Hospital hackers – mitigating hospital cybersecurity risks

Last year, Johnson & Johnson warned patients that its OneTouch Ping insulin pump could be hacked to change the dosage. It seemed to confirm fears that medical internet-of-things (IoT) devices put patient safety at risk.

While there have been no instances of cybercriminals taking advantage of a bug to harm patients, that’s not to say that the virtual underworld has forgotten healthcare. It has simply identified the most lucrative marks. Most confirmed healthcare cyberattacks target hospitals and clinics with the intent of getting hold of patients’ valuable data and medical records.

Infected with malware that allows them to be remotely controlled, computers and IoT devices become part of botnets that are millions of machines strong. A distributed denial of service (DDOS) attack involves all these devices sending a request to a facility’s servers at the same time, designed to overload the system and bring management to its knees. Networks infected with ransomware – another type of malware – will lock users out to blackmail them into releasing funds or patient data. Following a successful attack on Hollywood Presbyterian Medical Center in California in early 2016, hospitals are emerging as primary targets for ransomware. And then there are the social-engineering methods tried and trusted by hackers since the internet began, like spear-phishing, which coaxes confidential information out of a target by sending emails that look like they come from a trusted address.

Patients can be identified even through indirect routes such as their age, gender and location, and a staff member who clicks on a link in a malicious email can be all it takes to infect a network with malware. Some of this can be prevented with basic measures like changing passwords regularly, securing wireless networks and educating users on security hygiene. Ensuring that each staff member and device only has access to the necessary parts of a network protects against attacks from inside an organisation or through compromised user accounts. 

Part of this protective strategy also involves making sure routers and IoT devices are up to date with the latest security patches. However, says Steve Abrahamson, GE Healthcare’s senior director for product cybersecurity, this is easier said than done. GE Healthcare manufactures IoT medical devices and maintains products from multiple vendors post-market. It provides monitored field service technicians, develops updates for its own software and reviews patches from third-party manufacturers before release.

“You can’t really deal with security issues only at the device level,” he explains. Healthcare facilities often deal with devices from hundreds of different vendors, including patients who supply their own. The network linking a facility’s devices is often just as vulnerable to attack as the devices themselves. GE’s security service teams conduct assessments at the network level for healthcare facilities as well as offering network-monitoring software, which doesn’t need to be familiar with each device’s operating system.

To compound the issue, security has been an afterthought for many manufacturers in the rush to get into the medical IoT game. It may be a hot topic now, but Abrahamson says it was barely on the radar when he started in the medical device security field six years ago.

“The real issue that we have is lack of implementation of design practices and standards for security within medical devices. There are devices out there that could be ten, 15, 20 years old, for which we’re going to have very limited ability to apply technical fixes. It’s really hard to patch and update those because they were not designed to be regularly updated,” he explains.

Collective security

When Apple, Microsoft or Google identify a security bug in your smartphone, their engineers can create a patch and push it to all their network-connected users. You get a notification, tap ‘OK’ and the bug is fixed. This is partly because the ability to update is built into a smartphone’s operating system but also because their patches don’t need to undergo the extreme QA process required for medical devices in order to ensure patient safety. Although security updates don’t require FDA approval, they must go through a stringent internal review process. Often, the patient is then asked to come in and have the patch installed by a qualified technician.

Although larger manufacturers have now taken steps to improve the security of their products, smaller players and start-ups may lack the resources or experience to do the same. The usual IT standards for QA and security can’t always be applied to medical devices when patient safety is at stake. Patient safety, in fact, requires so much focus during the development process that cybersecurity may be left by the wayside entirely. Those manufacturers’ customers in the healthcare world have also historically prioritised safety, as well as cost-effectiveness. In Abrahamson’s view, this state of affairs is on its way out, but the battle will eventually be won by collaboration – not technical know-how.

“[Cybersecurity] is getting a pretty high level of attention within our customer base,” he says. “We work with them to make sure that we have their needs baked into our design and support practices, and they also have a good understanding of some of the things that we can and cannot do.”

Abrahamson is a regular speaker at medical device security conferences, encouraging smaller manufacturers to join industry groups so they can benefit from the knowledge of larger players. He aims to share information with not only customers but also other manufacturers.

“We don’t want to compete on safety and security,” he says. “We want a patient to be able to walk into a care facility and feel that they’re secure. If they’re worried about cybersecurity, it’s not good for the industry. We don’t want them to have to look at what kind of logo is on the device to determine whether or not they feel safe.”

Late to the game

Manufacturers can be forgiven for being uninformed. The first communication from FDA regarding cybersecurity in medical devices didn’t go out until 2013. It was a safety alert that recommended, among other precautions, implementing user ID and password authentication, and backing up data – strategies considered basic in IT, but that had been ignored by much of the medical IoT world.

In January 2017, FDA released the final version of a guidance document regarding the post-market management of medical cybersecurity devices. The gist of it was that manufacturers should be building cybersecurity into their devices from the beginning of the design process, as part of a “structured and comprehensive” security program, and that they should “continuously monitor and address” vulnerabilities once a device was in use. The guidance also recommended that stakeholders “collaborate to leverage available resources and tools to establish a common understanding that assesses risks for identified vulnerabilities”.

The guidance was developed in close collaboration with industry groups – a move Abrahamson appreciates. FDA is also waiving some of the standard requirements for recall reporting for manufacturers that participate in an information sharing analysis organisation (ISAO). This, Abrahamson says, is the push that the industry needs.

“[The guidance] really opens the door for manufacturers to be more open in sharing information with their customers,” he says. “It establishes the principle that FDA wants manufacturers to share information and addresses the idea that transparency is a means of mitigating risk.

“That’s really what we’re going to be working on this year: establishing systemic communication mechanisms that would tie customers in to the type of information that we track internally,” he continues.

Abrahamson hopes to achieve a return to a risk-based approach to security requirements, rather than the compliance-based strategy currently gaining traction in which, driven by a growing number of standards and regulations, customers write cybersecurity requirements into contracts and apply IT frameworks to medical devices rather than engaging in an ongoing risk-assessment process.

“A compliance-based approach can dilute true risk management,” Abrahamson said at the Medical Device Cybersecurity Risk Mitigation conference in 2016. During the design phase for a new product, his team conducts risk assessment in terms of ‘failure modes’ like denial of service, unauthorised access or compromised data. They implement the most stringent security controls for high-impact failure modes, such as unauthorised access to a large database of medical records.

Cybersecure future

Abrahamson believes the next trend to watch will target the network layer. GE is the manufacturer and customer for one of its recent IoT products, the GE Health Cloud, a platform designed to connect with millions of imaging devices and manage the data they generate.

“The next generation is going to be advanced analytics and leveraging things that we’re learning in our cloud business at the device level. One of the key features that I think we really can improve is the mechanisms that we are implementing for audit logging, because that’s going to give us a lot of additional capability,” says Abrahamson.

Audit logging records what happens in an IT system, noting timestamps, user login details, what was accessed, and the source and destination of a request. This can prove invaluable in the wake of an attack and to catch potential threats.

Ultimately, given the absence of patient-targeted malicious activity so far, Abrahamson shares the confidence of many manufacturers that IoT is worth the risk.

“Certainly, it’s possible that could happen, which is why we put a lot of protections in our devices. But the benefits at this point are far in excess of the risks. We just have to make sure that the balance is continuing to be far on the side of benefitting the patients,” he says.