Murder by Health Hack
Medical device manufacturers, regulators, and privacy advocates must do more to counter security flaws that endanger patients.
On August 29, 2017, the US Food and Drug Administration (FDA) issued a recall for nearly half a million pacemakers made by Abbott in the United States. The agency found that the devices could be hacked to alter pacing or to deplete their batteries, with potentially fatal consequences. All patients whose lives depend on one of the affected pacemaker models, approximately 745,000 persons worldwide, now have to visit their doctors to receive a firmware update that patches the security flaws.
Regular patching of cyber security vulnerabilities, a practice most people know only from their desktop IT systems, is on the way to becoming a common procedure in health care. Modern medical devices are equipped with increasing computational power and wireless connectivity, which can make healthcare delivery safer, more efficient, and more timely. Yet these technologies also expose the devices to the same network and information security (i.e., cyber security) threats as other IT systems. Managing these risks requires extending existing governance mechanisms, including regulation, standards, and industry best practices, to encompass cyber security.
Problems and warnings go unheeded
For over a decade, researchers have been warning that the level of cyber security in safety-critical devices is alarmingly low; the Abbott pacemaker recall is just the latest in a series of incidents. While no one is known to date to have caused a death by hacking into a pacemaker or insulin pump, several researchers have demonstrated that it is possible. In 2008, a team of researchers first demonstrated attacks against implantable cardiac defibrillators. With the help of a commercially available device programmer, the team was able to extract a patient's private data and reprogram the device so that it would no longer deliver its therapy.
Since then, several researchers have demonstrated different ways of hacking pacemakers and insulin pumps. In May 2017, researchers from the security firm WhiteScope found a total of 8,665 known, unpatched vulnerabilities in third-party software libraries used across four pacemaker programmers from four different manufacturers. This is a failure of enormous proportions.
Not only implantable devices but also stationary hospital devices are vulnerable to hacking. A 2014 report by the SANS Institute concluded that 94 percent of healthcare organizations had been the victim of a cyber attack, including attacks against medical devices and infrastructure. Other reports have shown how vulnerable medical devices served as conduits for attackers to reach hospital networks. The "WannaCry" ransomware worm, which compromised the networks of many global corporations in May 2017, also affected medical devices in hospitals and prompted the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and several medical device vendors to issue security alerts about vulnerable devices.
These examples and others show that cyber security risks in health care are systemic. Many medical devices lack even basic security features, and the resulting risks are externalized. Unfortunately, the parties most affected by the risk – the patients themselves – can do little to improve the security of the devices that their own health depends on.
Oversight and standards lag behind
The ultimate responsibility for the mitigation of such risks lies with device manufacturers and suppliers. Yet while device makers are aware of the risk, only a few seem to act. According to a 2017 study by the Ponemon Institute, a data protection research firm, 67 percent of device makers surveyed believe an attack on one or more medical devices they have built is likely, but only 5 percent conduct annual cyber security tests of released devices.
With the private sector slow to deal with the problem, regulation is becoming crucial for establishing an overarching legal framework and security requirements for manufacturers. In addition, standards and technical guidelines devised by international standardization bodies can provide guidance for the fulfillment of those requirements.
So far, regulation and standards for medical device safety and performance have not kept pace with digital innovation. While medical devices are highly regulated for safety and performance in most countries, those rules insufficiently address cyber security. Hence, regulators and standardization bodies need to update and extend existing frameworks beyond safety requirements to security.
Political bodies in the US and more recently in Europe have started to take action, but much remains to be done. So far, the FDA has assumed a leading role in this field. It has issued two sets of guidelines for cyber security in medical devices, a pre-market guidance in October 2014 and a post-market guidance in December 2016. They are intended to support manufacturers in fulfilling the requirements of the pre-market approval and post-market monitoring processes with respect to cyber security risks throughout a product’s entire lifecycle.
However, implementation remains poor. The aforementioned Ponemon Institute study found that only 51 percent of surveyed device makers follow the FDA's guidance for mitigating or reducing inherent security risks in medical devices, and only 44 percent of health organizations follow it. The FDA's enforcement mechanisms, such as recalls and safety notices, together with liability for device failure and reputational damage, should raise the cost of bad security for manufacturers.
The European Union (EU) and national oversight bodies in Europe have offered little guidance as to what medical IT cyber security practices and mechanisms should look like, raising the specter of an uneven regulatory patchwork across the continent. Currently, the conformity of moderate- to high-risk medical devices with safety and performance requirements is evaluated by certification bodies ("notified bodies") and overseen by national authorities. Devices that conform to the requirements obtain the CE marking and can be marketed in the entire EU. In May 2017, the EU's new Medical Device Regulation (MDR) entered into force; for the first time, it specifically requires manufacturers to develop devices in accordance with "state of the art" IT security requirements. But the regulation offers little guidance as to what practices and mechanisms manufacturers should follow. That is a problem because standards that combine or complement the established criteria for the functional safety of medical devices with appropriate IT security requirements do not yet exist, so there is no established definition of what "state of the art" means for the IT security of medical devices. Manufacturers and the certification bodies that evaluate devices for their safety are therefore left to define their own medical IT security certification and evaluation frameworks. This creates a risk that cyber security standards in health care will fragment across Europe and even within EU member states.
Testing, certification, and reporting needed
Public authorities, manufacturers, and certification bodies should develop common European baseline IT security criteria as a component of the medical device certification process. The European Commission has recently proposed an EU-wide cyber security certification framework that could serve as a basis for the certification of security properties of medical products and processes. Within the framework, medical-device-specific schemes and security requirements could serve as a basis for evaluation, testing, and certification of cyber security along with other medical system requirements. Such schemes should be harmonized with other international standards as much as possible with the goal of creating internationally applicable schemes that also lower device vendors’ transaction costs.
Other guidance can be derived from international standards for the secure design and development of software components, from the FDA guidelines, and from existing guidelines on Industrial Control Systems (ICS) security. ICS share key properties with medical devices: both are cyber-physical systems in which embedded computers control the interaction of physical devices with their environment. The measures used to secure embedded computer systems in ICS are therefore equally applicable in the healthcare context. Examples of guidance documents include the IEC 62443 standard series on industrial network and system security (parts of which are still in draft), the US National Institute of Standards and Technology's (NIST) Guide to ICS Security (SP 800-82), and the proposed European cyber security certification framework for industrial automated control system components.
In addition, oversight agencies should make information about IT security risks and incidents in medical devices publicly available. At present, national authorities need to submit information about safety incidents to the European Database on Medical Devices (EUDAMED), which is only accessible by EU institutions and national authorities. Per the MDR, most information submitted to EUDAMED will be public in the future.
Most importantly, medical device security should not be an afterthought but should be designed into the devices from the start. The design of medical devices should follow proven secure development lifecycle standards and secure supply chain management practices. All off-the-shelf hardware and software integrated into devices should be trustworthy and provide a high level of technological assurance. Connectivity should be reduced to a minimum, and safety-critical system components should be isolated from other, potentially vulnerable components within the device.
Moreover, manufacturers should operate a vulnerability reporting program through which they collaborate with third parties who discover software security flaws, and they should operate an effective and usable patch management system. Once a vulnerability is known, devices need to receive timely security updates. Since updates themselves carry risk if they interact with the use environment in an unforeseen way or render systems unavailable, they should be tested in representative use environments before being deployed. Device makers also need to implement secure channels for the delivery of updates so that an update cannot be manipulated in transit, and so that a device accepts only updates that genuinely come from its manufacturer.
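To make the last requirement concrete, the following is an added example written for this page; it is not code from any device vendor, from the FDA guidance, or from the standards mentioned above. It shows the check a device or its programmer should perform before installing an update: verify a digital signature over the entire image with the manufacturer's public key that was provisioned at manufacture, parse nothing from the image until that signature checks, and refuse any image whose version is not newer than the one already installed (so that a validly signed but vulnerable older image cannot be pushed back onto the device). The image layout, the version field, the "MDEV" magic string and the sample payload are assumptions made for the example; the signature scheme is Ed25519 from the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image layout assumed for this example (not a real vendor format):
//   "MDEV" | version (uint32, big-endian) | payload length (uint32, big-endian) | payload | Ed25519 signature (64 bytes)
// The signature covers every byte before it, so the version field cannot be altered either.
const (
	magic  = "MDEV"
	hdrLen = len(magic) + 4 + 4
	sigLen = ed25519.SignatureSize
)

var (
	ErrBadFormat    = errors.New("update: malformed image")
	ErrBadSignature = errors.New("update: signature verification failed")
	ErrRollback     = errors.New("update: version is not newer than the installed one")
)

// BuildUpdate runs in the manufacturer's release pipeline, the only place the private key lives.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyUpdate runs on the device or its programmer, which holds only the public key.
// It authenticates the image before parsing any field from it and rejects downgrades.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, image []byte) (version uint32, payload []byte, err error) {
	if len(image) < hdrLen+sigLen {
		return 0, nil, ErrBadFormat
	}
	body, sig := image[:len(image)-sigLen], image[len(image)-sigLen:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrBadSignature // nothing in the image is trusted until this passes
	}
	if string(body[:len(magic)]) != magic {
		return 0, nil, ErrBadFormat
	}
	version = binary.BigEndian.Uint32(body[4:8]) // fields follow the 4-byte magic
	n := binary.BigEndian.Uint32(body[8:12])
	if uint64(len(body)) != uint64(hdrLen)+uint64(n) {
		return 0, nil, ErrBadFormat
	}
	if version <= installed {
		return 0, nil, ErrRollback // anti-rollback: old signed images stay rejected
	}
	return version, body[hdrLen:], nil
}

// tamper returns a copy of image with one byte flipped, simulating modification in transit.
func tamper(image []byte, i int) []byte {
	t := append([]byte(nil), image...)
	t[i] ^= 0xff
	return t
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair; only pub is provisioned to devices
	if err != nil {
		panic(err)
	}
	img := BuildUpdate(priv, 2, []byte("constructed firmware payload v2"))
	cases := []struct {
		name      string
		installed uint32
		img       []byte
	}{
		{"genuine v2 applied over v1", 1, img},
		{"payload modified in transit", 1, tamper(img, hdrLen)},
		{"signature modified in transit", 1, tamper(img, len(img)-1)},
		{"v2 replayed onto a device already at v2", 2, img},
	}
	for _, c := range cases {
		v, p, err := VerifyUpdate(pub, c.installed, c.img)
		fmt.Printf("%-42s version=%d payload=%d bytes err=%v\n", c.name, v, len(p), err)
	}
}
```

Two design choices matter here. The device never holds the signing key, so compromising a device or a programmer yields nothing that lets an attacker sign new images; the private key belongs in the vendor's release pipeline, ideally in a hardware security module. And the version check is performed on the authenticated header, not on metadata sent alongside the image, because anything outside the signature can be rewritten by whoever controls the delivery channel. A production scheme would add a way to rotate the vendor key and an authenticated transport, but neither replaces the per-image signature shown here.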
All stakeholders – device makers, health organizations, and certification bodies – should engage in information sharing about vulnerabilities and threats with Computer Emergency Response Teams (CERTs), information sharing and analysis centers, and other potentially affected third parties.
Apart from medical device regulation, regulatory frameworks for critical infrastructure security and data protection play important roles for cyber security in health care. The European Network and Information Security (NIS) Directive, which EU member states have to transpose into national law by May 2018, requires operators of essential services, including hospitals, to implement minimum IT security measures and to notify authorities of security incidents. The EU General Data Protection Regulation (GDPR), which applies directly in all member states from May 2018, will also apply to software and medical device vendors as well as to health organizations, and it makes data protection by design and by default mandatory.
In the long term, medical devices will be part of a ubiquitously interconnected clinical care process in which data are continually exchanged and processed with the aim of making health care more effective and efficient. Technological innovation in health care offers not only great health benefits but also economic opportunities: according to a study by the consultancy Roland Berger, the digital healthcare market is set to grow at an average annual rate of 21 percent until 2020. These developments will rely on the dependability of communication and computing systems, whose foundations should be laid before it is too late.