Medical Device Security

Securing Device Management and Communications Systems

September 04, 2013

Executive Summary

It has been almost twenty years since the Health Insurance Portability and Accountability Act (HIPAA) became law.1 This law had many purposes, among them addressing the security and privacy of health data, and defining policies, procedures and guidelines for maintaining the privacy and security of protected health information (PHI). As medical devices have progressed towards wireless, point-of-care and even electronic, implantable technologies, there have been several high-profile instances of devices being hacked. The target of these acts is not the data, but the operating and communications systems over which this data is carried. However, these acts can alter how the device operates, resulting in potential patient illness, injury and even death. Recent legislation, together with calls by Federal agencies for more stringent oversight of medical device security, is designed to combat this threat. Additionally, device manufacturers, manufacturers of OEM anti-malware software, medical practitioners and hospital IT services can – and should – take actions to ensure the safety of those patients who are using potentially vulnerable medical devices and their supporting communications networks.

The Threat

In early 2011, a man attending The Black Hat Briefings,2 a computer information security conference whose attendees include federal agencies, corporations and hackers, demonstrated how he had hacked a wireless communication system between a glucose meter and pump controller, and a wearable insulin pump.3 The man was a diabetic who personally used wireless insulin pump technology. The hack intercepted the wireless signals between the devices and broadcast a stronger signal to change the readout, causing the person to adjust their dose. This would allow an attacker to manipulate the diabetic’s insulin injections and could possibly be used to injure or kill the pump user.

Later that year, the OEM of a similar insulin pump system requested that software security experts investigate potential vulnerabilities associated with their device, in response to claims that their devices could be hacked, with potentially similar patient outcomes.4

Early last year, security researchers confirmed that the OEM’s device was not only vulnerable to this type of malicious attack, but that several of its other features were also vulnerable, potentially causing the user to operate the device in an unintended manner or to miss warnings that insulin should be delivered.5

While wearable insulin pump devices have received much of the attention relative to malicious attacks, many other classes of devices, including those critical to patient health and safety, may also be vulnerable.6

Threats to patient safety are not limited to the point-of-care devices themselves. Point-of-care devices used in clinical settings are increasingly managed by centralized Medical Device Management software applications and associated hardware and wireless communications configurations, which are also proving to be vulnerable to attack. In March 2013, the OEM of a hospital management system was hacked and disabled by just six lines of malicious code.7

Lastly, there is growing evidence that many medical service providers, hospitals and clinics are neglecting to secure medical devices and associated networks, as they believe it is the OEM’s responsibility to secure their devices.8 In a study conducted in late 2011, 69 percent of respondents said their data security policies do not cover medical devices, and 94 percent of respondents said they had at least one data breach in the past two years, up from 86 percent in 2010. The study also reported that costs associated with these breaches may total as much as $7 billion per year.9

Current State of Regulatory Affairs

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act became law.10 This Act, which is essentially a reinforcement of existing HIPAA law,11 contains a new Stage 2 “Meaningful Use” Rule12 which requires that participants conduct risk assessments, as was required in Stage 1 of HIPAA. However, the Stage 2 rule specifically requires that the analysis address the security of data stored in Certified Electronic Health Records Technology (CEHRT).13 While the original rule requires a risk assessment for the security of PHI, it was not equipped to address today’s encryption challenges; the Stage 2 rule requires that device software be designed to automatically encrypt electronic health information stored locally on end-user devices.14 In early 2013, the U.S. Department of Health and Human Services (HHS) issued its Final Rule on the Act, which went into effect on March 26.15 While the Act addressed the protection of “data at rest,” the security requirements contained in the Act were developed prior to the high-profile device hacking. This has resulted in additional calls to action for greater device security.

In August 2012, the U.S. Government Accounting Office (GAO) issued a report to Congress which urged the U.S. Food and Drug Administration (FDA) to consider expanding information security requirements for certain types of medical devices.16 In its report, the GAO identifies threats, vulnerabilities and risks associated with implantable medical devices. It also evaluated how deeply the FDA considers information security during its premarket review of certain devices with known vulnerabilities, and determined what post-market efforts the FDA has in place to identify information security problems.17 Several weeks later, the FDA announced that it was investigating how it monitors medical device security threats, including potentially strengthening requirements related to the reporting of safety and security issues.18 The FDA also noted that medical device security events are ineffectively reported to it, and called for working with other agencies, including the Department of Homeland Security (DHS), in the identification and tracking of potential threats.19 In June 2013, the FDA issued a safety communication calling for medical device manufacturers to take measures to minimize the risk of malicious attack. It also summarized the scope of the exposure and recommended actions for both device manufacturers and healthcare facilities for evaluating device and network security.20 The communication started the process of implementing a more comprehensive event reporting process through the FDA’s Adverse Event Reporting (AER) program.21

Recommendations for Improved Security

The following methods can be used to secure medical device technology: risk analysis, leveraging the current state of electronics security technologies, and providing training and education for information technology staff and the learned intermediaries who manage and use potentially vulnerable medical devices.

