As COVID-19 continues to turn the world upside down, hospitals are facing unprecedented challenges: Do we have enough staff to treat the influx of patients? Are there enough beds and equipment for those patients? Will patients' lives be threatened by hackers holding the medical devices keeping them alive for ransom?
While that last concern is not unique to the COVID-19 crisis, it's certainly of heightened risk given that hospitals and emergency rooms have been overwhelmed with a massive influx of patients, resulting in even more patient-connected devices going online. While important, every piece of connected medical equipment, referred to as the Internet of Medical Things (IoMT), provides an easy on-ramp for hackers to bring a hospital to its knees.
"We are overdependent on undependable things," says Joshua Corman, former member of the HHS Cybersecurity Task Force under the Obama administration, and co-founder of I Am The Cavalry, a grassroots group focused on the intersection of computer security and public safety. "On the whole, these medical advances are improving lives, making care more available, and curing ailments that haven't been cured before. But I want the trust placed upon those innovations to be worthy of that trust. It's not right now."
The problems with IoMT are, essentially, threefold, with some deeper complications sprinkled throughout: One, the devices tend to run on outdated operating systems, like Windows 95, Windows XP, or Windows 7, and many were never intended to go online so they have no cybersecurity protection whatsoever. Two, hospital networks are often not segmented, allowing attackers to enter anywhere and move around. Three, vulnerable equipment is often not being replaced or patched, and not nearly enough is being recalled.
That combination could literally prove deadly for patients.
"An old, unpatched device that was inadvertently exposed to the Internet can make a great foothold into a network, where attackers can then move around and find more sensitive data," says Charles Ragland, security engineer at Digital Shadows, a San Francisco-based provider of digital risk-protection solutions. "This could also lead to a ransomware attack that could incapacitate infrastructure that is critical for patient care and safety."
Ransomware and distributed denial-of-service (DDoS) are two of the more common attacks that affect IoMT. "The devices perform an important function, and people are much more likely to pay up or meet the demands of criminals who have carried out the attacks," Ragland says.
"When you talk about medical devices, the typical scenario frightening organizations is, what if there's a targeted attack? What if a nation-state specifically targets an IV pump and changes the dose of medication?" says Leon Lerman, CEO of IoMT security platform Cynerio. "That definitely could happen. But there's a lot more of a basic threat. Ransomware, phishing emails ... those attacks target the weakest and older OSes" typically running on these devices.
Indeed, hospitals are now the top targets in the world for ransomware because "they're vulnerable and they pay," Corman says. He adds that part of the problem stems from hospital insurance policies themselves, which have inadvertently covered ransom payments, usually in their kidnapping clauses. Corman says he is working with insurance companies to help change that going forward and to add in language that incentivizes providers to take necessary steps to address security flaws and respond to FDA recalls or pay higher premiums.
For now, while paying ransom might seem like the better choice than having medical systems incapacitated, this, of course, only incentivizes hackers to return to these reliable, lucrative gigs.
So why are hospitals overrun with outdated technology that they're not fixing and willingly forking over bitcoins to nefarious Internet criminals?
The answer to that is a mixed bag of technology that wasn't built with security in mind, connected devices that take so long to develop and get certified that their technology is obsolete by the time they hit the market, and finger-pointing between hospitals, device manufacturers, and the FDA.
"If you talk to a medical device maker or hospital operator, you will often hear, 'We are not allowed to patch these things. The FDA won't let us.' Or, 'OK, we're allowed to, but they'll make us recertify.' Both are false," Corman says. Rather, he says, as long as an update does not change the "intended use" of a device, it is not necessary to recertify. "In most cases, addressing a security flaw preserves 'intended use,'" he says.
It's a "willful lie on the part of some stakeholders in the system that you can't update medical devices," Corman says, adding that oftentimes device manufacturers won't do updates on old technology because they just want to move on to other things, and it's inadvisable or impossible for hospitals to patch security flaws without the manufacturer's involvement.
"Not only can you update, the FDA really wants you to update," he says.
For its part, the FDA has worked to clarify requirements around medical technology. In postmarket guidance completed in 2016, the FDA explained that while federal regulations require manufacturers or importers to report certain actions concerning device corrections and removals, "the majority of actions taken by manufacturers to address cybersecurity vulnerabilities and exploits, referred to as 'cybersecurity routine updates and patches,' are generally considered to be a type of device enhancement for which the FDA does not require advance notification or reporting. … For a small subset of actions taken by manufacturers to correct device cybersecurity vulnerabilities and exploits that may pose a risk to health, the FDA would require medical device manufacturers to notify the Agency."
Furthermore, in a 2018 update on premarket guidance that was originally completed in 2014, the FDA drafted new guidelines for the manufacturing of and life-cycle planning for connected medical devices that instruct manufacturers to apply a risk-based approach to the design and development of devices that considers cybersecurity for the life cycle of the product.
This is good news for the future of IoMT. But Corman notes the earliest we're likely to see modernized devices hit the market is 2021, and it'll be longer before facilities actually do the upgrades. "Hospitals hold onto devices as long as they can," he says, and then those outdated, dangerous devices sometimes go on to their next lives, sold to hospitals in other countries.
In the meantime, medical facilities are overloaded with insecure connections on their networks that all have the potential to harm or end human life.
"It's not uncommon for a medical device to have over 1,000 known vulnerabilities," Corman says. "It only takes one to take out a whole hospital."
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "5 Ways to Prove Security's Worth in the Age of COVID-19."