Healthcare without cybersecurity is like ‘surgery without sterile instruments’, warns nurse

US regulations for internet of things (IoT) devices in medical environments are adequate – it’s just that too many hospitals and doctors aren’t following them, according to a leading US infosec strategist.

Josh Corman told The Daily Swig that too many doctors and hospitals have failed to embrace changes in device cybersecurity introduced through the Health Information Technology for Economic and Clinical Health Act (HITECH).

Enacted in 2009, and amended and updated since, HITECH was designed to encourage hospitals to adopt electronic health records and health information technology.

The legislation sits alongside the better-known Health Insurance Portability and Accountability Act (HIPAA), which regulates privacy requirements for medical records, among other measures.

Despite examples of hacks against everything from pacemakers to infusion pumps (alongside guidance from the US Food and Drug Administration and provisions for a recall of vulnerable medical device technology, where necessary), individual US physicians often still don’t believe that cyber-attacks against healthcare devices are a credible threat.

Meanwhile, hospital admins are not compelled to act, and the attitude of using IoT medical equipment until it breaks persists.

This inaction is not for want of adequate security controls. “We have the vaccine but there are still too many ‘anti-vaxxers’ when it comes to cybersecurity,” Corman explained.

Raising awareness

Cybersecurity issues with medical devices create practical problems, as evidenced by a US-CERT alert concerning medical devices from manufacturer Medtronic, issued last month.

Corman, a fellow of the Atlantic Council and co-founder of the I Am The Cavalry initiative, has been working with other experts, including medical practitioners, to raise awareness and promote better cybersecurity practices in healthcare environments.

Corman and his colleagues are working with patient advocacy groups as well as looking at how insurance risk might be used as a lever to improve cybersecurity practices.

Moves to improve awareness include a hack simulation with surgical dummies and tabletop exercises, delivered through the CyberMed healthcare security awareness program.

Change is slow. Part of the reason for this is that it takes six years for a medical device to come to market. The service life of medical devices can last as long as 30 years.

“In spite of good progress and recall provisions, hospitals and physicians are yet to heed the threat from cybersecurity,” Corman explained.

Dependence and trust

Corman recently chaired a discussion on medical device security at last month’s RSA Conference, which featured representatives from hospitals, as well as medical kit manufacturers.

One of the principal arguments put forward by those concerned with medical device security is that our dependence on connected technologies in healthcare is growing far faster than our ability to secure them.

We need only turn to the WannaCry ransomware outbreak of 2017 (which crippled 47 healthcare trusts in the UK alone) to see the damage that can be caused through using outdated operating systems on devices such as scanners.

Unfortunately, hospitals continue to rely on end-of-life technology – and even more worrying is evidence from recent straw polls that the majority of US healthcare facilities still lack even a single dedicated cybersecurity staff member.

Although the death of any patient that resulted from a compromised IoT medical device would be a tragedy, Corman said the real problem would arise from a crisis of public confidence in these devices, undermining trust in them in the future.

Any incident that causes chief medical officers to withdraw from using otherwise superior technology would be the most impactful loss, Corman argued, adding that connected technology has functionality that aids the delivery of better patient care.

“That connected technology has to be trustworthy and it’s our job that we maintain that trust,” Corman concluded.

Many European infosec experts – in contrast with Corman – argue tougher regulations are needed to manage the security risk of IoT devices in medical environments.

Jelena Milosevic, a pediatric nurse in the Netherlands who has developed an interest in cybersecurity over the past five years, told The Daily Swig that every party involved tends to put the blame on other groups for medical device insecurity when it ought to be a collective effort.

Milosevic said that medical devices often promised more than they can deliver because the “PR/selling story doesn't fit all the time with reality”.

“We have a security and privacy issue with all IoT & software,” Milosevic explained, adding that data sharing is a particular problem.

“Most of the times, the hospitals buy the cheaper and find that they are not working as promised,” she added.

Medical professionals assume that if they are given something to work with, it is safe and secure, so they do not question it. Milosevic concluded: “If they realize how bad it is, they will maybe do more?”

Milosevic’s bio for her Twitter account frames the importance of medical device cybersecurity in stark terms: “health care without (basic) security is like surgery without sterile instruments”.