Cybersecurity Challenges Leave Medical Device Makers Insecure

Never once did Janet Martin’s doctors concede her cancer treatment to the global pandemic.

Martin, 62, underwent her first chemotherapy session last spring (April 30, specifically) as COVID-19 cases climbed mercilessly in her rural Canadian town. Over the next few months, Martin regularly ingested a special pharmaceutical cocktail she hoped would eventually destroy the malignant breast cells that were threatening her very existence.

Martin’s treatment regime progressed like a “well-oiled machine” last summer and fall, advancing uninterrupted through chemotherapy, surgery, and preventive treatment. But that machine suddenly conked out near Halloween after a ransomware attack struck the Newfoundland-Labrador healthcare system.

The attack disrupted patient care, delaying or cancelling necessary treatment for Martin and scores of other cancer victims in Canada’s easternmost province. In the first week after the hack, Martin missed half a dozen follow-up appointments with her surgeon to resolve post-procedure complications.

“In order for me to move forward with my radiation, those complications need to be settled. So I’ve been seeing my surgeon every week,” the powerlifting competitor told CBC/Radio Canada in early November. “This week I didn’t see him. I was supposed to have a scan of my heart as well; that didn’t go ahead. That’s just me, so how many other people have missed at least that many appointments and delays with treatments and whatnot? There are people who are still getting their full chemo treatments, and need them on a regular basis to save their lives basically. That’s going to take a while for the health care to catch up.”

Indeed, the Newfoundland-Labrador healthcare system played catch-up for a while following the attack, though a precise recovery timetable remained a mystery. Local government officials revealed little about the breach, including its nature and remedy. “Our advice from world-class experts is to say nothing,” Newfoundland Health Minister John Haggied told the press.

The New York Times, however, deemed the cyberattack to be the largest disruption to any healthcare system in Canada, and confirmed the country’s cryptologic agency was providing Newfoundland authorities with general guidance, data recovery, and digital forensic services.

The Canadian Broadcasting Corporation—without revealing its source—identified the Newfoundland-Labrador healthcare breach as ransomware, a type of malware (malicious software) attack that encrypts computer files. The digital delinquents behind these attacks usually demand a “ransom” payment for the decryption key, though not all offenders play by the rules (some are now exfiltrating data before issuing a ransom note).

Ransomware attacks are increasingly targeting the healthcare sector as cybercriminals become wiser to its various vulnerabilities—namely, its data accessibility, big payouts, antiquated device connectivity, and (overall) lax security. Medical applications and patient data have become invaluable bargaining chips, wielded by hackers to extort millions of dollars from anxious healthcare organizations (the average ransom demand was $6.1 million last year, a 36 percent spike from 2020, according to CrowdStrike statistics).

“Back in the day, five or 10 years ago when we started seeing attacks on healthcare systems—WannaCry, for example—they were statistical attacks. They were exposing the vulnerability of Windows and other operating systems. Healthcare was hit harder than other industries because healthcare information is more exposed, but the incidents, for the most part, were still statistical attacks,” said Jonathan Langer, COO of Claroty and co-founder of Medigate, a medical device security and asset management platform developer that was acquired by Claroty earlier this year. “But then attackers began to realize they could sell patient information on the dark net and they started to understand that not only is it easy to attack healthcare systems, but the prize at the end—personal health information on medical devices and things of that nature—is a high-value target. So they started targeting healthcare systems more than they did in the past and we’ve been seeing a lot of that over the last two to three years. There’s definitely been an uptick.”

Quite a significant uptick, at that: More than 500 healthcare breaches were reported last year, with ransomware attacks on hospitals, specifically, skyrocketing 123 percent, U.S. government and health IT statistics indicate. The FBI fielded 148 complaints about healthcare ransomware attacks in 2021, many of which disrupted hospital services and/or compromised confidential patient data.

