Nearly one-third of IoT medical device manfacturers, healthcare organizations, regulators, and users cite identifying and addressing cybersecurity issues as their top concern when dealing with both network-connected medical devices and older legacy equipment, according to a Deloitte survey released today.
The survey, which queried more than 370 professionals tied to the IoT medical device industry, also found that 35.6% of these organizations experienced a cybersecurity incident in the past year. The number of attacks via IoT medical devices was not measured in the report.
The online poll was taken in May, less than two weeks after WannaCry swept through 150 countries and hit UK healthcare providers particularly hard.
"That type of attack [WannaCry] was just the tip of the iceberg. There will be other attacks that address these IoT devices," says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. He notes that all it will take is one major event where a patient is put at risk or dies to change the way IoT medical device-makers and the healthcare industry prioritize IoT cybersecurity spending versus taking a backseat to capital spending and operating budget costs.
Part of the challenge is identifying which medical devices are attached to networks. "You can't secure and protect what you don't know," he says. "It's an asset management issue."
Driving this lack of visibility is a combination of tracking hordes of fielded devices that are currently in the market and in use, as well as legacy medical devices running outdated software that makes it difficult to inventory them in a systematic way, Jones adds.
Patrick Phelan, chief information security officer at the University of California San Francisco, agrees that tracking IoT devices in the medical field can be a huge challenge.
"The sheer number of connected devices - tens of thousands - makes asset-tracking challenging, complicated by the fact that many IoT devices move around the hospital, jumping from port to port or access point to access point," says Phelan.
UCSF Medical Center, for example, has nearly 1,000 licensed beds and last year handled 43,000 hospital admissions and 1.2 million outpatient visits. Phelan adds that UCSF has put a great deal of effort into building its inventory and classifying devices according to the risks they face, as well as potentially present.
"Using network segmentation to isolate and protect IoT devices is one of the most important things you can do," says Phelan. "At UCSF, our clinical technologies and IT departments are working closely on the problem."
He notes that medical devices present several security challenges to the industry. "Manufacturers can be slow to provide patches … Security basics are frequently overlooked: it's not uncommon to find medical devices using obsolete operating systems like Windows XP, insecure protocols, and simple passwords.," he says. "Also, IoT medical devices have a longer lifecycle than most technology. A device designed [more than] 10 years ago probably didn't anticipate the threat landscape of 2017."
Tackling security for legacy IoT devices may be done through monitoring any abnormal behavior around the device, as well as developing an effective incident response plan, Deloitte's Jones says.
"I have seen incident response plans developed but they didn't do any war gaming or pressure testing to test the plan. That testing should be part of the plan," Jones says.
And while manufacturers may bear the brunt of responsibility for making legacy IoT devices secure, the newer IoT devices coming into the market have far more security capability built in, and the onus for maintaining that security has shifted to the healthcare providers, Jones observes.
"Asset management. That is the single thing most thing that they should do for cyber risk management," he says. "You want to narrow down the problem to where is the single biggest risk that will affect the largest number of people."
Playing Nice Together
In order to bring substantial change to cybersecurity of IoT devices in the medical industry, Jones notes it will require collaboration among manufacturers, healthcare providers, and regulators.
IoT medical device manufacturers need to build cybersecurity into devices as they are being developed, and continue to support the devices during their lifecycle with updates and patches, Jones says. The healthcare industry, meanwhile, needs to provide input into product development discussions with manufacturers and regulators can assist with drafting guidelines for solutions, he notes.
In December, the US Food and Drug Administration (FDA) issued its final guidance on how cybersecurity for medical devices should be handled once the devices leave the manufacturing plant. That document builds on the pre-market cybersecurity guidance the FDA finalized in 2014.
"The FDA has expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the healthcare community together to propose and implement shared solutions to addressing cybersecurity concerns," says Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.
She says the center identified medical device cybersecurity as a fiscal year 2017 regulatory science research priority, and that the FDA is focused on promoting the adoption of the guidelines throughout the medial device ecosystem.
"We also expect to see more and more manufacturers come to us this year with pre-submission meeting requests to include discussions about building cybersecurity controls into their devices. We welcome the interactions we'll be having this year to help the entire community move to a better place," she says.
Schwartz adds that addressing cybersecurity and public health takes input and effort from many stakeholders, and that proactive multi-stakeholder engagement is the cornerstone of the FDA's approach to addressing cybersecurity in medical devices.
The FDA's efforts, however, have received some mixed reactions.
"The FDA has published solid pre- and postmarket cybersecurity guidance for manufacturers, but there are no hard compliance requirements," Phelan says. "The Diabetes Technology Society released a security standard (DTSec) for connected diabetes devices in 2016, and I'm hoping we'll see more independent device certifications like this in the future.
"The good news is that medical device security is getting a lot of exposure these days," he says.
- Healthcare Industry Lacks Awareness of IoT Threat, Survey Says
- Major Cyberattacks On Healthcare Grew 63% In 2016
- Medical Device Security Gets Intensive Care
- IoT Security Incidents Rampant and Costly