Networked Medical Devices: Security and Privacy Threats - Symantec
WHITE PAPER
Healthcare IT at a crossroads
CONTENTS
The government’s role: integration and privacy mandates
The CHIME member survey
Participants and devices
Experience and concerns
Introduction
Healthcare information technology (IT) uses many of the same infrastructure elements, applications, off-the-shelf technologies, and processes used by enterprise IT in general. But healthcare networks are unique in two important respects. First, they contain and transmit information that is uniquely sensitive, and therefore governed by rigorous, industry-specific privacy and security regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA). Second, the complexity, number, and diversity of devices—especially network-connected devices—that make up this infrastructure expose healthcare networks to a broader range of security and privacy risks than “typical” network servers or endpoints.
The problem of vulnerable devices on sensitive networks has been latent for years. But today three trends are converging to make it an immediate risk:
• Sharp rises in the volume, sophistication, and focus of malware, raising the likelihood of, and damage from, malware attacks and data breaches
• Medical devices that incorporate more off-the-shelf hardware and software, increasing their vulnerability to malware, hacking, and data theft
• New government incentives and mandates to share patient information electronically, simultaneous with severe penalties for any loss, diversion, or exposure
In this paper, we will first outline the risks introduced by networked medical devices, and then present results from a 2010 survey by the College of Health Information Management Executives (CHIME) to gain the perspective of industry insiders. Finally, we will review some of the organizations, standards, and solutions available to help hospitals, diagnostic centers, and clinics assess and address issues introduced by networked medical devices.
Converging risks
The potential for networked medical devices to serve as a vector for cyber threats is on the rise because of changes in the cyber-threat environment, the special characteristics of medical devices, and a changing regulatory climate.
External risks: cyber threats
Cyber threats adapt to the opportunities and risks faced by their creators. The nuisance of amateur online vandalism has been eclipsed by new opportunities for professional criminals, created by high-bandwidth connections and an explosion of commercial and financial information and transactions on the Web. Today’s Internet threats are increasingly:
• Global—China is second only to the United States as a source of online threats, and Brazil, source of several high-profile attacks, has emerged as number three. Geographic variation in laws and enforcement complicates and slows prosecution of cybercrimes.
advance reconnaissance on social networks, custom-crafted “spear phishing” messages, multi-pronged attacks, and persistent data gathering over long periods.
• Web based—All of the current top-ranked cyber attacks, including those that implant keystroke loggers and other information-gathering tools, exploit vulnerabilities in browsers and other popular applications.
• Automated—“Crimeware” toolkits accelerate the creation of custom exploits, including deployment of botnets to launch global automated attacks. More than 90,000 unique variants of one such kit appeared in 2009 alone.
• Financially driven—Today’s attacks focus on financial information about organizations and consumers. An underground online economy supports a brisk trade in stolen information: credit card information, for example, sells between $0.85 and $30.00, and bank account credentials from $15 to $850.¹
All organizations and consumers, not just hospitals and patients, face this threat environment. But the sensitivity of medical information, and the exposure of network-connected medical devices raise special risks in the healthcare industry.
Internal risks: medical devices
Enterprise networks may incorporate tens of thousands of endpoints, and while security and data protection are constant concerns, the consensus is that the risks are under control. What makes network-attached medical devices so different?
The answer is that even though newly released medical devices operate more like computers, they are still treated as though they are different—in ways that carry serious ramifications for security and data protection.
The PC revolution has transformed instruments and devices of all kinds, and medical devices are no exception. Their increasing use of off-the-shelf hardware and software technologies unlocks significant user-interface, performance, and cost advantages. As devices grow more productive, hospitals use them to increase staff efficiencies and they proliferate throughout hospitals. These sophisticated devices are more likely to be connected to networks to create efficiencies and enable control, data communication, management, and integration—exposing them to the full range of risks that afflict other network endpoints.
