Medical Device Cyber Security will be a Problem for 15-20 Years

Medical systems built now are often three to four years away from market, so today's security technology will be 'old school' by the time equipment is in place.

"There's good guidance, but any systems built with that guidance are probably three to four years away from market, and most of this gear's built to last 10 to 15 years," said chief information security officer (CISO) of Ramsay Health Care, Christopher Neal, while speaking at a security and risk management summit in Sydney, Australia. "Anything you're buying today has not been built secure-by-design, most likely. This is a problem that's going to live in healthcare for another 15 to 20 years."

Neal is tasked with making sure Ramsay Health Care - Australia's largest operator of private hospitals - and its patients remain safe. Not from disease, but cyber attack.

"Everything with a power point is probably connected, or will be shortly. Increasingly that connectivity is critical to patient care," said Neal, who had recently returned from the DefCon Hacking Conference in Las Vegas in early August, where, among other things, hackers were tasked with breaching medical equipment.

"The most fun I saw was (when) a guy sat down at an ultrasound machine. Within 30 seconds he had unrestricted Powershell access to that system through a vulnerability in the file manager that's on the platform."

On a far broader scale, the issue of cyber security within the healthcare industry is one that needs attention. This is an industry that suffers more cyber attacks than any other. Over three quarters of large ($250M+) US healthcare organizations have been breached and 10% of UK healthcare organizations suffered the same fate more than 10 times during 2018 (ENISA Threat Landscape Report 2018).

Healthcare is a bonanza for hackers. Few other industries have such 'rich' data, which often includes social security numbers, addresses, email addresses, credit card numbers, medical and employment histories. This information can be used to obtain such things as government benefits and access to medical services and prescription medications.

Healthcare is also critical infrastructure and attractive to anyone wanting to wreak havoc, especially because it often involves life and death situations, as was shown with Medtronic MiniMed insulin pumps, which proved vulnerable to potentially life-threatening cyber attacks.

Why this seemingly lax cyber security across the industry? The move to digital by healthcare organizations was a rapid one. In 2008, 9.4% of US hospitals used electronic health records. This shot up to 96.9% within six years. Along the way, IT security was often given low priority within healthcare budgets, leaving data vulnerable to attack. Also, the nature of healthcare means that data needs to be accessed - often in a hurry - across numerous locations and devices. In emergencies, security can be seen as a hindrance.

Earlier this year, the US Department of Health and Human Services (HHS) announced it was going to alter the way it penalizes violations of the Health Insurance Portability and Accountability Act (HIPAA). Companies that changed their ways and met with HIPAA standards, but were still breached, would be fined less that those that knowingly violated the HIPAA. However, after nearly $29 million in penalties were handed out in 2018, health companies said that such fines may cause organizations to invest less, since they were fined despite efforts to meet the HIPAA requirements.

. . .

If you want to stay notified of vulnerabilities that affect you, register for a weekly security report customised to your stack.