Among the attackers’ targets was San Diego-based Scripps Health, which sacrificed sensitive patient data like Social Security and drivers license numbers during a four-week computer network blackout; University Medical Center of Southern Nevada, which ceded data for 1.3 million patients; and Memorial Health System, which lost basic services at three Marietta-Parkersburg area hospitals (Ohio and West Virginia) from an IT systems breach.

“Ransomware attacks are increasing rather than going away,” noted Benjamin Stock, director of healthcare and product development for Ordr, a Santa Clara, Calif.-based IoT security and risk management software provider. “So many ransomware attacks begin from an intruder who has been in the network for a very long time. Attackers typically wait until operations slow down—say a Friday evening—before beginning an attack. Additionally, because the attacker has spent so much time in the system, they usually encrypt the backups as well, slowing down the recovery time.”

Such was the case at Savannah, Ga.-headquartered St. Joseph’s/Candler Health System Inc., where an IT network meltdown compromised 1.4 million patient records. The breach gave hackers access to sensitive information like names, addresses, dates of birth, Social Security and driver license numbers, patient and billing account codes, health insurance plan member IDs, medical record numbers, and treatment data.

The attack disabled the organization’s computer systems for two weeks, forcing staff to manually record patient data. St. Joseph’s/Candler first detected the ransomware on June 17, 2021, but a subsequent investigation determined the saboteurs had been accessing the network for six months, having initially gained entry on Dec. 18, 2020 (a Friday).

The organization faces two class action lawsuits over the ransomware attack. One charges St. Joseph’s/Candler with violating its own privacy policy by failing to secure patient information and enact safeguards to prevent the breach.

The other accuses the hospital system of jeopardizing patient safety with its improvised attack response. “All of St. Joseph’s/Candler usual patient encounter protocols were immediately rendered ineffective. The hospital system was, in essence, flying blind,” the (second) suit states. “For the system’s 4,200 employees, 714-plus beds between the two hospitals, and more than 500 doctors, the crisis forced an unexpected, on-the-fly adaptation which increased the risk of error—and, potentially, of adverse patient outcomes.”

Some of those same allegations have been levied against Elekta, a radiation treatment software provider whose cloud-based storage system came under attack last spring. The Swedish firm took its storage system offline to contain the April 2, 2021, breach, but the move disrupted radiation therapy services at 42 facilities throughout the United States, delaying or preventing treatments for thousands of cancer patients. One hospital—Yale New Haven Health in Connecticut—took its radiation equipment offline for an entire week.

Like the St. Joseph’s/Candler cyberattack, Elekta’s radiology software breach compromised sensitive patient data—exposing names, birth dates, Social Security numbers, and diagnosis and treatment information. It even spawned a class-action lawsuit, just like the Savannah case.

The July 2021 suit against Elekta claims the company failed to adequately secure protected health information and implement proper security measures to prevent the cyberattack. The complaint also charges the firm with untimely (victim) notification of the data theft, and violating federal, state, and industry data privacy standards. The lawsuit demands Elekta address inadequacies in its security policies and procedures, as well as its protocol for determining the breach’s extent.

“Any interface that connects a medical device to the outside is a possible entry point for an attack, be it wired or wireless networks or even USB ports that could receive a malware-infected thumb drive,” explained Axel Wirth, chief security strategist at MedCrypt, a San Diego-based provider of proactive security for healthcare technology. “Any compromise of a [medical] device has the potential to impact patient health and safety, compromise the ability of a healthcare organization to deliver timely and quality care, or can expose sensitive data stored on or transmitted by devices and health IT systems. The most common scenario we have seen to date is that of a medical device caught up in a broader attack, as a result impacting the device’s functionality and impacting the delivery of the clinical service that was associated with the device, leading to cancellations or ambulance diversions. The potential patient risk is more likely along the lines of delays in care rather than direct harm due to device malfunction. The latter is, of course, possible but not what we have observed so far.”

So far.

But such prospects are becoming more likely with healthcare’s digital transformation. Connectivity is fueling personalized patient-clinician interactions, disrupting conventional business models, and begetting new revenue sources for both providers and medtech innovators. In addition, technological advancements are altering care delivery and allowing patients to assume more control of their health.