But although medical devices share computers’ vulnerabilities, they can’t be protected in the same ways:
• Responsibility for medical devices often resides with Biomedical (or Clinical) Engineering departments, whose mission and training focus on calibration and maintenance. Security and data protection are typically subordinated or shared with the IT organization, for which medical devices are secondary to maintaining core IT service levels.
• Long device lifecycles keep hardware, operating systems, communications protocols, and applications systems in service on medical devices long after they have disappeared from enterprise IT networks—so devices remain vulnerable to exploits that are of no concern to desktops and laptops.
• Regulation has a paradoxical effect: the U.S. Federal Food and Drug Administration (FDA) and its counterparts outside the U.S. stipulate that medical device manufacturers, not owners, must control and validate device configuration, including security updates. This delays delivery of vulnerability patches to users, slows the pace of security and data-protection upgrades, and keeps third-party security solutions, no matter how effective, off PCs embedded in medical devices.
The government’s role: integration and privacy mandates
The unique status of medical devices excludes them from routine PC protections—a situation that has persisted for years. But regulatory changes are forcing near-term security and protection decisions that sometimes conflict. The U.S. federal government and other organizations are attempting to cut duplication, errors, and costs by integrating patient information from many sources into a single electronic record available to legitimate parties. At the same time, privacy provisions require that access to this information be convincingly blocked from all other parties.
The healthcare community is well aware of HIPAA requirements to protect patient information. But unless medical devices can be secured, HIPAA protections are difficult to reconcile with incentives for Electronic Medical Records under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA).
The CHIME member survey
The College of Health Information Management Executives is an organization that supports Chief Information Officers (CIOs) and other senior leaders in healthcare IT. Considering the spread of medical devices, the difficulty of protecting them and their information, and the emerging potential conflict between digitization and security of medical records, CHIME surveyed its members’ concerns about cyber threats originating from, targeting, or propagated through network-connected medical devices in an online survey conducted during August and September 2010.
Participants and devices
The 53 survey participants were predominantly director- or C-level executives at large U.S. hospitals (median 551 beds). As seen in Figure 1, most of these organizations have well over 1,000 medical devices. Almost 23 percent are network connected; an additional 8 percent are network capable but not yet connected. Wired connections outnumber wireless three to two. Figure 1 also reveals that the concentration of both total and networked medical devices—for example, devices per bed—is much higher at larger hospitals.
Figure 1: Medical devices in use at survey participants’ hospitals. Networked and network-ready devices constitute more than 30 percent of the total.²
² CHIME members are predominantly Healthcare IT executives; as a result, Figure 1 may underestimate the number of medical devices at hospitals where IT does not manage them, or manages them jointly with Biomedical Engineering.
In 45 percent of these organizations, the Biomedical (or Clinical) Engineering department alone manages medical devices, and in 45 percent they either share management responsibility with IT (38 percent), or have consolidated Biomedical Engineering and IT into a single group (7 percent). In only 6 percent of cases does IT alone manage the devices; in 4 percent an outside group is responsible.
Figure 2: Responsibility for managing medical devices is typically assigned to the Biomedical/Clinical Engineering department alone, or shared with IT.
Experience and concerns
Malware attacks on medical devices are more than a theoretical concern for survey participants: more than a third of them had experienced a virus or other malware on a medical device in the year preceding the survey, and a third of that group experienced multiple incidents.
Figure 3: More than one-third of survey participants reported a cyber attack in the preceding year.
They also saw firsthand how difficult malware is to contain: in more than half of the reported outbreaks, infections spread beyond a single device to a few devices, a floor or department, or the entire hospital.
Figure 4: More than half of reported outbreaks extended beyond a single device.
Further, as shown in Figure 5, 47 percent of participants see malware threats as a steady-state phenomenon—but 17 percent see them on the rise.
Figure 5: The majority of survey participants see malware attacks as steady or rising year upon year.
Steady or rising, the threat is serious. Two-thirds of participants rate cyber risks from medical devices the same or greater than from general hospital IT. Their areas of greatest concern are:
• Key risks: hacker penetration, privacy breach, virus infection, and virus propagation
• Most serious impacts: patient care, clinical productivity, clinical and IT remediation burdens
Figure 6: Security concerns run the gamut of medical devices. These are the top 7 of 14 device types.
