To help advance the state of medical device cybersecurity the U.S Food and Drug Administration (FDA) now has new guidance to help improve security for 2017, but it might not be enough to handle the immediate challenge of the growing problem.
2016 was not a good year for healthcare cybersecurity, with a 63 percent year-over-year increase in major attacks, according to security firm TrapX.
The situation has not escaped the notice of the U.S Government, with the Food and Drug Administration(FDA) issuing a 30-page report on Cybersecurity in Medical Devices, on Dec. 28, 2016.”Protecting medical devices from ever-shifting cybersecurity threats requires an all-out, lifecycle approach that begins with early product development and extends throughout the product’s lifespan,” Suzanne Schwartz, FDA associate director for science and strategic partnerships, wrote in a blog post.Among the core elements of the FDA guidance for medical device security is understanding the risks and potential vulnerabilities of devices.
Additionally the FDA recommends that organizations have a process in place to work with security researchers to receive and act on information related to potential vulnerabilities.
The FDA also suggests that organizations deploy software patches quickly, before they can be exploited.Moshe Ben-Simon, co-founder and vice president of services at TrapX has a mixed outlook on the FDA guidance and how it can help to improve security in the healthcare market.
“As guidance it takes the industry in the right direction,” Ben-Simon told eWEEK. “The challenge is that the existing installed base of medical devices and the infrastructure that support them cannot be remediated in a period measured in other than years.”
The scope of the medical device cybersecurity challenge is large, with approximately 6,500 medical device manufacturers and perhaps millions of medical devices within the installed base.
Ben-Simon commented that many medical devices are installed on a long projected financial and operating life, but the manufacturers do not plan on ever upgrading the internal embedded processors and making major structural changes to the devices.”In contrast, the hospitals cannot afford to end-of-life these older devices – they want the manufacturer to offer a no or low cost upgrade so they can be more cyber resilient,” Ben-Simon said. “To complicate matters, beyond the purview of the FDA, the basic weakness in the networks that host the medical devices is perhaps worse and definitely part of the problem.”In June 2016, TrapX released a report on an attack against medical devices dubbed ‘MEDJACK 2’. With the MEDJACK attack, hackers scan networks looking for potentially vulnerable medical device in an attempt to deploy various forms of malware and ransomware.Ben-Simon noted that the FDA guidance for medical device cybersecurity could potentially help to prevent MEDJACK attacks in the long term.”The challenge is that without mandatory compliance, neither the medical device manufacturers nor the hospitals can afford to invest in upgrading the massive installed base of devices,” Ben-Simon said.Ben-Simon noted that MEDJACK can only be detected when attackers move laterally from the infected medical devices across a network and most hospitals do not have the technology to identify attacker safe havens.
In the meantime, Ben-Simon said that TrapX continues detect MEDJACK in just about every healthcare institution in which it has close involvement.Overall 2016 was a challenging year for security in the medical community.
TrapX’s 2016 Healthcare Cyber Breach Research Report found a 63 percent year-over-year increase in attacks against healthcare institutions in the U.S.”The rapid emergence of ransomware nationally happened at a faster pace than anyone expected within healthcare,” Ben-Simon said.There were attacks against healthcare organizations in 2015 as well, including large breaches at Anthem, Premera and Excellus Blue Cross/Blue Shield.
Ben-Simon noted that in 2015 a few massive institutions were impacted by the theft of over 100 million healthcare records.”The 2016 research and analysis was a big wake up in that it shows a broadening of attacks from the largest institutions to a broad mid-section,” Ben-Simon said. “This broad mid-section includes not only hospitals, but large physician practices, cancer treatment centers, urology center, MRI/CT scan centers, surgical centers, skilled nursing facilities (SNFs) and diagnostic laboratories.””Attackers are exploiting their market opportunity quickly, finding the weakest points on which to land and expand, and they are reaching out to do so using new tools like ransomware to improve their return on investment,” he said.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.
Follow him on Twitter @TechJournalist.