Yet digitization is also turning the healthcare industry into a sitting duck for cyber crime. Attacks against the sector jumped 11 percent last year, with the U.S. Department of Health and Human Services reporting a record 712 breaches (an average 59 per month) affecting 45 million people.

Thus far, cyberattackers have mostly targeted electronic medical record systems for their trove of private patient data, which can fetch up to $250 per record on the black market. Hackers sell the information on the deep web for use in fake IDs, phony insurance claims, and bogus bank accounts.

But cybercriminals have stepped up their game of late with more sophisticated attacks that aim to disrupt patient care. Hackers realize they can demand bigger ransom payments and inflict more damage with service-ending network outages than they can with stolen medical records.

“The degree of connectedness of medical devices has really changed,” Kevin Fu, acting director, Medical Device Cybersecurity at the U.S. Food and Drug Administration’s (FDA) Center for Devices and Radiological Health (CDRH), told an audience at last year’s AdvaMed conference. “The consequences are changing just because of how much we depend on them.”

Fu considers the ransomware attack on Elekta’s storage system a “watershed” moment for medical device security because it directly impacted patient care.

“Instead of ransomware simply disabling access to, say, electronic health records, which is still quite inconvenient, in this case the remediation process to the ransomware caused an outage such that patients could not receive that particular therapy from the medical device,” he said. “That was something we haven’t seen before.”

But probably will again: As healthcare’s dependency on connectivity grows, so too will the potential for disruptive cyberattacks. However, hospitals and medical device developers have various options at their disposal for combating these assaults.

The most effective strategy entails an inherent understanding of existing security threats and their possible impact on connected health systems. That requires hospitals to identify the network location of sensitive data and the precise number of connected devices (including desktop computers, tablets and smartphones). Hospitals also should clearly comprehend its interoperability workflows and practices—i.e., the steps needed to ensure sensitive clinical data and assets are shared only with authorized individuals. 

Contrarily, medical device manufacturers can reduce cybersecurity risks in their devices by baking security into their products’ designs. “‘Security by design’ is integral to development of devices that will be better able to withstand vulnerabilities throughout the device’s total product lifecycle and remain resilient,” Suzanne Schwartz, M.D., director, Office of Strategic Partnerships & Technology Innovation at CDRH, told MPO. “The incorporation of scientifically rigorous threat modeling during the earliest stages of device concept and design further informs the security engineering of the device.”

Besides threat modeling, device manufacturers also must consider the type of technology being used in their product when designing for security as well as system design, cryptography, encryption, threat detection, and risk assessment.

Knowledge of security regulations is essential, too. The FDA’s new draft guidance—issued April 7—recommends that device makers address and document numerous cybersecurity concerns in their premarket submissions, including:

• Threat modeling: Identifying the security objectives, risks, and vulnerabilities of a system and defining countermeasures to prevent or mitigate threats throughout the product’s lifecycle.
• Security risk management: A summary of the manufacturer’s risk evaluation methods and processes, including details of the security risk assessment and risk mitigation activities undertaken, controls, and the testing involved to ensure the device is secure.
• Security controls implementation: Includes authentication; authorization; cryptography; code, data, and execution integrity; confidentiality; event detection and logging; resiliency and recovery; updatability and patching.
• Third-party software components: Providing the FDA and customers (as part of product “labeling”) a software bill of materials (SBOM) that contain information about the manufacturer’s developed components as well as third-party purchased, licensed, open-source software.

An SBOM (essentially, a list of all included software components) can be an effective weapon against cybercriminals, as it provides visibility into a manufacturer’s software supply chain. Most medical-related software consists of third-party components (libraries, executables, or source code) that have not been adequately identified or recorded; such insufficient knowledge makes it difficult for hospitals (and medtech companies) to determine whether their software is potentially vulnerable to a breach.

