Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

IoT Medical Devices a Major Security Worry in Healthcare, Survey Shows

Healthcare providers, manufacturers, and regulators say cybersecurity risks of IoT medical devices and connected legacy systems a top concern.

Nearly one-third of IoT medical device manfacturers, healthcare organizations, regulators, and users cite identifying and addressing cybersecurity issues as their top concern when dealing with both network-connected medical devices and older legacy equipment, according to a Deloitte survey released today.

The survey, which queried more than 370 professionals tied to the IoT medical device industry, also found that 35.6% of these organizations experienced a cybersecurity incident in the past year. The number of attacks via IoT medical devices was not measured in the report.

The online poll was taken in May, less than two weeks after WannaCry swept through 150 countries and hit UK healthcare providers particularly hard.

"That type of attack [WannaCry] was just the tip of the iceberg. There will be other attacks that address these IoT devices," says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. He notes that all it will take is one major event where a patient is put at risk or dies to change the way IoT medical device-makers and the healthcare industry prioritize IoT cybersecurity spending versus taking a backseat to capital spending and operating budget costs.

Part of the challenge is identifying which medical devices are attached to networks. "You can't secure and protect what you don't know," he says. "It's an asset management issue."

Driving this lack of visibility is a combination of tracking hordes of fielded devices that are currently in the market and in use, as well as legacy medical devices running outdated software that makes it difficult to inventory them in a systematic way, Jones adds.

Patrick Phelan, chief information security officer at the University of California San Francisco, agrees that tracking IoT devices in the medical field can be a huge challenge.

"The sheer number of connected devices - tens of thousands - makes asset-tracking challenging, complicated by the fact that many IoT devices move around the hospital, jumping from port to port or access point to access point," says Phelan.

UCSF Medical Center, for example, has nearly 1,000 licensed beds and last year handled 43,000 hospital admissions and 1.2 million outpatient visits. Phelan adds that UCSF has put a great deal of effort into building its inventory and classifying devices according to the risks they face, as well as potentially present.

"Using network segmentation to isolate and protect IoT devices is one of the most important things you can do," says Phelan. "At UCSF, our clinical technologies and IT departments are working closely on the problem."

He notes that medical devices present several security challenges to the industry. "Manufacturers can be slow to provide patches … Security basics are frequently overlooked: it's not uncommon to find medical devices using obsolete operating systems like Windows XP, insecure protocols, and simple passwords.," he says. "Also, IoT medical devices have a longer lifecycle than most technology. A device designed [more than] 10 years ago probably didn't anticipate the threat landscape of 2017."

Tackling security for legacy IoT devices may be done through monitoring any abnormal behavior around the device, as well as developing an effective incident response plan, Deloitte's Jones says.

"I have seen incident response plans developed but they didn't do any war gaming or pressure testing to test the plan. That testing should be part of the plan," Jones says.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

And while manufacturers may bear the brunt of responsibility for making legacy IoT devices secure, the newer IoT devices coming into the market have far more security capability built in, and the onus for maintaining that security has shifted to the healthcare providers, Jones observes.

"Asset management. That is the single thing most thing that they should do for cyber risk management," he says. "You want to narrow down the problem to where is the single biggest risk that will affect the largest number of people."

Playing Nice Together

In order to bring substantial change to cybersecurity of IoT devices in the medical industry, Jones notes it will require collaboration among manufacturers, healthcare providers, and regulators.

IoT medical device manufacturers need to build cybersecurity into devices as they are being developed, and continue to support the devices during their lifecycle with updates and patches, Jones says. The healthcare industry, meanwhile, needs to provide input into product development discussions with manufacturers and regulators can assist with drafting guidelines for solutions, he notes.

In December, the US Food and Drug Administration (FDA) issued its final guidance on how cybersecurity for medical devices should be handled once the devices leave the manufacturing plant. That document builds on the pre-market cybersecurity guidance the FDA finalized in 2014.

"The FDA has expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the healthcare community together to propose and implement shared solutions to addressing cybersecurity concerns," says Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

She says the center identified medical device cybersecurity as a fiscal year 2017 regulatory science research priority, and that the FDA is focused on promoting the adoption of the guidelines throughout the medial device ecosystem.

"We also expect to see more and more manufacturers come to us this year with pre-submission meeting requests to include discussions about building cybersecurity controls into their devices. We welcome the interactions we'll be having this year to help the entire community move to a better place," she says.

Schwartz adds that addressing cybersecurity and public health takes input and effort from many stakeholders, and that proactive multi-stakeholder engagement is the cornerstone of the FDA's approach to addressing cybersecurity in medical devices.

The FDA's efforts, however, have received some mixed reactions. 

"The FDA has published solid pre- and postmarket cybersecurity guidance for manufacturers, but there are no hard compliance requirements," Phelan says. "The Diabetes Technology Society released a security standard (DTSec) for connected diabetes devices in 2016, and I'm hoping we'll see more independent device certifications like this in the future.

"The good news is that medical device security is getting a lot of exposure these days," he says.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
RDP Bug Takes New Approach to Host Compromise
Kelly Sheridan, Staff Editor, Dark Reading,  7/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14248
PUBLISHED: 2019-07-24
In libnasm.a in Netwide Assembler (NASM) 2.14.xx, asm/pragma.c allows a NULL pointer dereference in process_pragma, search_pragma_list, and nasm_set_limit when "%pragma limit" is mishandled.
CVE-2019-14249
PUBLISHED: 2019-07-24
dwarf_elf_load_headers.c in libdwarf before 2019-07-05 allows attackers to cause a denial of service (division by zero) via an ELF file with a zero-size section group (SHT_GROUP), as demonstrated by dwarfdump.
CVE-2019-14250
PUBLISHED: 2019-07-24
An issue was discovered in GNU libiberty, as distributed in GNU Binutils 2.32. simple_object_elf_match in simple-object-elf.c does not check for a zero shstrndx value, leading to an integer overflow and resultant heap-based buffer overflow.
CVE-2019-14247
PUBLISHED: 2019-07-24
The scan() function in mad.c in mpg321 0.3.2 allows remote attackers to trigger an out-of-bounds write via a zero bitrate in an MP3 file.
CVE-2019-2873
PUBLISHED: 2019-07-23
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.2.32 and prior to 6.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox...