The University of Michigan’s Archimedes Center for Medical Device Security hosted its second annual MDS 101 conference in Orlando this month. The conference provides a secure forum for attendees to speak freely about cybersecurity issues with respected professionals who can help establish best practices for improving medical device security.
We found the format to be a refreshing change from some of the larger conferences. “Coordination, collaboration, and communication” were three words used by Suzanne Schwartz, Associate Director for Science and Strategic Partnerships at the U.S. Food and Drug Administration (FDA), that not only defined the necessary future state for the medical device ecosystem, but echoed the reason we were all there at the conference.
While medical device security is often thought of as a dilemma for device manufacturers and healthcare providers, the FDA and constituents – manufacturers, healthcare delivery organizations (HDOs), academics, and vendors – presented the case that extensive, community-wide support is required to overcome the expansive list of vulnerabilities. Recent threats such as Spectre, Meltdown, WannaCry, and EternalBlue affected or could potentially affect the integrity of medical devices throughout their total product lifecycle (TPL). The FDA emphasized the need to consider scenarios beyond the intended use of medical devices and the ability to integrate threat modeling into the product lifecycle. A well-coordinated disclosure of vulnerabilities leads to more effective mitigation.
Archimedes Director Kevin Fu, Tony Sager of the Center for Internet Security (CIS), and other presenters concurred that medical devices were traditionally manufactured with patient safety in mind, from an operational technology perspective. Today, given the advanced and persistent threats that these devices now face from attackers, security and privacy mechanisms must be embedded to achieve the original goal of patient safety, but from an information technology angle. These devices may not have been part of a connected ecosystem with data coming and going in the past, but they’re now a part of the new world of interoperability in healthcare.
Dr. Christian Dameff from the University of California, San Diego, presented on the need for risk management in healthcare IT and its impact on patient care. Patient care disruptions caused by security vulnerabilities in medical devices due to recent attacks were called out during the session. While there is heightened awareness for the need to include secure practices in medical device product development, risk management of legacy medical devices used by HDOs was identified as a major challenge.
Ken Khouri, Director of OCS Enterprise Solutions at Coalfire’s client Varian Medical Systems, presented on the benefits of leveraging security as a market differentiator. According to Khouri, three years ago their customers seldom asked about data security. But today it’s a topic on the minds of every CIO and CMIO at HDOs. They want to understand the risk they’re assuming when purchasing software and devices from vendors. While Varian is a medical technology company and not a security company, the high stakes warranted a more proactive, systematic approach they can now use as a competitive differentiator. Varian implemented several concentrated actions on security: They shifted substantial engineering investment to security and hired additional domain expertise; they engaged multiple parties to conduct in-depth threat analyses on their software and hardware solutions; and finally, they took a risk-management approach to enhancements that introduced additional barriers against malicious actors.
Here are some things organizations should be doing to keep medical devices secure:
Healthcare Delivery Organizations
- Isolate medical devices to their own network segment, which allows for ease in maintaining an inventory. It also provides greater control in restricting network traffic to only what is necessary and approved.
- Use a risk-based framework for assessing, prioritizing, and remediating medical device vulnerabilities. Assess the impact of vulnerabilities on patient safety and essential performance of medical devices. Leverage the FDA’s post-market guidance on cybersecurity management.
- Review vulnerability listings and patch accordingly. Vulnerability listings and exploits are available online at the following resources:
- National vulnerability database
- Common vulnerability scoring service (CVSS)
- SANS Internet Storm Center
- Exploit-DB (EDB)
- HITRUST Cyber Threat Xchange (CTX)
- Perform pre-purchase and ongoing risk assessments on devices. The following resources are available to facilitate these assessments:
- MDS2 forms
- ISO 80001
- UL 2900
- Maintain close relationships with IT security, clinical engineering, and device manufacturers to ensure that procured devices are configured and deployed in a manner that increases patient safety while enforcing strong security and privacy measures.
- Implement a patch management process for medical devices. Leverage resources like NIST 800-40v2 for guidance.
- Perform vulnerability scans and penetration testing on your medical device network.
- Require vendors to provide a bill of materials (BOM) for their devices. This will allow you to "know the ingredients" that have been embedded in each device. It will also help you track vulnerabilities in software/firmware associated with each device.
- Perform comprehensive testing on each device, including but not limited to software composition analysis, static code testing, malformed input testing (fuzz testing), and penetration testing.
- Embed controls into the configuration of your devices that promote security and privacy, as well as patient safety.
- Leverage the FDA’s pre-market guidance on medical device cybersecurity management. Integrate threat modeling as part of the risk management process.
- To assist with asset identification and tracking, devices should be configured in a way that makes them easier to detect and inventory on the network.
- Provide MDS2 forms and a bill of materials upon request from customers.
- As more HDOs adopt vendor risk management programs, be patient and provide timely feedback to their requests (e.g., questionnaires).
- Listen to the feedback of customers and the community at large.
- Participate in medical device knowledge sharing at events hosted by the Archimedes Center for MDS or NH-ISAC.
- Make security a market differentiator by implementing a pre-market risk assessment methodology and communicating this advantage. The following frameworks are available:
- UL 2900 (certification)
- ISO 14971
The Archimedes Center for Medical Device Security was established to help manufacturers and industry experts navigate the operational hazards of cybersecurity implementation and prepare them for the future challenges of FDA requirements. We think that while medical device security has a long way to go, the community has taken a huge step forward in realizing that the benefits of medical devices still outweigh the risks, and that the security of those devices can be drastically improved by practicing basic security hygiene.