“Sometimes, an organization can do nothing wrong and still be exposed by an internet attack due to a supply chain vulnerability; that is, lack of visibility into not just what connected devices are running which products but what software components, including code libraries, are hidden within each product,” said Tamer Baker, vice president of Global Healthcare at device security firm Forescout Technologies, which acquired CyberMDX earlier this year. “Medical device manufacturers use commercial, open-sourced, and off-the-shelf software components from other vendors as they develop their products. As Forescout discovered when researching Access:7 and Ripple20, it was exceedingly difficult to even track down the correct people at the manufacturers to notify them of these SBOM vulnerabilities. Other researchers have actually had to search through LinkedIn to find someone at these manufacturers who may know if they used vulnerable software in their SBOM. Most manufacturers lack a process to address SBOM vulnerabilities, which can add up. It’s no surprise that the call for a standard software bill of materials is gaining momentum.”

Philips has worked closely with the National Telecommunications and Information Association (NTIA) on software transparency over the last two years. Last summer, the NTIA and U.S. Department of Commerce released the “minimum elements” for an SBOM, comprising three broad, interrelated areas including:

• Data fields: Documenting baseline information about each component that should be tracked
• Automation support: Allowing for scaling across the software ecosystem through automatic generation and machine-readability 
• Practices and processes: Defining the operations of SBOM requests, generation, and use

“For decades, open-source software has been the single most enabler for rapid software application development. Open-source software is prevalent in all software applications,” noted Dirk de Wit, head of Product Security at Philips. “Open-source software is free and is created by developers and crowdsourcing around the world. The integrity of this free and open software is a significant concern to all industries. Philips has worked closely with the NTIA on software transparency over the last two years. This effort focuses on the framing, transfer, and formats of a software bill of materials. The intent here is to provide SBOMs to consumers of technology products to understand and assess the risk of third-party software and open-source software to respond to any security threats or vulnerabilities associated with the software components.”

“Within Philips, we follow a robust framework where security is involved from the ideation phase until the End of Life of the device,” de Wit continued. “From the start, we perform threat modeling, define mitigations and requirements, enable our developers to develop secure code and use pre-approved secure software libraries and make sure we test all our products in line with the earlier requirements. This framework helps reduce cybersecurity risks from the start, but continued security maintenance is also key to staying secure.”

Software patches, particularly for legacy devices, is also key to  product security. Philips offers customers patches and software upgrade services for its medical devices containing the Microsoft operating system, while GE Healthcare continually evaluates and implements new security patches for its products.

“Connected devices are open gateways to the internet, with very high exposure to brute force and distributed denial-of-service attacks,” said Salwa Rafee, global managing director, Healthcare Security, at Accenture plc, an Irish firm specializing in IT services and consulting. “Manufacturers should update devices’ software and operating systems to leverage new security updates as feasible, work with health delivery organizations to isolate those devices on different network segments, and continuously patch to close vulnerabilities.”

Patchwork and software updates are not the sole responsibility of device manufacturers, though. Hospitals also must keep abreast of updates and communicate with device developers about patches for their older products.

“When possible, manufacturers should provide patches. If that is not possible, they need to be transparent with hospitals so that mitigation strategies can be implemented,” noted Margie Zuk, senior principal cybersecurity engineer at MITRE Corporation, a non-profit entity serving the public interest. “Securing legacy devices is a shared responsibility between the medical device manufacturers and hospitals.”

Cybersecurity in general, actually, is a shared responsibility, as neither hospitals nor medical device manufacturers can ward off the rising number of healthcare-targeted attacks on their own. They must join forces to protect both products and patients from harm.

“It’s intensifying,” Claroty’s Langer said of cybercriminals’ fierce assault on healthcare. “We’re at a point where healthcare systems are definitely under attack, and this is a real danger today. But this is a world of partnerships. There are definitely steps that medical device manufacturers can take in-house because they have the knowledge about the proprietary software in their product. It’s hard to tell them exactly how to adapt or modify the software to remediate the [security] risk. They know the software best. At the same time, these devices are deployed in healthcare delivery organizations. It’s a joint problem, so the solution can only be done in partnership.”

Stronger together.