Security of Medical Devices Needs Care

Medical devices, such as pacemakers, insulin pumps and defibrillators, could become lethal in the hands of a hacker tampering with them remotely. A new study that shows medical devices—and patients—are vulnerable to cyber attacks is a wake-up call for manufacturers, according to a Silicon Valley software company that sponsored the study. Device manufacturers must change their culture and look at security as an equal to patient safety, says Chris Clark, principal security engineer of strategic initiatives for Mountain View, Calif.-based Synopsys. The company’s study, which surveyed about 550 employees of device manufacturers and healthcare delivery organizations (HDOs), found that nearly 70% of manufacturers and nearly 60% of HDOs believe an attack on a device built or in use by them is likely to occur during the next 12 months. The most surprising finding, Clark says, is that about 40% of manufacturers and 45% of HDOs—despite being aware of the risks—take no steps to prevent medical-device attacks. See also: How to Make Smart Devices More Secure   There are, however, some positive takeaways, he says. The study, conducted by the IT research organization Ponemon Institute, showed that “a significant percentage” of HDOs are concerned about the risk of insecure medical devices, and many are taking measures to test them for vulnerabilities. That’s a good sign, Clark says, because most study respondents work for small organizations “with limited resources and expertise in this area.” Security painfully lacking About 60% of respondents work for organizations with fewer than 1,000 employees, 10% said they had no budget for device security and 40% said their annual budget was less than $500,000. The study found that 59% of respondents employed by HDOs rated the importance of medical device security as very high relative to all other data and IT security measures deployed. Yet, only 37% of those who work for manufacturers consider such security of very high importance. A cyber attack on a medical device can manifest in various ways. This tells us the manufacturers still operate under the pretense that security is an HDO issue, and medical device security will be a lower priority for the foreseeable future, Clark says. “This statistic alone should be of great concern and a critical lesson for HDOs who are truly interested in protecting their infrastructure.” An attacker could take control of a device to administer inappropriate or harmful treatment to a patient, Clark says. The attacker could dispense the wrong dosage of medication via an infusion pump, manipulate the electrical output of a pacemaker, crash or render a device inoperable, access the data stored or transmitted by a device or use it to pivot to other systems or devices within the same network. Hospitals risk erosion of patient confidence Each of these scenarios has a physical impact to a device or group of devices, but the real danger is a loss of confidence in the ability of HDOs to deliver quality care and protect patient information, Clark says. “A breach could be catastrophic for a hospital system.” The Synopsys study found that 80% of respondents who work for medical device manufacturers or HDOs say medical devices are very difficult to secure. The top reasons cited for device vulnerability include accidental coding errors, lack of knowledge/training about secure coding practices and pressure on development teams to meet product deadlines. Security an afterthought Securing medical devices also is difficult, Clark says, because security is not a primary consideration early in the design process. “This, along with the need for flexible communications that are often unencrypted or have no security characteristics, create a wide range of challenges.” Respondents in the Synopsys study were surveyed before the WannaCry ransomware attack in May. The worldwide cyber attack targeted computers running the Microsoft Windows operating system and, within a day, reportedly infected more than 230,000 computers and medical devices in more than 150 countries. See also: Can Your Health Device Be Hacked?   Healthcare organizations are “some of the most commonly targeted cyber attack victims, second to only the banking and financial industry,” Clark says. “If you couple that trend with the results of this survey showing how little is being done to protect medical devices, it’s not unreasonable to expect things to get worse before they get better.” Most stakeholders, though, are “genuinely concerned” about the impact of insecure medical devices—“both in terms of patient safety and risk to their organizations,” Clark says. “What remains to be seen is whether the industry steps up to voluntarily address these challenges or the U.S. Food and Drug Administration takes a more aggressive stance.” This article originally appeared on ThirdCertainty. It was written by Gary Stoller.