Threat Intelligence
5/25/2017
11:30 AM
50%
50%

Medical Devices Fall Short in Security Best Practices

More than half of medical device makers and healthcare delivery organizations anticipate an attack on their medical devices within the next 12 months, but only a smattering take significant steps to prevent it, according to a survey released today.

Over the next 12 months, 67% of medical device makers expect an attack on their devices, but only 17% of these companies are taking significant steps to prevent it, according to a Ponemon Institute study released today by Synopsys.

The study, Medical Device Security: An industry Under Attack and Unprepared to Defend, also found similar results for the healthcare delivery organization (HDO) industry, with 56% of survey respondents anticipating an attack on their devices within the next 12 months and 15% taking significant measures to mitigate it.

Part of the reason may rest with the survey results that show only one-third of the 550 North American medical device makers and HDO organizations were aware of potential adverse effects on patients due to insecure medical devices. But Mike Ahmadi, global director for critical systems security for Synopsys' Software Integrity Group, said a company's action (or inaction) to mitigate attacks often comes down budget.

"When you look at preventing attacks, it doesn't make patient care any better. It's only looked at as a cost," he says.

Hurdles in Building Secure Medical Devices

According to the survey, 80% of respondents characterized medical device security as difficult to achieve. The top three challenges they cited included a lack of knowledge and training in building secure code, accidental coding errors, and pressure to meet production deadlines, the survey found.

But Ahmadi noted production deadlines are by far the biggest reason why companies don't put into place secure coding practices.

"Everything comes down to money," Ahmadi says. "We have come to people and told them we found a problem in their code and they say they can't fix it because they are too far along in the development process."

The stakes are high in the healthcare field, where it can take anywhere from 18 months to three years and beyond to get Food and Drug Administration (FDA) approval for a medical device, while in the meantime it's costing thousands, upon thousands of dollars to keep operating during the approval process, Ahmadi says.

This pushback is nothing new for the security industry, which has endured similar tensions with other industries when software development teams are told to rework the code because of security flaws found in the software.

Trifecta Impact on Medical Device Security

Lax security testing, a lack of accountability and the FDA's cybersecurity guidance versus mandatory requirements have been detrimental to establishing strong cybersecurity on medical devices, according to the report.

According to the survey, 43% of medical device manufacturers and 53% of HDOs do not conduct cybersecurity testing on their medical devices. Meanwhile, only 9% of device makers and 5% of HDOs conduct medical device testing at least once a year.

And cybersecurity accountability at medical device makers and HDOs can sometimes be a mystery. It turns out that nearly one-third of survey respondents for both medical device makers and HDOs had no single person or job function that was primarily responsible for cybersecurity for the devices.

Lastly, only 51% of medical device makers and 44% of HDOs adhered to the voluntary FDA guidelines designed to mitigate cybersecurity risks in medical devices, according to the survey.

FDA Fact or Fiction?

Over the years, Ahmadi complained that the FDA has loosened regulations and guidelines on medical devices to where, in the case of Medical Device Data Systems (MDDS) these devices have morphed from a Class III device with high risk to a Class 1, low-risk, in February 2011, according to FDA documents. And in February 2015, according to FDA documents, the agency deregulated Class 1 MDDS devices to a classification as unregulated.

There are no cybersecurity laws for these devices and only voluntary guidelines, he noted. He added there is talk outside of the FDA to try to the voluntary guidelines into mandatory requirements.

In the last week of December, the FDA issued guidelines for handling cybersecurity monitoring on post-market medical devices. The voluntary guidelines were issued a couple weeks prior to the FDA's announcement in the controversial case involving St. Jude Medical's pacemaker devices and allegations by hedge fund Muddy Waters Capital and security researcher MedSec that vulnerabilities in St. Jude's pacemakers could potentially put patients at risk. In early January, the FDA confirmed the St. Jude vulnerabilities, putting out a notice to the public.

The FDA, however, contends it has regulations in place that address cybersecurity.

"Medical device manufacturers must comply with federal regulations. Part of those regulations, called quality system regulations (QSRs), require that medical device manufacturers address all risks, including cybersecurity risk," said an FDA spokeswoman. "The FDA has issued pre- and post- market cybersecurity guidances to provide recommendations for manufacturers to meet QSRs. These guidances represent the agency’s current thinking on this topic."

Manufacturers may choose to follow the recommendations in these guidelines, or they may choose other methods of managing cybersecurity in their devices, providing they comply with the QSR requirements and all other applicable FDA laws and regulations, she added.

But Morey Haber, vice president of technology for BeyondTrust, said cybersecurity basics should be enforced on every device sold that covers a life-saving function like a pacemaker or insulin pump.

"If the government can provide specifications for cars to have safety standards, there's no reason they should not be applied to medical devices, as well. This is especially true if a hack could potentially kill someone," Haber said.

Related Stories:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
bpaddock
50%
50%
bpaddock,
User Rank: Strategist
5/30/2017 | 1:28:40 PM
Medical Devices lack processing power and battery power
It is not that we do not know how to secure the devices, the problem is lack of power in terms of CPU horse power and battery power.

Like it or not high grade encryption/decryption is an energy intensive item and such energy is not available in many medical devices due to the limitations of today's batteries.

 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2017 | 9:07:56 AM
Previous Experience
My previous experience as an Information Security Professional in Healthcare validates the truth of this article. The main argument is that if security in any way jeopardizes patient care then the safeguard is not to be implemented. Which, in my opinion, is a valid argument as patient care is paramount. The key to enhancing security is seamless integration. Without it, this will continue to be the case.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.