How manufacturers and hospitals can prevent cyber attacks

February 14, 2017
by Lauren Dubinsky, Senior Reporter
The health care industry has recently suffered the greatest number of data breaches compared to 16 other industries, according to a 2015 report conducted by the digital security company Gemalto. Is this industry the most attractive target for hackers, or is it the most vulnerable? “There are more and more reports of hospitals being the target of malicious intent,” says Rob Maliff, director of the applied solutions group at ECRI. “The numbers are rising in terms of how many health systems have been penetrated, but other industries have a quicker way to assess where they have been a subject of an attack.”

Hackers are aware that health care information is much more valuable than credit card information from a bank. If they get into a hospital’s electronic health record (EHR), they have access to the patient’s name, address, Social Security number and credit card number. The black market value of EHR information is about $50 per record and credit card information is only about a dollar, according to Maliff.

How did this happen?
The industry is embracing interoperability and the benefits it can bring to hospitals, but it comes at a cost. Once a medical device is connected to a hospital's network, it shares information across that network, and every such connection is a potential path for an attacker. Manufacturers often remotely monitor a hospital's imaging equipment, so the remote-access path has to be protected on the manufacturer's side as well; otherwise a compromise there becomes a way into the hospital's MR system. Field service engineers hold administrative access to the equipment, and when an engineer leaves the company the hospital has to decide whether those administrative credentials should be changed.

“It’s not only cybersecurity in the form of attacks and scanning ports and IT infrastructure, but it also has a lot to do with individuals that perform phishing attacks and the ecosystem of people, processes and technologies that are responsible for preventing cybersecurity issues or causing the issues,” says Rik Primo, chair of the Medical Imaging and Technology Alliance (MITA) Cybersecurity Taskforce. A cybersecurity white paper published by MITA and the National Electrical Manufacturers Association (NEMA) in 2016 stated that cybersecurity for medical imaging is a shared responsibility between health care providers and manufacturers. The organizations believe the best line of defense is for manufacturers and health care providers to adopt best practices and standards.

The manufacturers’ role
To meet FDA standards and provide patients with quality health care, manufacturers need to build security into their devices, according to the MITA/NEMA white paper. They can do that with standardized coding practices and training for software developers. Manufacturers should test their devices by designing threat models that feature different use cases. A device is considered to be secure if it defends against unauthorized operation in the context of its intended environment and use.

They should also inform health care providers of the security software installed in the devices, of available security updates, and of software known to be at risk. If the devices communicate over connections that aren't covered by the hospital's firewall, the manufacturer should have secure controls in place for accessing the network and should use technology that doesn't compromise security. According to MITA, medical device manufacturers are increasingly being considered business associates by their customers if their devices interact with patient data. The Health Information Technology for Economic and Clinical Health (HITECH) Act requires business associates to protect sensitive information.

For medical device manufacturers, the HITECH Act defines the minimum level of security and privacy needed to comply with the regulations. “These things behave like the Internet of Things [because] there is machine-to-machine communication,” says Primo. “When an order is placed, the demographic information of the patient is automatically populated in the worklist on that modality.” The Association for the Advancement of Medical Instrumentation (AAMI) is working to help manufacturers improve the security of their devices. The FDA added AAMI’s information security recommendations to its list of recognized standards in July 2016. “Health care providers are demanding more security for their devices and manufacturers themselves know that there is a risk associated with their devices,” says Geoffrey Pastoe, co-chair of the AAMI design security workgroup. “The thing that is probably foremost in their mind right now is the push by the FDA to make devices more secure.”

The AAMI TIR57 technical report provides manufacturers with guidance on developing a cybersecurity risk management process for medical devices. From there, they can take action and correct any issues. Pastoe believes that risk management is not the only thing that is needed to maintain the security of devices. In a new technical report, AAMI will address post-market security management.

The hospitals’ role
Many health care executives don’t know if their organization is fully prepared to prevent damage that hackers can cause, including device malfunctions, service disruptions and patient data breaches, according to ECRI. ECRI offers a Cybersecurity Gap Analysis Service, which was launched in November. It identifies network-connected devices and their associated risks, manages the latest security patches for medical devices, prioritizes devices based on stored data and functionality and ensures that appropriate training is carried out.
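The gap analysis described above comes down to an inventory problem: know which devices are on the network, what each one holds and does, how reachable it is, and which vendor patches it is missing, then rank them. The following Python is an added illustration of that ranking, not code from ECRI's service or from the article. The inventory, the field names, the network zones and the scoring weights are all constructed assumptions; the point is the shape of the decision (patient-safety impact first, then stored data, then exposure and patch state), including the field-engineer credential question raised earlier in the piece.

```python
"""Risk-ranking a constructed inventory of network-connected medical devices.

Added example, not code from ECRI's Cybersecurity Gap Analysis Service or from
the article: the inventory, field names and scoring weights are assumptions
chosen to illustrate prioritising devices by stored data, clinical function,
network exposure and patch state.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    stores_phi: bool            # holds patient data (demographics, images, EHR feed)
    delivers_therapy: bool      # can act on the patient (infusion pump, ventilator)
    vendor_remote_access: bool  # manufacturer keeps a remote maintenance path
    missing_patches: int        # vendor security patches released but not applied
    reachable_from: str         # "isolated", "clinical_vlan" or "enterprise" (assumed zones)


# How far an attacker already on the network can reach the device (assumed scale).
EXPOSURE = {"isolated": 0, "clinical_vlan": 1, "enterprise": 2}


def impact(d: Device) -> int:
    """Consequence of compromise: patient safety outweighs data loss."""
    return (3 if d.delivers_therapy else 0) + (2 if d.stores_phi else 0)


def likelihood(d: Device) -> int:
    """How easy the device is to reach and how much known exposure it carries."""
    if d.reachable_from not in EXPOSURE:
        raise ValueError(f"unknown network zone: {d.reachable_from!r}")
    return (EXPOSURE[d.reachable_from]
            + (2 if d.vendor_remote_access else 0)
            + min(d.missing_patches, 3))  # cap so patch count alone cannot dominate


def risk_score(d: Device) -> int:
    """impact x (1 + likelihood): an isolated, patched device still scores by impact."""
    return impact(d) * (1 + likelihood(d))


def findings(d: Device) -> list[str]:
    """Human-readable reasons a reviewer would want on the device's work list."""
    notes = []
    if d.missing_patches:
        notes.append(f"{d.missing_patches} vendor security patch(es) not applied")
    if d.vendor_remote_access:
        notes.append("vendor remote access path: confirm service credentials are "
                     "rotated when field engineers leave")
    if d.reachable_from == "enterprise":
        notes.append("reachable from the enterprise network: candidate for segmentation")
    if d.delivers_therapy:
        notes.append("delivers therapy: tampering is a patient-safety event, not only a data event")
    return notes


def prioritize(devices: list[Device]) -> list[tuple[str, int]]:
    """Highest risk first; ties broken by name so the ordering is stable."""
    return sorted(((d.name, risk_score(d)) for d in devices),
                  key=lambda t: (-t[1], t[0]))


# Constructed inventory (assumed values, not real equipment or real findings).
INVENTORY = [
    Device("MR scanner", True, False, True, 2, "enterprise"),
    Device("Infusion pump, ward 3", False, True, False, 1, "clinical_vlan"),
    Device("Patient monitor", True, False, False, 0, "clinical_vlan"),
    Device("Lab analyzer", True, False, True, 0, "isolated"),
]

if __name__ == "__main__":
    for name, score in prioritize(INVENTORY):
        dev = next(d for d in INVENTORY if d.name == name)
        print(f"{score:3d}  {name}")
        for note in findings(dev):
            print(f"      - {note}")
```

With these assumed weights the remotely monitored MR scanner on the enterprise network ranks first (stored patient data, a vendor remote path and two unapplied patches), ahead of the infusion pump, whose score is carried almost entirely by the fact that it can act on a patient. Any real deployment would replace the constructed inventory with the output of network discovery and the vendor's patch notices, and tune the weights to the hospital's own risk appetite.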

“It’s meant to help the hospital switch from a reactive stance to more of a proactive stance when it comes to cyber safety,” says Maliff. “They might have their server closet locked down and [train users] to not share passwords, but what else can they be doing to minimize their vulnerability and improve their cyber safety stance?” As part of the service, ECRI sends one of its experts to a hospital to conduct interviews and examine documentation. The expert discusses plans moving forward with key players at the hospital. “When a board member asks what [the hospital] has done to prevent ransomware, senior leaders [better] have an answer for them and the Gap Analysis Service can be part of that answer,” says Maliff.

The deadly risk
In July 2015, Hospira and an independent researcher confirmed that Hospira’s Symbiq Infusion System could be accessed remotely through a hospital’s network. That means an unauthorized user could control the device and change the dosage that the pump delivers. No adverse events or unauthorized access to the infusion system were reported at that time, but Hospira decided to discontinue the development and distribution of the product.

“The risk is that someone could gain access to a pacemaker and turn it off for that patient or gain access to the infusion pump and deliver a deadly dose of medication, but that’s awfully time-intensive and difficult,” says Maliff. “They have to target that device on that patient when they are using it.” However, there have been many cases in which a hospital’s EHR has been shut down until a ransom is paid in Bitcoin to restore access to operations. Maliff recommends that hospitals have a policy for caring for patients while the EHR is unavailable. “Up until this time, a lot of hospitals have focused on security of the network, which is great,” he says. “But now we are looking at the medical devices as a vector. A lot of hospitals and health systems haven’t figured out how to do this.”

Large health systems have deployed the resources to tackle this, including network medical device engineers and chief information security officers. But community hospitals usually outsource their biomedical engineering department and have a 5- to 10-person IT staff. “They are trying to tackle it, but it’s one of the many hats that they have to wear and they are struggling,” says Maliff.