Medical Device Security: A Higher ProfileWhite House Official Highlights Issue; Investigation Under Way
White House Cybersecurity Coordinator Michael Daniel says medical device manufacturers need to do a better job of baking cybersecurity into the development of their products, just as manufacturers in other industries consider potential safety concerns in their designs.
"I think it goes back to some of the root design of just making cybersecurity one of the design features included in any [medical] device or product, the same way we have incorporated electrical security into all of our appliances," Daniel said at an Oct. 22 Food and Drug Administration workshop. "We have worked very hard at baking that safety feature into the system. ... I think we're going to have to apply a lot of the same principles we have learned in the safety area into the cybersecurity area."
Meanwhile, the Department of Homeland Security confirmed to Information Security Media Group the accuracy of a Reuters report that it's investigating two dozen cases of suspected cybersecurity flaws in medical devices and hospital equipment that officials fear could be exploited by hackers. However, the department "will not confirm any specific types of devices, equipment or manufacturers ... [nor] comment on status of cases," a DHS spokesperson said.
Cybersecurity experts speaking at the FDA medical device cybersecurity workshop voiced concern that it's only a matter of time before a patient is killed or injured due to a targeted cyber-attack against a medical device - or even as the result of an unintentional cyber vulnerability (see Medical Devices Hacks: The Dangers).
The FDA earlier this month issued final guidance calling for manufacturers to consider cybersecurity risks as part of the design and development of medical devices (see FDA Issues Medical Device Security Guide).
The Obama administration is urging organizations that support the nation's critical infrastructure, including those in the healthcare sector, to adapt the National Institute of Standards and Technology's cybersecurity framework to meet their needs, Daniel said.
"One of the questions that we have been pursuing with NIST as we have looked at the framework is how do you start to have some industry-specific examples of the framework? How could we work with the healthcare industry to develop a healthcare overlay to the framework that would be specific for the healthcare industry and help point healthcare organizations in some specific directions that are, if not unique, at least very relevant?"
The National Health Information Sharing and Analysis Center and the FDA are spearheading efforts to adapt the NIST framework to better meet industry stakeholders needs related to the cybersecurity of medical devices, said NH-ISAC Executive Director Deborah Kobza. That effort will include roundtable discussions and workshops around the country in the coming months, she said.
In a recent interview with ISMG, Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society, called on NIST to make available "more usable and prescriptive guidance" for how the healthcare sector can implement the cybersecurity framework.
Information Sharing Hurdles
While improved cyberthreat information sharing among healthcare sector stakeholders could help bolster cybersecurity of medical devices, many obstacles need to be overcome first, FDA workshop participants pointed out.
For an assortment of reasons, ranging from a legal worries and insufficient resources to a lack of a common communication vehicle, medical device makers as well as healthcare organizations are often hesitant to share information about the cybersecurity vulnerabilities and threats they encounter with products.
Rick Hampton, wireless communications manager at Partners HealthCare System in Boston, acknowledged that he and other biomedical engineers regularly find issues with medical devices, including security-related problems.
However, unlike white hat hackers who'll often release public reports when they discover cybersecurity issues in medical devices, Hampton said that he and other hospital engineers on the frontlines instead usually work directly with the vendors to quietly find a solution, rather than sound a public alarm. That's because these engineers face so many other pressing issues.
In addressing the white hat hackers who discover vulnerabilities in medical devices, Hampton added, "In one of my hospitals, I deal with 400 different device manufacturers with 4,000 different makes and models of devices. You found a problem with the device? You know what? I have known about all of those problems for decades. Why have they not risen to the top of my list? Remember, every problem is important but some problems are more important."
When white hat hackers or cybersecurity researchers contact medical device makers about vulnerabilities they've discovered, some manufacturers admit that one of the first things they do is call up their legal teams. "When there's a call from a researcher ... there is panic mode. Lawyers get pulled in," said Elizabeth George, vice president of global regulations and standards at Philips Healthcare.
Even when there is cybersecurity information that's shared, whether it's alerts from NH-ISAC or other cyber-intelligence sources, healthcare organizations often have a difficult time deciphering what the new vulnerability, risk or threat means to them and face challenges coming up with the resources and a strategy to mitigate the issues.
"Many small and medium-sized healthcare providers are just trying to keep their heads above water," and need basic help in understanding cybersecurity risks and how to address them, HIMSS' Kim said.
Some workshop participants urged the development of common tools to assess cybersecurity risks and to efficiently communicate information about vulnerabilities and threats.
"We can create a mechanism where we can share honorable information," suggested Steven Abrahamson, an executive at GE Healthcare.
Some attendees also suggested that the FDA should collect from medical device makers a list of key components, including operating systems software, that are used in their products so that there is a central repository to help identify devices that could potentially be affected by newly discovered vulnerabilities.
However, that suggestion was shot down by other speakers. We "don't want to be in a country where the government knows every component of every device," said Carlos Kizzee, deputy director in the office of cybersecurity and intelligence of the Department of Homeland Security. "We need an ecosystem where there are voluntary incentives to be participants [in information sharing]."
When it comes to healthcare providers, there's also still a lot of uncertainty about the kinds of cybersecurity-related information that should be shared, said Chantal Worzala, director of policy at the American Hospital Association. "People don't know what's appropriate to share."