Download this white paper from Health-ISAC Navigator, Dellfer:
Addressing a Major Healthcare Challenge
The healthcare industry faces security challenges with its healthcare information systems and medical devices. Healthcare organizations are constantly under attack, resulting in significant fiscal impact and endangering patient safety and care delivery. A recent study by Proofpoint and the Ponemon Institute [2] surveyed 641 IT and IT security practitioners in healthcare organizations. A major purpose of the survey was to determine the impact of cyber-attacks on patient safety and care delivery. The survey found that 89 percent of respondents had experienced cyber-attacks over the past 12 months. The Ponemon Institute also found that cyber-attacks cause more than twenty percent of impacted healthcare organizations to suffer increased mortality rates [3]. The most common consequences of cyber-attacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of the healthcare providers and increased complications from medical procedures for half of them [4]. In addition, Ponemon reported that survey respondents believed insecure medical devices were the cybersecurity threat of greatest concern.
The Food and Drug Administration (FDA) is aware of the impacts of cyber-attacks and has recently issued draft guidance [5] for medical devices. In the report, the FDA states: “…cybersecurity threats to the healthcare sector have become more frequent and more severe, carrying increased potential for clinical impact. Cybersecurity incidents have rendered medical devices and hospital networks inoperable, disrupting the delivery of patient care across healthcare facilities in the U.S. and globally. Such cyber-attacks and exploits may lead to patient harm as a result of clinical hazards, such as delay in diagnoses and/or treatment… increased connectivity has resulted in individual devices operating as single elements of larger medical device systems. These systems can include health care facility networks, other devices, and software update servers, among other interconnected components. Consequently, without adequate cybersecurity considerations across all aspects of these systems, a cybersecurity threat can compromise the safety and/or effectiveness of a device by compromising the functionality of any asset in the system. As a result, ensuring device safety and effectiveness includes adequate device cybersecurity, as well as its security as part of the larger system.” [6]
Additional cybersecurity steps beyond current measures must be taken. The highest return on an incremental investment is improved cybersecurity for medical devices. There are two reasons for this. First, the Ponemon survey found that medical devices represent the greatest cyber threat. Second, the FDA already regulates medical devices and is developing new lifecycle cybersecurity regulations for them. This is illustrated in the draft FDA guidance, which states: “…the rapidly evolving landscape, an increased understanding of emerging threats, and the need for capable deployment of mitigations throughout the total product lifecycle (TPLC) warrants an updated, iterative approach to device cybersecurity.” [7]
Ensuring the Safety and Security of the Medical Device Ecosystem | www.dellfer.com
Clearly, it is logical to focus cybersecurity improvements on medical device security and safety. In the following section, we will address the steps the healthcare industry should take to ensure that medical device software is developed using best practices and associated standards for security and safety. In the last section, the paper will propose a solution for implementing the best cybersecurity and safety protection for medical devices during operation.
Software Development and the Software Supply Chain
Today, most companies develop software using a combination of self-developed code, vendor code, and free and open-source software. The Linux Foundation estimates that free and open-source software (FOSS) constitutes 70-90% of any given piece of modern software [8]. Given the potential vulnerabilities of such a combination of software, organizations must maintain a comprehensive and ongoing cybersecurity supply chain risk management program as part of their software development process. Therefore, during software acquisition, healthcare organizations should ensure that vendors have a rigorous software supply chain process like the one discussed in the next section. The need for a well-managed software supply chain program is demonstrated by the SolarWinds Sunburst cyber-attack, in which Russian hackers successfully compromised many of the largest technology companies, the US government, and a hospital chain [9]. The source of the attack was the compromised SolarWinds Orion Platform, an infrastructure monitoring and management platform for IT administration [10]. For details of how the attack succeeded and suggestions for mitigation, see https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth.