Top 6 Challenges in Tackling Cybersecurity of Medical Devices in Hospitals

March 13, 2018

Cybersecurity teams at hospitals have a lot on their plates. Not only do they have to worry about the traditional cybersecurity challenge of maintaining an enterprise network and traditional corporate software, they also face the growing challenge of an increasing number of connected medical devices attached to their networks. As an example, the Mayo Clinic, based in Rochester, Minn., has about 25,000 network-connected medical devices, comprising 6,000 unique makes and models.

There are six primary challenges unique to most healthcare facilities when trying to maintain the cybersecurity of these connected medical devices.   

 1. Asset Identification

The first challenge, figuring out what medical devices are on a hospital’s network, is more difficult than it would seem. The big question is how hospitals identify which of the systems on their networks are medical devices. For example, how do they differentiate between the Windows box a nurse uses to check email and a Windows-based drug dispensing cart? One approach is the manual route: physically locating every connected medical device in the hospital, assigning it a unique asset number, and then associating that with something unique, such as its MAC address. This can be a long process, and it’s difficult for hospital cybersecurity teams to ever know if they’ve reached full coverage, since medical devices are often mobile and can be hard to track down. The second approach is using tools specifically built for medical device network identification, such as MedScan, by MedSec.
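One way to check coverage of the manual route is to reconcile the asset sheet against MAC addresses the network has actually seen. The following is an added example, not part of the original article or any MedSec tool; the asset numbers, addresses and the `reconcile` helper are constructed for illustration, and the observed list is assumed to come from DHCP leases or ARP tables.

```python
import re

def normalize_mac(raw):
    """Return 12 lowercase hex digits for any common MAC notation, else None."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

# Constructed sample data (not from any real network).
INVENTORY = [  # (asset number, MAC as written during the walk-through, description)
    ("MD-0001", "00:1A:2B:3C:4D:5E", "infusion pump"),
    ("MD-0002", "00-1a-2b-3c-4d-5f", "drug dispensing cart"),
    ("MD-0003", "001a.2b3c.4d60", "patient monitor"),
    ("MD-0004", "00:1A:2B:3C:4D", "ventilator"),  # transcription error: one octet short
]
OBSERVED = [  # (MAC, IP) as recorded by DHCP leases or ARP tables
    ("001A.2B3C.4D5E", "10.20.0.11"),
    ("00:1a:2b:3c:4d:5f", "10.20.0.12"),
    ("00:1A:2B:99:99:01", "10.20.0.40"),
]

def reconcile(inventory, observed):
    """Compare the asset sheet with what the network saw and report the gaps."""
    inv, bad = {}, []
    for asset, mac, _desc in inventory:
        key = normalize_mac(mac)
        if key is None:
            bad.append(asset)       # cannot be matched until the sheet is corrected
        else:
            inv[key] = asset
    seen = {}
    for mac, ip in observed:
        key = normalize_mac(mac)
        if key:
            seen[key] = ip
    return {
        "tracked": {inv[m]: seen[m] for m in inv if m in seen},
        "not_seen": sorted(a for m, a in inv.items() if m not in seen),
        "unknown_on_network": sorted(m for m in seen if m not in inv),
        "bad_inventory_mac": bad,
    }

if __name__ == "__main__":
    for name, value in reconcile(INVENTORY, OBSERVED).items():
        print(name, value)
```

Entries under `unknown_on_network` still need the manual question answered: medical device or ordinary workstation. Entries under `not_seen` are typically mobile or powered-off devices that need another look.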

 2. Software Maintenance and Updates

Once medical devices have been identified on a hospital’s network, their software requires maintenance in the form of updates. But how does a hospital’s IT staff know if a medical device’s software is out of date? Some systems are capable of alerting a user, but if nurses see such a prompt about an update, there is no guarantee they will tell the IT team. For systems that can’t provide alerts, the IT team needs to know if it will receive notifications from the manufacturer, or if it is required to periodically check the manufacturer's website. If healthcare and/or IT staff are made aware of updates, there needs to be a documented process for how they get applied to these devices. Will it be done over the air? Via USB stick? Does a technician need to come out from the manufacturer? When going through the asset identification exercise, it can be beneficial to simultaneously determine the answers to each of these questions. Recall that the Mayo Clinic has 6,000 unique makes and models of connected medical devices on its network. Most likely, there will be little uniformity in the answers regarding software updates, creating the need for a small team to maintain the software.

 3. Asset Communications

Any organization with a strong security posture wants to understand what information is being sent around its network, what information is leaving its network, and who is sending it. With medical devices, this is even more vital because of the sensitive patient data they may share. While typical network traffic monitoring tools can help, many medical devices use specific protocols such as DICOM, HL7, and ASTM, which traditional network monitoring tools do not know how to inspect. This is again where medical device-specific tools such as MedScan are powerful, because they support medical-specific protocols.
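To show what protocol awareness adds over a generic monitor, the following added example (not from the original article and not MedScan's code) summarizes one HL7 v2 message taken from a TCP payload: who sent it, to whom, what type it is, and whether it carries patient-identifying segments. The sample message, the `summarize_hl7` helper and the choice of segments treated as patient-identifying are assumptions made for illustration.

```python
MLLP_START, MLLP_END = b"\x0b", b"\x1c\r"   # MLLP framing bytes around an HL7 v2 message

# Constructed sample: one MLLP-framed HL7 v2 message as it would sit in a TCP payload.
SAMPLE = (
    b"\x0b"
    b"MSH|^~\\&|PUMP_GW|WARD4|EHR|MAINHOSP|20180313101500||ORU^R01|MSG0001|P|2.5\r"
    b"PID|1||000123^^^MAINHOSP^MR||DOE^JANE||19700101|F\r"
    b"OBX|1|NM|RATE^Infusion rate||125|mL/h\r"
    b"\x1c\r"
)

# Assumption for this example: segments treated as carrying patient, next-of-kin,
# insurance or guarantor identifiers.
PHI_SEGMENTS = {"PID", "NK1", "IN1", "GT1"}

def summarize_hl7(payload):
    """Return routing metadata for an HL7 v2 payload, or None if it is not HL7 v2."""
    if payload.startswith(MLLP_START):
        payload = payload[1:]
    if payload.endswith(MLLP_END):
        payload = payload[:-2]
    text = payload.decode("latin-1")
    if not text.startswith("MSH") or len(text) < 8:
        return None
    sep = text[3]                    # MSH-1: the field separator declares itself
    segments = [s.split(sep) for s in text.split("\r") if s]
    msh = segments[0]

    def msh_field(n):
        # MSH-1 is the separator, so MSH-n sits at split index n-1.
        return msh[n - 1] if n - 1 < len(msh) else ""

    names = [seg[0] for seg in segments]
    return {
        "sender": f"{msh_field(3)}@{msh_field(4)}",      # sending application@facility
        "receiver": f"{msh_field(5)}@{msh_field(6)}",    # receiving application@facility
        "message_type": msh_field(9),
        "segments": names,
        "phi_segments": sorted(set(names) & PHI_SEGMENTS),
    }

if __name__ == "__main__":
    print(summarize_hl7(SAMPLE))
```

The summary deliberately records only which segments are present, not their contents, so the monitoring output does not itself become a store of patient data.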

 4. Configuring for Security

“Secure by default” is the notion that a system will come with the supported security features already enabled. While this is a great idea in theory, most systems come in a “usable by default” configuration instead, with the easiest-to-set-up modes enabled. Usability almost always has an inverse security tradeoff: If it’s easy to set up, it likely has its security features turned off. Many network-enabled medical devices support advanced security features, such as encryption, configurable session timeouts, or advanced wireless authentication modes such as WPA2 Enterprise with unique certificates per device. However, using the advanced security features, such as WPA2 Enterprise, requires a deliberate, non-trivial effort to deploy and configure. Healthcare facilities need to determine what security features a medical device supports, and then decide if enabling them is worth the tradeoffs.

 5. Default Credentials

Most connected medical devices are complex systems running different applications and hosting several different levels of credentials and authentication. Devices are typically shipped with default credentials for all of the possible authentications, and these are often published in user manuals that are easily found online. Changing all possible default credentials on a system can greatly raise the cybersecurity posture of the system, but it can be difficult to determine what credentials exist and which can be changed. There are the more obvious logins, such as the main user login, but many devices also support behind-the-curtains services such as Telnet, FTP, or SSH, used for network communication and maintenance, which also leverage default credentials. Given the network-facing nature of these services, addressing their credentials is often more urgent than addressing the physical access logins. Often these behind-the-scenes credentials and services are not documented clearly in the manuals, or if they are, it is unclear whether changing the credentials will have an adverse effect on the system. Contacting the manufacturer for guidance, or reaching out to others who have already climbed this mountain, through healthcare information sharing and analysis organizations (ISAOs) such as NH-ISAC, are the best ways of tackling this challenge.

 6. Fragility to Traditional Network Scanning

Network port and vulnerability scanning is a common and recommended best practice for assessing the security posture of any organization’s networked systems. However, when it comes to medical devices, most connected devices were not designed or tested to handle such network traffic. This can often leave them in an unexpected and undesirable state. Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, recently stated in an Ars Technica article that medical devices "have such interoperability issues—forget security issues—that they're so brittle, most hospitals will say that, even if you just do a port scan, you'll crash them—you don't even need to hack them." Because of this, hospitals need to take extra precautions to exclude connected medical devices from their traditional network scans, for fear of putting the systems in an unsafe state, and should look into ‘light touch’ and passive scanners that were designed to work with sensitive systems such as these devices.

Conclusion

There are few healthcare delivery organizations that are not wrestling with at least several of these challenges. Setting clear priorities, assigning resources, and determining the status of each of these areas are the first steps to building a roadmap for addressing and maintaining the cybersecurity of connected medical devices, so healthcare delivery organizations can continue to deliver exceptional patient care in a safe and secure manner.

About the Author: Stephanie Domas is Vice President of Research at MedSec (www.medsec.com), where she leads the development of services and products aimed toward addressing cybersecurity of medical devices in healthcare. She partners with medical device manufacturers and healthcare delivery organizations, and is a member of several medical device cybersecurity standard working groups, contributing to security guidance and standards for medical devices, a registered professional engineer (PE), and a certified ethical hacker (CEH).