In the wake of several recent massive retail data breaches, the U.S. Food and Drug Administration on Wednesday made final recommendations to manufacturers to better protect patient health and information stored on networks and medical devices.
What’s the big deal? Some medical devices, like any computer, can be vulnerable to security breaches that could impact the safety and even the efficacy of the devices. In short, it could be a much larger crisis than identity theft.
“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness/operations and medical countermeasures at the FDA’s Center for Devices and Radiological Health. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
What Health Care Can Learn From Retailers
The risk to medical devices is especially relevant to the security conversation because medical devices are often designed without any way to patch them, Tom Cross, research director of network security firm Lancope, told us. He hopes the new FDA regulations will force the health care industry to focus on the issue and drive a positive impact on the way that these devices are designed going forward.
“Computer malware can pose significant risks to patient safety, as well as the privacy of medical information,” Cross said. “When major vulnerabilities like Shellshock and Heartbleed get disclosed, health care providers need a path to upgrade any vulnerable network connected devices that they have, so that those devices aren't exposed to attacks.”
As Cross sees it, the recent string of breaches that hit retailers by targeting network-connected point-of-sale terminals demonstrates that attackers are adept at getting access to network-connected devices when they have a motivation to do so.
“Attacks on the Internet are often indiscriminate, and can impact network-connected systems even if they aren't specifically targeted,” he said. “Unfortunately, medical devices are often designed without a way to patch them.”
Operate Under This Assumption
Chris Petersen, CTO and co-founder of security intelligence company LogRhythm, told us he’s glad to see the guidelines but he called the FDA’s move “late.” Cybercriminals can easily bypass perimeter defenses and quickly find a foothold within even well-defended networks, he noted. What’s more, health care environments are typically home to a number of IP-connected medical devices that have not been hardened to withstand cyberthreats at all.
“Many existing medical devices are running commercial or open source operating systems such as Windows or Linux. New vulnerabilities are constantly being found in these operating systems and require constant patching to keep them secure,” Petersen said. “Many types of medical devices have been developed assuming they would never be patched, or patched rarely. Manufacturers may have minimal recourse to improve the security posture of deployed devices.”
For the foreseeable future, Petersen said, health care organizations need to recognize that the network is untrusted and operate on that assumption: the adversary is inside now, or will be tomorrow. He also suggested deploying security strategies that address the fact that they likely have thousands of insecure, IP-enabled devices in their networks.
“An effective strategy will be one that prioritizes the speed with which threats can be detected once present in the environment and how quickly they can be responded to,” Petersen said. “This will be critical towards delivering trusted patient care, and protecting patient data, within an increasingly hostile threat environment.”
Byron Cornelius Faison:
Posted: 2014-10-07 @ 6:55am PT
This is a move in the right direction. I do believe that medical providers could use lessons in security in my opinion.