Ranica Arrowsmith, Associate Editor, 10.06.15
Let’s talk about medical device cybersecurity. Again.
Recently, at the Derbycon 5.0 “Unity” conference held Sept. 23-27, researchers Scott Erven and Mark Collao presented some troubling findings regarding medical device security. They are associate director and security consultant, respectively, for consulting firm Protiviti Inc. Like others before them, they set out to determine whether medical device hacking is a myth or unfounded fear, or a real threat. They set up “honeypots,” computers that mimicked medical systems to attract potential attackers. These honeypots reportedly attracted 55 successful logins, 24 exploits, and 299 malware attacks.
Erven and Collao’s project demonstrated something earlier work had not. Previously, non-malicious hackers and device companies themselves had hacked into devices and electronic medical systems to unveil vulnerabilities; this project showed genuinely malicious actors waiting on the sidelines, ready and willing to exploit those vulnerabilities.
During the AdvaMed 2015 panel on cybersecurity, enticingly titled “The Hidden Life of Medical Devices,” Scott Rea, vice president of government/education relations and senior PKI architect for DigiCert Inc., reminded attendees not to forget these threats.
“We shouldn’t lose sight of how the health industry has traditionally been slow on the best ways to serve patients because of perceptions of cybersecurity,” Rea, an expert in and an advocate for advancing healthcare IT security, said. “As healthcare begins to embrace these things, we mustn’t lose sight of the fact that there are malicious groups out there ready and waiting to take advantage.”
While it may be tempting to dismiss this opinion as fear-mongering (after all, how useful are health records to hackers, really?), studies such as Erven and Collao’s confirm that the medtech industry and the U.S. Food and Drug Administration are right to take cybersecurity concerns very seriously.
The reality, Rea told MPO, is that the lure for malicious entities is manifold. With health records, a malicious hacker has enough information to set up false financial accounts in an individual’s name. If a patient is a person of public interest, hackers could also hold records for ransom. Rea also noted that 76 percent of malicious hacks come from “people on the inside,” employees of a tech company, for instance. Attackers could, and do, identify people who have access to secure information and who may, for example, have financial difficulties and be vulnerable to a bribe. In addition, device technology vulnerabilities open medical device manufacturers up to a host of legal ramifications.
Debra Breummer, manager of clinical information security at Mayo Clinic, noted that while the Mayo staff are extremely proactive in working with medical device vendors on their expectations for device security, they have yet to see a device company be truly proactive on its end in this regard.
“We’re still waiting for the day when a medical device vendor calls us and admits, ‘we know this about our device, we want you to be aware, and this is what you can do to protect yourself,’” Breummer said. “There is just not that collaboration and sharing from vendors. I would encourage vendors to create effective channels to deal with vulnerabilities customers communicate to you.”
Breummer recalled an incident where she and her team compiled a comprehensive report on a device’s vulnerabilities and submitted it to the medical device company in question for review.
“We shared it with the vendor in what we thought were appropriate channels,” she said. “Months later, while waiting for a response, we met with the group in the company that deals with cybersecurity. We found that that group hadn’t even heard about the report we submitted. They had no good communication channels, which was quite embarrassing for them.”
“True collaboration is needed to really solve the cybersecurity issue,” panel moderator Melissa Masters of research and development firm Battelle said. “But every hospital, provider and entity is conducting its own testing and operating with its own rules.”
But the panelists agreed they don’t see standardization happening anytime soon. While the U.S. Food and Drug Administration (FDA) has released guidance documents on the issue, they have so far been siloed: mobile apps, software, data systems and so on each have their own guidance document and set of standards. Bakul Patel, associate director for digital health at the FDA, acknowledged this problem on the AdvaMed panel. The agency has recently merged its disparate pages on all digital health topics into one web page under “digital health,” making it easier for device companies to find and understand requirements and expectations regarding device security.
It's a start.