The influx of networked devices in the clinical environment has opened the door to faster, more effective treatment, equipping clinicians with tools to help them cope with rising patient numbers.
Yet it also exposes the industry to the multitude of threats associated with the digital world. With such a large focus being placed on the clinical functionality of medical equipment, comparatively little has been spent ensuring they are adequately protected.
During the global WannaCry outbreak, ransomware infected at least 1,220 pieces of NHS diagnostic equipment, with more being disconnected to stop it spreading further.
Rusty Carter, vice president of product management at Arxan Technologies, points out that medical devices and critical systems in particular were not originally designed to operate in networked environments, leaving the healthcare community easy prey for cyber-criminals.
“Pacemakers, MRI machines, all these devices – they weren’t built for security, or to defend against the things that are attacking them today,” says Carter.
“They’re really focused on patient care. It’s been about getting those technologies in and making care faster, easier and more user-friendly. There’s a trade-off a lot of the time, where security isn’t considered.”
Carter has been in the software business for 20 years. He “stumbled” into security in November 2000, when he began working as an engineer for Veritas Software prior to its merger with Symantec.
Arxan develops a range of security solutions for enterprises, some of which are designed to prevent applications being reverse-engineered for nefarious purposes.
Reversing an application can allow a hacker to mount an attack against a device. This poses a considerable threat within healthcare, as medical devices generally lack binary protection, the safeguards that stop application code from being tampered with.
In August, the US Food and Drug Administration recalled nearly half a million pacemakers sold by St Jude Medical over fears that the devices’ firmware could be hacked and re-purposed, with potentially deadly consequences for users.
“The bullseye is on the medical community”
While there were no reports of patients being targeted, the story served as a stark warning about the vulnerability of medical devices in our networked age, and underlined the need for tougher regulations around the security of clinical equipment.
“The bulls-eye is squarely on the medical community and clinical devices”, says Carter.
“There are really broad recommendations and not a whole lot of specificity when it comes to security… From a vendor point of view, it’s really important that device manufacturers realise that their targeted user is not the only person that has access to their device. They have to take security into consideration.”
Patient safety is, naturally, the number one concern. Breaches in healthcare can impact individuals in a number of ways, from physical harm to data loss and theft of personal information.
This was demonstrated in October, when hackers broke into London Bridge Plastic Surgery Clinic’s IT system and gained access to photos of patients undergoing breast and genitalia enhancement procedures.
The knock-on effects go beyond the individual patient though, and Carter points out that a single bad event for one vendor can harm the entire industry.
“In the longer term, the rapid innovation around the clinical applications around consumer devices will suffer. If devices are attacked and large-scale data loss or impact to human life occurs, the trust will be gone.
“The advancement in these technologies has done so much to improve human life, and so from a societal standpoint and humankind standpoint, it would slow adoption because of a lack of trust in those devices.”
Security by design
Carter says the industry can continue to innovate safely by putting cybersecurity at the forefront. “From a device manufacturer standpoint, they really need to start building security by design. This needs to be a part of their routine.”
For hospitals and other clinical environments, Carter recommends a stricter vetting process for vendors.
“There is a requirement to develop stricter guidelines about what devices they allow into the clinical environment. It can be as simple as asking questions. For example: what safeguards are you taking to protect your devices? How closely do you monitor them to ensure that, if a breach or vulnerability is discovered, it’s remedied quickly?
“Challenge the manufacturers and the technologies that you’re bringing in to prove security, in addition to proving the clinical effectiveness.”
NHS Digital recently announced a £20m investment that will see it enlist the help of an outside firm to support its cyber-defences.
Carter suggests similar “white hat” schemes should be used by vendors to identify weaknesses in their devices, and patch them before they can be exploited.
He also highlights the success of bug bounty programmes used by the likes of Google, Facebook and Microsoft, in which individuals are rewarded for reporting software bugs.
However, Carter points out that stricter rules governing the use of medical devices – particularly when it comes to reverse-engineering them – could prove an obstacle.
“It’s going to take a lot of work, and a lot of expertise that companies need to bring in order to protect their patients, their customers and ultimately, their reputation. Because if consumers and clinicians don’t trust the new generation of devices they’ll reject them, and it’ll be both the patients and the companies that suffer.”
· 67% of manufacturers and 56% of healthcare providers believe an attack on a device is likely to occur within 12 months
· 17% of manufacturers and 15% of healthcare operators are taking steps to prevent attacks
· 80% of device makers and healthcare operators said medical devices are very difficult to secure
· Only 9% of manufacturers and 5% of healthcare operators test medical devices at least once a year
· 41% of healthcare operators believe they are responsible for the security of medical devices