©2017 ECRI INSTITUTE
Medical Devices Cybersecurity?Introduction to the Cybersecurity
Landscape in Healthcare
Marc Schlessinger, RRT, MBA, FACHE
Senior Associate
Applied Solutions Group
May 5 & 6, 2017
©2017 ECRI INSTITUTE
Evolution of the Connected Medical Device
Self contained
device per bed
space
Interoperable
therapy/diagnosis system
with data exchange to
various information systems.
©2017 ECRI INSTITUTE
Cybersecurity Landscape in Healthcare
Medical devices are increasingly used with a network connection to enhance
safety and workflow
Documentation
Data transfer
Software updates
Troubleshooting
Calibration
More connected more vulnerabilities
©2017 ECRI INSTITUTE
What is different about healthcare when it
comes to cybersecurity?
100’s of device manufacturers
Long useful life
10+ year old device is not
uncommon
Clinical limitations
Life critical functions
Large attack surface
Patient and visitor access to areas with
sensitive devices
Emergency situations
Device needs to be available right now!
©2017 ECRI INSTITUTE©2017 ECRI INSTITUTE
Medical Device HackingWhat do we know today?
©2017 ECRI INSTITUTE
Medical Device HackingWhat do we know today?
NO EVIDENCE OF PATIENT HARM
Several device vulnerabilities have been identified by security
researchers Hard coded passwords
Remote device access/control
Disruption of device communication to other systems
Modification of some device configurations
How serious are these vulnerabilities?
©2017 ECRI INSTITUTE
Cybersecurity Vulnerabilities of Hospira Symbiq Infusion SystemFDA Safety Communication (July 31, 2015)
Remote ability to control an infusion pump
“We strongly encourage that health care facilities transition to alternative
infusion systems, and discontinue use of these pumps.” - FDA
©2017 ECRI INSTITUTE
What if a device was compromised…
Disabled communication to other information systems
Impact normal workflow
e.g., data does not flow to the patient’s EHR
Disabled the device
Availability of the device to perform its intended function may be limited
Possibly mitigated by a back up unit
As a vector to attack the organization’s network
Compromised wireless network credentials
Compromised enterprise network
©2017 ECRI INSTITUTE
What if a device was compromised…
Alter the intended operation of the device
Change device configuration or settings
Difficult, extended device access required – there are easier ways to hurt
people
Steal PHI
Confidential patient information lost
Loss of trust in the organization
Financial impacts, fines
©2017 ECRI INSTITUTE©2017 ECRI INSTITUTE
Healthcare Facility Action Plan How to Address Cybersecurity?
©2017 ECRI INSTITUTE
Problem of Legacy Devices
Long useful life of a medical device legacy systems
Finding XP as a part of medical equipment is common
Some devices may not have up-to-date security capabilities
Available security patches are likely limited
Document which legacy devices are connected to the network and what
data do they hold -> address the risk accordingly
©2017 ECRI INSTITUTE
Securing Medical DevicesA Significant Resource Drain
Equipment management
Patch management
Staff security training
Vulnerability scanning
Risk management
RFP language to include security features
Device Integration Test Lab
©2017 ECRI INSTITUTE
Equipment ManagementStart with Documentation!
Identify Which devices are connected to the network?
Document Software versions
Network configuration settings
IP Addresses
MAC Addresses
Prioritize Does the device hold PHI?
Life critical functionality – what happens if you cannot use the device?
©2017 ECRI INSTITUTE
Patch ManagementChallenges in Updating Medical Devices
How to ensure that medical devices are up to date with the latest security
patches?
Develop a policy for updating your medical devices
Challenges:
Lagging security patches – at best 2-3 months behind
Often hands on update required
Equipment down time -> impact patient care
Disconnect between FDA and the manufacturer
Security patches do not need a new 510(k)
©2017 ECRI INSTITUTE
Staff Security Training
Ensure appropriate security training is in place
Phishing scams
Identifying suspect emails, do not click on all email links
USBs can spread viruses and cause device
malfunction
ECRI Top 10 Hazard 2015
USB use policy – Block USB use if merited
Passwords do matter!
Promote the importance of strong passwords
Password sharing
□ Passwords do not belong on a post-it-note by the nurses station
BYOD – Bring your own device
Establish a policy on how to deal with BYOD
©2017 ECRI INSTITUTE
Vulnerability Scanning
Standard network tool to identify known vulnerabilities
Commonplace for IT assets
Limited to known vulnerabilities
Medical devices – Can I scan it?
Not always
Network scanning took out a facility’s telemetry system
Scanning for medical devices may be best done during the day shift, so
in case something does go wrong there is sufficient staffing to address
it.
©2017 ECRI INSTITUTE
Risk ManagementWhat to do with my networked medical devices?
Identify existing vulnerabilities
Develop compensating controls to minimize risk
e.g., block commonly used communication ports
Human resources to address network security needs e.g., CISO
Consider the adoption of ANSI/AAMI/IEC 80001-1:2010
©2017 ECRI INSTITUTE
ANSI/AAMI/IEC 80001-1:2010Application of risk management for IT Networks incorporating medical devices
Standard for healthcare facilities
How to implement a risk management system to address
networked devices
Downsides…
Expensive and difficult to implement
©2017 ECRI INSTITUTE
RFP language to include security features
Include language about common security features
Buying a system based on Windows XP with a lot of known vulnerabilities
is not necessarily the best idea
MDS2 – Manufacturer Disclosure Statement for Medical Device
Security Require it!
VA Directive 6550 for Pre-procurement Assessment
©2017 ECRI INSTITUTE
Device Integration Test Lab
Clinical engineering test and validate every patch and update prior to release
Ensure all systems are functioning as intended
Lab would include medical device and test server Expensive!
Some very high end/large hospitals
have this capability.
©2017 ECRI INSTITUTE©2017 ECRI INSTITUTE
Regulatory Issues
©2017 ECRI INSTITUTE
Regulatory PerspectiveFDA and cybersecurity
FDA’s evolving approach to cybersecurity
Cybersecurity is a consideration during new 510(k) submissions
according to FDA officials
Incentivize sharing of vulnerability information
Curb the “silent fixes”
Content of premarket submissions for management of cybersecurity in
medical devices (10/2014)
Guidance for manufacturers on how to address and identify cybersecurity during
design and development
Guidance for preparing premarket submissions
©2017 ECRI INSTITUTE
Regulatory PerspectiveFDA and cybersecurity
FDA’s evolving approach to cybersecurity
Postmarket Management of Cybersecurity in Medical Devices (Draft 01/2016)
Managing postmarket cybersecurity vulnerabilities for medical devices
□ Promote good behavior among manufacturers
How about the already cleared devices that might be vulnerable?
©2017 ECRI INSTITUTE
Why are we doing this?
Ransomware – The New Normal
Most recent public occurrences
MedStar Health (03/2016)
Methodist Hospital (03/2016)
Hollywood Presbyterian (02/2016)
Low Risk High Reward
©2017 ECRI INSTITUTE
Download the ECRI Infographic
Cybercrime: The Healthcare Epidemic of the 21st Century at:
https://www.ecri.org/Pages/cybersecurity-
infographic.aspxhttps://www.ecri.org/Pages/cybersecurity-infographic.aspx
©2017 ECRI INSTITUTE
©2017 ECRI INSTITUTE
Questions?
Marc Schlessinger Senior AssociateApplied Solutions(610) 825-6000 ext. [email protected]
