Four years ago I wrote about the need to secure medical devices from potential attackers. The problem is still there and the potential for harm is just as great or greater.
In October of this year (2018) the US Food And Drug Administration(FDA)’s Office of the Inspector General delivered a report entitled, THE FOOD AND DRUG ADMINISTRATION’S POLICIES AND PROCEDURES SHOULD BETTER ADDRESS POSTMARKET CYBERSECURITY RISK TO MEDICAL DEVICES. Its thirty-four pages are hardly riveting reading, but the message is made clear in the first sentence of the report summary: “FDA had plans and processes for addressing certain medical device problems in the postmarket phase, but its plans and processes were deficient for addressing medical device cybersecurity compromises.” In other words, there are vulnerable devices out there. I urge you to read the report in its entirety.
Our health systems – in the US and any other country – are part of the country’s critical infrastructure. The report acknowledges that and notes the FDA’s responsibilities in safeguarding that portion of the critical infrastructure. The responsibility primarily lies in the hands of the manufacturers and users of the equipment. The equipment must be designed and used securely. The FDA and/or others must test the equipment both pre- and post-manufacture to ensure its resilience to cyber attacks.
It is no longer only the domain of fiction writers to envision malicious attacks on medical devices. Healthcare IT News reported on a study of very real hospital ransomware attacks. Both human and device issues were discussed. Symantec reported earlier this year on additional attacks around the world. This is a continually growing threat.
I can envision a situation where a large scale bad actor could terrorize a nation by attacking hundreds or thousands of devices across many manufacturers and institutions.
There are two essential actions to be taken immediately: first, personnel must learn the negative implications of misusing equipment in ways such as surfing the internet on browsers connected to medical devices. That should seem obvious, but that was a vector reportedly used in some ransomware attacks, according to the Healthcare IT News report. Yes, that should be difficult or impossible to do, but absent that protection, the people involved need to be educated about the dire consequences of unsecured internet endpoints. Those interested in security awareness training should consider Learning Tree’s one day “Security Awareness” course.
Second, the hardware and software must be securely designed and tested. Secure hardware design is a huge topic and promises to be even more significant as the Internet of Things, or IoT continues to grow. This space is way to small to even touch that. I recommend Learning Tree’s “Endpoint Security and Network Access Control Training” to address that aspect of secure design and implementation of networked devices.
When it comes to testing, Learning has a course entitled “Penetration Testing: Tools and Techniques”. That is an excellent start for those interested in learning this process. The field is large and there are industry certifications for practitioners.
Based on the course recommendations I’ve made, this may seem like a large landscape and indeed it is. It is also good that there is a lot to learn because medical devices should not be designed insecurely and used by those unaware not only of the medical consequences but the cyber security consequences as well.
To your safe computing,