Threat Evaluation and Assessment

These methods can include:

  • Wireless Network Encryption - In many cases, wireless networking equipment is received with encryption turned off.22 Wireless networking equipment such as routers should be configured with the strongest encryption the network can support. Industry associations such as AdvaMed recognize that new digital technologies allow medical devices and wireless networking equipment to be manufactured with built-in encryption,23 whereas older and legacy devices may not support the strongest encryption available and may thus remain vulnerable.
  • Trusted Access - Taking steps to limit authorized device access to trusted users, particularly for those devices that are life-sustaining or could be directly connected to hospital networks. Such controls can include:
    • user authentication via user ID and password, smartcard or biometrics;
    • strengthening password protection by avoiding hard-coded passwords; and
    • limiting public access to device passwords, and restricting physical access to areas where devices are used via locks, card readers and security guards.24
  • Strategies - Protecting devices from exploitation and developing strategies for active security protection appropriate for the device’s use environment. Such strategies should include:
    • timely deployment of security patches; and
    • methods to restrict software or firmware updates to authenticated code.25
  • Fail Safe - Using design approaches that maintain a device’s critical functionality, even when security has been compromised.26
  • Recovery - Providing methods for retention and recovery after an incident where security has been compromised, including incident response plans that address the possibility of degraded operation as well as means of restoration and recovery.27

Use of 1st and 3rd Party Network Security Monitoring Software and Services

Many OEM device manufacturers and third-party service providers are recognizing the need not just to manage, but also to monitor, the operation and performance of wireless devices attached to a wireless network as a best practice for assessing real-time threats.28 Software systems that use predictive modeling to monitor medical devices and provide alerts when there is an outage, device malfunction or intrusion within a clinical network can add an extra layer of protection on top of other security methods.29, 30

Education and Training for Device Manufacturers and Learned Intermediaries

As medical devices continue to use more information technology in their operation and monitoring, device manufacturers, physicians, clinicians, learned intermediaries and IT professionals employed in the healthcare industry should have a working knowledge of device security and the threat that unsecured devices pose to their patients. This includes reinforcing data security policies, including procedures for securing wireless medical devices, since many clinical IT security policies do not address this.31 Advanced education in securing medical devices against vulnerabilities is essential. Colleges and institutions are responding to this need in the form of accredited courses in medical device security.32

Conclusion

The advance of wireless electronic medical devices has brought improved patient care and effective patient monitoring. The security of these devices has thus far lagged behind the importance of the protection of patient data. These devices can, and should be, given due consideration within the framework of hospital and clinical IT security; the means for doing so is becoming increasingly clear via regulatory rulings and IT security best practices. Application of regulatory guidance and security management best practices can help ensure both the security of electronic medical devices and the patients and medical professionals they serve.

Contact Us

To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Lloyd Takata, SVP of OneBeacon Technology Insurance at ltakata@onebeacontech.com or 952.852.6028.

References

  1. "Health Insurance Portability and Accountability Act." Wikipedia, http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
  2. "Black Hat Briefings." Wikipedia, http://en.wikipedia.org/wiki/Black_Hat_Briefings
  3. "Hacker shows how to hack insulin pumps at Black Hat conference." Slashgear.com, http://www.slashgear.com/hacker-shows-how-to-hack-insulin-pumps-at-black-hat-conference-05169762
  4. "Exclusive: Medtronic probes insulin pump risks." Reuters, http://www.reuters.com/article/2011/10/25/us-medtronic-cybersecurity-idUSTRE79O8EP20111025
  5. "McAfee Hacker Says Medtronic Insulin Pumps Vulnerable to Attack." Bloomberg, http://www.bloomberg.com/news/2012-02-29/mcafee-hacker-says-medtronic-insulin-pumps-vulnerable-to-attack.html
  6. "Hacking Pacemakers." IEEE Spectrum, http://spectrum.ieee.org/podcast/biomedical/devices/hacking-pacemakers
  7. "The 6 lines of code that could bring down a hospital." MassDevice, http://www.massdevice.com/features/6-lines-code-could-bring-down-hospital
  8. "Many Doctors Don’t Secure Medical Devices From Hackers, Study Finds." Bloomberg TechBlog, http://go.bloomberg.com/tech-blog/2012-12-06-many-doctors-dont-secure-medical-devices-from-hackers-study-finds/
  9. Ibid.
  10. "Health Information Technology for Economic and Clinical Health Act." Wikipedia, http://en.wikipedia.org/wiki/Health_Information_Technology_for_Economic_and_Clinical_Health_Act
  11. "HIPAA Goes HITECH." Hewlett-Packard white paper, https://h30406.www3.hp.com/campaigns/2010/events/all-whitepapers/images/PREVIEW_wpaper10.pdf
  12. "HITECH Stage 2 Rules Unveiled." HealthcareInfoSecurity, http://www.healthcareinfosecurity.com/hitech-stage-2-rules-unveiled-a-5060
  13. Ibid.
  14. "HITECH Stage 2: Assessing Risks Is Key." HealthcareInfoSecurity, http://www.healthcareinfosecurity.com/hitech-stage-2-assessing-risks-key-a-5226
  15. "HHS Finalizes HIPAA/HITECH Rule: Dramatic Revisions to Marketing Practices and Research Authorizations." FDA Law Blog, http://www.fdalawblog.net/fda_law_blog_hyman_phelps/2013/01/hhs-finalizes-