which “may be the beginning of a trend in increased willingness to disclose non-critical vulnerabilities.”
(More information is available in the report “Using CVSS in Medical Device Security Risk Assessment,” May 2017.)
The problem is that many medical device firms have not, until now, engaged with the security issue. Also notable in the data is that only seven of the top 36 medical device vendors have ever issued an ICS-CERT vulnerability alert, which leaves 22 top vendors with products that use a computer or connect to a health system and have never had a disclosure.
“We expect the rate of disclosure to increase by at least another 400 percent, as these other medical device companies begin participating in cybersecurity vulnerability disclosures,” he said.
According to the report, there are three valid reasons these manufacturers have not made a disclosure: the device is not computerized or network-enabled, there are no vulnerabilities or the vendor is unaware of or has not yet discovered a flaw.
“[Vendors] should continue to ensure their product development protocols include proper pre- and post-market cybersecurity testing,” the report authors wrote. “We also ask vendors in this situation to consider collaborating with a cybersecurity company, perhaps through a formal bug bounty program.”
The probability is that these device vendors that have never put out an advisory or have devices that are totally free from cybersecurity vulnerabilities, according to Kijewski.
He believes that much progress has been made in the last two to four years, and that trend is toward more secure devices in the future.
A team of McAfee researchers showed how easy it is to hack into medical devices. At DEF CON in Las Vegas, the researchers were able to modify patient vitals in real-time by mimicking data sent from medical equipment clients to central monitoring systems, noted a report in Healthcare IT News.
While the researchers did not breach the monitor itself, they altered the data in transit on the link that connects patient monitors to the central hub. This would let an attacker change displayed doses and alter data on patient heart rates, blood pressure, and oxygen levels.
The modified data would be undetectable to the user, meaning a provider could mistakenly administer the wrong medication, order the wrong test, or make other medical decisions based on the false data.
Observers think the industry is moving in the right direction, perhaps motivated by FDA guidance on disclosures.
Kijewski suggested the FDA’s guidance could be more detailed to help direct “vendors toward security features that would mitigate more complicated vulnerabilities.”
As vendors continue improving disclosure policies, it’s important for the industry to not shame those manufacturers as having bad security, explained Kijewski. “This is not helpful, as it dissuades other device vendors from disclosing vulnerabilities voluntarily.”
What’s needed is open dialogue and supporting those vendors for taking a proactive approach to the security of their products, he said.