Threat Intelligence
8/15/2017
11:30 AM
100%
0%

IoT Medical Devices a Major Security Worry in Healthcare, Survey Shows

Healthcare providers, manufacturers, and regulators say cybersecurity risks of IoT medical devices and connected legacy systems a top concern.

Nearly one-third of IoT medical device manfacturers, healthcare organizations, regulators, and users cite identifying and addressing cybersecurity issues as their top concern when dealing with both network-connected medical devices and older legacy equipment, according to a Deloitte survey released today.

The survey, which queried more than 370 professionals tied to the IoT medical device industry, also found that 35.6% of these organizations experienced a cybersecurity incident in the past year. The number of attacks via IoT medical devices was not measured in the report.

The online poll was taken in May, less than two weeks after WannaCry swept through 150 countries and hit UK healthcare providers particularly hard.

"That type of attack [WannaCry] was just the tip of the iceberg. There will be other attacks that address these IoT devices," says Russell Jones, Deloitte Risk and Financial Advisory partner at Deloitte & Touche. He notes that all it will take is one major event where a patient is put at risk or dies to change the way IoT medical device-makers and the healthcare industry prioritize IoT cybersecurity spending versus taking a backseat to capital spending and operating budget costs.

Part of the challenge is identifying which medical devices are attached to networks. "You can't secure and protect what you don't know," he says. "It's an asset management issue."

Driving this lack of visibility is a combination of tracking hordes of fielded devices that are currently in the market and in use, as well as legacy medical devices running outdated software that makes it difficult to inventory them in a systematic way, Jones adds.

Patrick Phelan, chief information security officer at the University of California San Francisco, agrees that tracking IoT devices in the medical field can be a huge challenge.

"The sheer number of connected devices - tens of thousands - makes asset-tracking challenging, complicated by the fact that many IoT devices move around the hospital, jumping from port to port or access point to access point," says Phelan.

UCSF Medical Center, for example, has nearly 1,000 licensed beds and last year handled 43,000 hospital admissions and 1.2 million outpatient visits. Phelan adds that UCSF has put a great deal of effort into building its inventory and classifying devices according to the risks they face, as well as potentially present.

"Using network segmentation to isolate and protect IoT devices is one of the most important things you can do," says Phelan. "At UCSF, our clinical technologies and IT departments are working closely on the problem."

He notes that medical devices present several security challenges to the industry. "Manufacturers can be slow to provide patches … Security basics are frequently overlooked: it's not uncommon to find medical devices using obsolete operating systems like Windows XP, insecure protocols, and simple passwords.," he says. "Also, IoT medical devices have a longer lifecycle than most technology. A device designed [more than] 10 years ago probably didn't anticipate the threat landscape of 2017."

Tackling security for legacy IoT devices may be done through monitoring any abnormal behavior around the device, as well as developing an effective incident response plan, Deloitte's Jones says.

"I have seen incident response plans developed but they didn't do any war gaming or pressure testing to test the plan. That testing should be part of the plan," Jones says.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

And while manufacturers may bear the brunt of responsibility for making legacy IoT devices secure, the newer IoT devices coming into the market have far more security capability built in, and the onus for maintaining that security has shifted to the healthcare providers, Jones observes.

"Asset management. That is the single thing most thing that they should do for cyber risk management," he says. "You want to narrow down the problem to where is the single biggest risk that will affect the largest number of people."

Playing Nice Together

In order to bring substantial change to cybersecurity of IoT devices in the medical industry, Jones notes it will require collaboration among manufacturers, healthcare providers, and regulators.

IoT medical device manufacturers need to build cybersecurity into devices as they are being developed, and continue to support the devices during their lifecycle with updates and patches, Jones says. The healthcare industry, meanwhile, needs to provide input into product development discussions with manufacturers and regulators can assist with drafting guidelines for solutions, he notes.

In December, the US Food and Drug Administration (FDA) issued its final guidance on how cybersecurity for medical devices should be handled once the devices leave the manufacturing plant. That document builds on the pre-market cybersecurity guidance the FDA finalized in 2014.

"The FDA has expanded the scope of its work in cybersecurity over the past several years. We have worked diligently to bring the healthcare community together to propose and implement shared solutions to addressing cybersecurity concerns," says Suzanne Schwartz, associate director for science and strategic partnerships at the FDA's Center for Devices and Radiological Health.

She says the center identified medical device cybersecurity as a fiscal year 2017 regulatory science research priority, and that the FDA is focused on promoting the adoption of the guidelines throughout the medial device ecosystem.

"We also expect to see more and more manufacturers come to us this year with pre-submission meeting requests to include discussions about building cybersecurity controls into their devices. We welcome the interactions we'll be having this year to help the entire community move to a better place," she says.

Schwartz adds that addressing cybersecurity and public health takes input and effort from many stakeholders, and that proactive multi-stakeholder engagement is the cornerstone of the FDA's approach to addressing cybersecurity in medical devices.

The FDA's efforts, however, have received some mixed reactions. 

"The FDA has published solid pre- and postmarket cybersecurity guidance for manufacturers, but there are no hard compliance requirements," Phelan says. "The Diabetes Technology Society released a security standard (DTSec) for connected diabetes devices in 2016, and I'm hoping we'll see more independent device certifications like this in the future.

"The good news is that medical device security is getting a lot of exposure these days," he says.

Related Content:

 

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cybersecurity Must Be an International Effort
Kelly Sheridan, Associate Editor, Dark Reading,  12/6/2017
NIST Releases New Cybersecurity Framework Draft
Jai Vijayan, Freelance writer,  12/6/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.