Our cyber security columnist, Davey Winder, explains why security conversations surrounding connected medical devices are not over yet. 

I’ve been warning about the Internet of Medical Things (IoT) from the threat-mapping perspective since I first started writing on cybersecurity for Digital Health six years ago.

A lot has changed since 2016 and, sadly, much has stayed the same. On the positive side of the connected-device security landscape fence sits the Product Security and Telecommunications Infrastructure (PSTI) Bill which, as of 23 March 2022, according to the parliamentary bill’s status site remains at the report stage. Assuming this passes into law before the end of the year, this would prohibit the use of factory set weak default passwords for IoT devices. That’s a really good move. Hop to the other side of the fence and you quickly learn that the PSTI Bill is consumer legislation and won’t cover medical devices. OK, let’s try and find some positives in that.

Is existing legislation enough?

At the end of last year, I interviewed David Rogers MBE for a Forbes article about the PSTI Bill. Rogers, as well as being CEO of IoT security outfit Copper Horse, is also chair of the GSM Association (GSMA) Fraud and Security Group and sits on the executive board of the Internet of Things Security Foundation. Most notably, however, he drafted a set of technical requirements that eventually became what is now the UK Code of Practice for Consumer IoT Security. In other words, he’s an IoT security expert of the highest calibre. So, why was he not too concerned about medical devices not being included in the proposed legislation? Rogers spoke to the clear “sectoral differences and already existing regulation,” particularly in the medical sector, which cover safety aspects and “go above and beyond where we are here, and it doesn’t seem to make sense to land grab those spaces”.

Indeed, the Medicines and Medical Devices Act 2021 was granted Royal Assent last year and built upon the Medical Devices Regulations 2002 to “update the regulatory system for medical devices as and when required”, according to the Department of Health and Social Care. Whether this actually does ensure an “effective system for regulating medical devices” remains to be seen. I’m skeptical not least because while the Medicines and Healthcare products Regulatory Agency (MHRA) has oversight when it comes to the safety, quality and performance of medical devices, there’s a world of difference between measuring clinical effectiveness and potential cybersecurity vulnerability. I’m inclined to think that excluding these devices from the PSTI Bill is, actually, regrettable.

Research found 75% of medical IoT devices had known security gaps

We all know how vulnerable medical IoT devices can be. If you want some examples of what happens when they are, look no further (although this particular research was US-based, so admittedly a fair way from home) than a recent study by Unit 42 researchers at Palo Alto Networks of data from 200,000 healthcare network-connected medical infusion pumps, which found:

  • 75% had “known security gaps” leaving them at “heightened risk of being compromised by attackers.” These related to 40 different vulnerabilities and/or “70 other types of known security shortcomings.”
  • 52% were open to two vulnerabilities, with high and critical severity ratings, that were first disclosed in 2019.

“As the NHS urges hospitals to reinforce cybersecurity amid the current international conflict, many in healthcare will remember the devastating effects of the WannaCry ransomware attacks,” says Keiron Holyome, VP UK, Ireland, and Middle East, at BlackBerry.

Poorly protected endpoints are a major red flag when it comes to ransomware, a threat that most certainly has not gone away although efforts by NHS Digital and individual trusts have certainly reduced the risk.

“To prevent attacks, healthcare organisations must ensure that every device is safe, reliable, secure and safety certifiable,” Holyome continues, and that includes “IoT-connected medical devices such as ventilators or robotic surgery arms.”

The problem there being, amongst others, that much of this medical device footprint will be legacy-based and cost issues will prohibit replacement, and patching isn’t even doable for many bits of IoT kit.

Are we shouting loudly enough?

This is a very complex conversation, there’s no doubt about it, and one that NHS Digital is absolutely engaged in. The latest security guidance for healthcare providers when it comes to procuring and deploying connected medical devices (CMDs) includes legacy devices with ‘inadequate’ support.

Top of the list of resources is the Data Security and Protection Toolkit (DSPT). At the end of last year this was updated to include a requirement for up-to-date records of such CMDs. While this doesn’t solve the problem (there are no silver bullets), it does mean the conversation is being had loud and clear at trusts and providers who understand what DSPT compliance really means. Anything that helps focus attention on this particular piece of an overall security posture gets two thumbs up from me. Is it enough? No, no way.

Allow me to finish where I began, straddling that connected-device security landscape fence. The NHS Digital guidance makes it very clear that the guidance is “more applicable to large devices” and this represents a “gap in the guidance currently available.”

The kinds of CMD referred to include low-cost and legacy ones where risk-reduction measures “are not viable”, as well as those devices with “inflexible supporting network architecture.” I have the feeling that both the threats and the conversation will be continuing for some time to come.