While ransomware is still the most significant healthcare security risk, medical device hacking is a steadily growing concern. Last week, the Department of Homeland Security issued a detailed warning about vulnerabilities in Medfusion’s Syringe Infusion Pump.
Today in Boston, at the HIMSS Media Healthcare Security Forum, speakers described the many problems inherent in defending older legacy medical devices against new security threats.
Speaking at the forum, Jeff Livingstone, vice president at Unisys Enterprise Solutions, said, “In the medical device area, many of the devices, half if not more, are what we would consider legacy.” He further stated, “It takes about 5 to 7 years or so for class 1 or class 2 devices to go from concept to market. It can take another year to clear FDA guidance. So there’s a substantial delay between when protections are built in and when they make it to market.”
Too often within hospitals, the focus is on building protections into new devices. Instead, they should be making sure that the old devices currently implanted in patients are safe.
On this point, Bruce James, director of security architecture and engineering at Intermountain Healthcare, said, “In my mind, right now, implantable devices are in a very precarious position. We had a situation where we had executives who inquired about the security of devices and what their status is. So when we talked with our medical group, one person told us ‘Don’t worry, we’ve got this handled, all the devices are patched.’ It ends up when we got into the conversation a little bit, what they’re talking about is ‘All the devices in their supply chain warehouse that are ready to implant are fine.’ It’s not even in their purview to think about the devices that are already implanted in patients.”
According to Heather Roszkowski, network chief information security officer at The University of Vermont Health Network, older devices are often at risk, since many of them weren’t even designed to be connected devices.
“The risks associated with using the devices have been transferred to the organization using them, for the most part. There are any number of reasons why these devices have become connected over the years,” she said. “So it is the responsibility of healthcare organizations to do it securely. If you can’t use an antivirus solution or you can’t do logging on them, you have to look at ‘How can I remove them from our production environment or firewall them off?’ There are a lot of ways we’re being forced to alleviate the risks associated with these devices until some better security tools can be put in place on them, if that’s even possible. I appreciate the fact that the new devices have more security, but I still think there’s a cultural change that needs to happen.”
Ryan Witt, managing director for healthcare industry practice at Proofpoint, suggested that the industry should put pressure on device manufacturing companies to address the problem. In the meantime, healthcare providers should embrace robust security as a selling point for their system.
Witt said, “The most effective hospitals use security as a competitive advantage. They recognize that over time they’re moving from brick and mortar care to home-based care and they use security to convey that ability. They say ‘I’m going to safeguard this patient-doctor experience remotely’. And how do you do that without a robust security architecture?”
Healthcare providers can often upgrade their old devices to make them safer. If they can’t, as Roszkowski said, they have to find ways to separate the devices from the network or hide them. As for newer devices, the best thing a hospital can do is to conduct a lot of inspection, but even that isn’t always enough.
“One of the things we’ve tried to do is we have a process for onboarding new devices or software or hardware in our environment,” she said. “We’ve rejected medical devices a number of times because of security concerns and we’ve gone to other vendors. It’s pretty sad when you’ve reviewed three vendors in the same space and the briefing you get is ‘This is the best of the worst. The other two are much worse than this.’ And that’s not a conversation you want to be having when you’re talking about a medical device for your patients.”
