Cybersecurity: Lessons learned in a hacker’s era
Monday, October 2, 2017
Cybersecurity is back in the public eye, with multiple incidents of malware attacks across the globe. Merck recently suffered an attack that disrupted the company’s manufacturing capabilities. Citing concerns about the drug supply, the U.S. House Committee on Energy and Commerce has asked Merck for an update by this week. The potential for cybersecurity intrusions also touches the medical device industry. Most recently, the U.S. Department of Homeland Security and ICS-CERT issued an advisory identifying eight cyber security vulnerabilities in an infusion pump from Smiths Medical. Previously, the FDA issued safety communications regarding vulnerabilities found in certain St. Jude Medical/Abbott cardiac pacemakers and Hospira infusion pumps.
Cybersecurity vulnerabilities threaten all types of computer systems and networks, including those of healthcare delivery organizations (HDOs). Hospital computer networks are routinely subjected to cyber attacks and intrusions, and medical devices connected to these networks are vulnerable to attack. “Modern medical devices are computers,” said Ben Ransford, CEO of Virta Labs. “We need to think about their security in the same way we think about security for other computers. Anything that can happen on a network of computers can happen on a network of medical devices.”
A cyber attack on a hospital that tampers with a medical device’s function could pose dangers to patients. “Any device that is connected to a communications network is potentially vulnerable to cyber intrusions and exploitation,” said Suzanne Schwartz, M.D., associate director for Science and Strategic Partnerships, Center for Devices and Radiological Health at the FDA. “The prevalence of malware and other viruses on networks—including in hospitals and other healthcare delivery organizations—is a primary concern in the cybersecurity of medical devices. Medical devices that are vulnerable to these sorts of intrusions and that do not have appropriate cyber hygiene practices or vulnerability management policies built in pose a potential risk to the patient if their ability to function is impaired.” The FDA regulates the safety and efficacy of devices, and has issued both pre- and post-market guidances with recommendations for how device manufacturers can address cybersecurity.
The FDA has expanded its role in cybersecurity, delaying some devices from coming to market and engaging with various industry and government stakeholders. “The FDA has responded to this challenge by hiring and growing their own cybersecurity expertise,” said Todd Carpenter, chief engineer at Adventium Labs. “They hold collaborative workshops to get academia, industry and HDOs working together on security and safety. They are willing to talk and hold reasoned conversations about requirements and designs. They are, however, understaffed for this daunting task.”
Like other computers, security vulnerabilities in medical devices can provide a path into a computer network and put multiple systems and data at risk. “An attacker might exploit vulnerabilities in an old, unpatched operating system to install their own programs on a medical device,” explained Carpenter. “That code could be used to attack other machines or to pull information off the device . . . . The programs might also delete files on the device, or encrypt them.”
The ability of attackers to gain access to medical and proprietary data also raises concerns for the clinical trial industry. “A clinical trial relies on the pharmaceutical company’s IT infrastructure,” said Carpenter. Any intrusion by malware into the company’s system could potentially compromise the integrity of the system.
A key issue for hospitals, which have large numbers of devices throughout their institutions, is that many devices have outdated software. “The biggest problem from a hospital’s perspective is having medical devices that were not designed with patching in mind,” said Ransford. “A device that could be in service for 20 years may have software that reaches the end of its support life cycle after only 10 years. Hospitals may have many of these legacy systems.” Ransford recommended that institutions apply the same best practices used for enterprise networks to medical device networks, which include staying current with software patches and upgrades.
One step that both HDOs and device companies can take to remediate cybersecurity issues is by performing a security risk assessment to identify what needs to be fixed. Various organizations offer guidance for conducting security risk assessments. For example, The Association for the Advancement of Medical Instrumentation (AAMI) has published a report (AAMI TIR57) that provides guidance for developing cybersecurity risk management processes for device manufacturers. Sans.org is another organization that offers cybersecurity training.
When vulnerabilities in a device are discovered in the field, often by an independent security researcher, the manufacturer should have a clear strategy in place to respond. “Manufacturers should get comfortable with coordinated vulnerability disclosure and make sure that security researchers can contact them easily,” said Ransford. “Also, they should put forth a coherent policy regarding patching and updating devices in the field. Device buyers are going to ask harder questions. Being smart about security is an opportunity for manufacturers to set themselves apart from their competition.”
Carpenter noted that there is much that organizations can do to protect themselves. “Much of the hardware available is well-designed and well-built. It outlives the software, and it has to be updated.” Carpenter encourages hiring the right people to apply available patches. Further, he cited the top four recommendations from the NSA and Australia’s Defense Signals Directorate that claim to avoid 85% of cyber intrusions: “Patch operating systems, patch applications, use white-listing and minimize administrator access. Those four things could stop most of the attacks dead in their tracks.”
This article was reprinted from Volume 21, Issue 39, of CWWeekly, a leading clinical research industry newsletter providing expanded analysis on breaking news, study leads, trial results and more. Subscribe »