Why isn’t anyone paying attention to medical device insecurity?
They say things, good and bad, come in threes. Although I’m beginning to think that discussing medical device insecurity is futile, three separate occasions in one week brought me right back into the conversation. First, I spoke with a health system CISO who was rightfully concerned over some of their medical devices running obsolete operating systems after hearing of the Not Petya malware. A day later, during a media interview, I was asked point blank, “Are we ever going to do anything about the security of medical devices?” A couple days after that, I came across a presentation of recent research from the Ponemon Institute and Synopsys, aptly titled “Medical Device Security: An Industry Under Attack and Unprepared to Defend.” So after this third medical device insecurity encounter, I decided to talk about it once again.
The research results begin to explain why medical device security is such a massive challenge in the healthcare industry. This research effort went out to not only medical device makers, but also health systems who use them. It also represented the feedback of a broad audience, most importantly including the engineers who make these devices and the IT personnel who deploy them. There were more than 500 total respondents to the survey as well, which demonstrates how many people care about this issue. (Surveys often see a return rate of less than 200.)
What Did the Research Tell Us?
By and large, it told us we have a huge problem with medical devices that have the potential to threaten patient safety as well as data and network security. What’s more, it tells us that we know that, but in many cases chose not to deal with it — in other words, we knowingly ignore the risk.
To understand how we get to that conclusion, let’s take a look at several critical statistics from the study:
- At least one-third of all respondents said they knew their medical devices either had vulnerabilities or were affected by malware.
- Less than two-thirds of health system respondents said their enterprise could detect vulnerabilities in their devices and only one-third had confidence the security of the devices could protect patients and clinicians.
- One-third of respondents said they don’t even test devices to find these issues.
- More than half felt an attack against these devices was likely.
- 30 to 40 percent, depending on who was asked, knew of an adverse event or harm to a patient because of an insecure medical device.
Now for the real kicker: Nearly half were unsure, or knew, that the organization took no steps to mitigate the risk all together. We know the devices are vulnerable; we don’t have confidence that we would detect an attack, but we definitely expect attacks, and we know that these events can cause harm, but we aren’t taking action to mitigate the risk. Before this research, I had not heard of any claims of harm to patients linked directly to insecure medical devices, so this is a striking and very important revelation.
Who Has the Power to Fix the Problem?
The last two points I’d like to highlight from this research deal with how effective government guidance is in addressing this risk, and what it says about the device-makers’ commitment to helping solve the problem. Less than half of all healthcare organizations who responded said they follow or use the FDA guidance to assist them in mitigating the risks affecting their devices. The problem here is that it is just “guidance” at the end of the day and not required.
The second point deals with the device manufacturers and their commitment to mitigating security risks. The research actually lists multiple reasons for security issues with devices, but the top three really tell the story. The top three, in order, include lack of quality control processes, the pressure from “rush” to market, and accidental coding errors. In fact, the rush to market is more likely the number one reason and the other two are byproducts of that revenue-generating causal factor. The point is here is manufacturers are not incented to fix their issues.
So there you have it, another study, from a very credible research organization, summarizing the security problems with medical devices and by extension many IoT platforms. The guidance from the government is ineffective. The manufacturer, who is equally aware of the issues, is unwilling to fix it. Many of the health systems are equally aware and either frustrated or unwilling to address the issue. Where does that leave the patient?
About the Author:
Mac McMillan is President and Chief Strategy Officer of CynergisTek, Inc., a top-ranked information security and privacy consulting firm focused on the healthcare IT industry. He is a member of CHIME’s AEHIS Advisory Board, recognized as a HIMSS Fellow and former Chair of the HIMSS Privacy & Security Policy Task Force. McMillan brings nearly 40 years of combined intelligence, security countermeasures and consulting experience from positions within the government and private sector and has worked in the healthcare industry since his retirement from the federal government in 2000.