In 2019, the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security notified healthcare providers of a substantial security risk in medical devices. Dubbed “URGENT/11,” nearly a dozen zero-day events had been discovered in one of the most widely used operating systems in healthcare. This set off a whirlwind reaction of investigation and subsequent discoveries; the medical industry was shocked to find the extreme level of risk to which it was exposed.
The Problem of Medical Device Cybersecurity
At the very core of the issue, those in the medical community had made a simple assumption. They assumed that the rest of the world operated off one of the most fundamental tenets of medicine: first do no harm. Advanced security for interconnected health equipment wasn’t a substantial concern, because of all the industries hackers might target, they believed medicine would never appear on the list. The FDA doesn’t even conduct premarket testing for medical equipment, assuming that the manufacturer will include any necessary security features.
Unfortunately, this assumption proved to be inaccurate. Ransomware attacks have become more frequent in healthcare settings, where hackers will unlawfully access a system and encrypt data so that system can no longer operate. The network owners must pay to obtain the key that will unlock the ransomware. While this is frightening enough if a hospital’s administrative or billing system is attacked, the thought of patient care devices being compromised is terrifying.
The Challenges of Securing Medical Devices
Medical equipment comprised some of the earliest types of devices on the Internet of Things. Typically designed to accomplish a single purpose and do it with the lowest chance of failure, many medical devices are difficult — if not impossible — to update when vulnerabilities are found. Hospital equipment may only be capable of running the software that was originally installed at the factory.
Because engineers assumed that this equipment would never be targeted, security was not a critical priority at the design stage and is extremely difficult to include post-production. Healthcare equipment is often designed to operate for 10 to 20 years; the most sophisticated security standards of 2010 (or even 2000) are completely outdated today.
The operating environment varies widely. Equipment that is secured behind the most advanced hospital firewall in the world could also commonly appear in small clinics, long-term care facilities, or even living rooms with unsecured Wi-Fi networks. This requires that devices have a fundamental level of security built into them that isn’t dependent on external security.
One of the complicating factors of implementing advanced cybersecurity measures is that most medical devices are incredibly specialized with a dedicated function. Healthcare equipment simply doesn’t operate like a typical PC. While the standards for securing IT networks and medical firmware remain the same at a high level, it’s difficult to imagine how they could be more different when applied to each device.
The Solution to Healthcare Cybersecurity
The medical community is in the midst of not only addressing the immediate need to secure current equipment but also to develop consistent guidelines and standards for all future healthcare devices. The FDA has begun to publish guidance for healthcare security, and these have proven to be beneficial. There is little doubt that the federal agency primarily responsible for overseeing patient safety and standards of care will take a more active role in developing and publishing security policy in the coming years.
Manufacturers have realized that security must be a primary element from the foundational design phase of any device that will connect to the internet. They must have the ability to accept patches that will address future security vulnerabilities, and will likely need to have the capacity to be reimaged with a new software system during their lifecycle.
Hospitals and other care facilities are beginning to recognize that cybersecurity is now a core aspect of patient care, and preventing online viruses is just as critical as fighting biological ones. The healthcare industry must begin implementing information technology best practices that have long been standard procedure with enterprise business networks. These include robust firewalls, multifactor authentication, modern security protocols, and intrusion prevention and detection systems.
Possibly the brightest bit of good news in this situation is that, for the most part, these issues were proactively discovered and are being actively addressed. While we face a long road before we can say that security in medical devices is up to par with cybersecurity best practices, the healthcare industry has made a tremendous amount of progress in a very short time.