Initiatives
To date, network security initiatives account for most of the protection against malware and information loss: secure Virtual Local Area Network architectures protected from the outside by firewalls and “demilitarized zones”. Almost half of the participants use two or more external protective measures in addition to protections provided by the device manufacturer. Figure 7a illustrates the distribution of protective measures, and Figure 7b shows their concentration.
Figure 7: a) Surveyed hospitals use network-based defenses to protect medical devices. b) Almost half use two or more forms of network protection.
One of the most important measures for protecting any computing system or medical device is a disciplined management and upgrade process. Device-management solutions are an essential part of any security and privacy initiative. More than 80 percent of surveyed hospitals used one or more automated solutions—which are often bundled into suites—to help them manage medical devices from purchase through decommissioning. About half use more than one solution. Figure 8 shows the solutions they use.
Figure 8: Hospitals use a full range of automated solutions to manage medical devices throughout their lifecycles from purchase through end of life.
Survey summary
A midsize to large U.S. hospital relies on more than a thousand medical devices, managed by Biomedical Engineering, either alone or jointly with IT. About one-third of the devices are exposed to malware or data loss through network connections. More than one-third of surveyed hospitals experienced one or more virus or malware incidents in the past year—and half of these spread beyond the point of entry. Responsible executives see the cyber-risk rates as steady but serious; they worry most about hackers and privacy breaches on their networks, the security of patient-connect devices, and impacts on patient care.
They use one or more network-based defenses to protect their devices, networks, and patient information, count on automated tools to manage devices throughout their lifecycles, and would generally welcome security and vulnerability rating services for medical devices.
With HITECH incentives built into ARRA, and EMR initiatives generating organizational support, now is the best time to extend the IT security envelope to include medical devices. IEC 80001-1:2010, Application of risk management for IT-networks incorporating medical devices, outlines a risk-management approach that aligns well with the organization and processes of most hospitals.
Education—of both responsible departments and those affected by the changes—is an important component of any solution. The following section offers links to resources that offer background information, standards and regulatory frameworks, and software solutions governing device and network security, access control, lifecycle management, and data protection.
References
These articles report individual attacks on networked medical devices and security trends in healthcare environments:
Wirth, A. “Cyber Crimes Pose Growing Threat to Medical Devices,” Biomedical Instrumentation and Technology (BI&T), Jan/Feb 2011, Volume 45, Number 1.
Keen, Cynthia E. Conficker worm highlights PACS cybersecurity issues, AuntMinnie.com, (online) June 2, 2009, accessed: February 1, 2011.
http://www.auntminnie.com/index.asp?Sec=sup&Sub=ris&Pag=dis&ItemId=86009
Massachusetts Medical Devices Journal LLC. Medical devices next on hackers’ target list? MassDevice.com, (online) April 5, 2010, accessed: December 7, 2010.
http://www.massdevice.com/blogs/massdevice/medical-devices-next-hackers-target-list
Massachusetts Medical Devices Journal LLC. Confickered! Medical devices and digital medical records are getting hacked, MassDevice.com, (online) May 8, 2009, accessed: December 7, 2010.
The Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA) address privacy issues related to medical devices as part of the “Manufacturer Disclosure Statement for Medical Device Security” joint initiative (MDS2). Note that MDS2 disclosures are not catalogued and are provided to customers by request only.
National Electrical Manufacturers Association, Manufacturer Disclosure Statement for Medical Device Security (MDS2), NEMA.org, (online) September 29, 2008, accessed: January 24, 2011.
HIMSS.org, (online), accessed: January 24, 2011.
http://www.himss.org/ASP/topics_medicalDevice.asp
The Patient Care Device Domain working group of Integrating the Healthcare Enterprise deals primarily with clinical topics, such as alarm communication, message syntax, and so on, but also addresses security, privacy, and configuration management.
2010, accessed: January 24, 2011.
http://www.ihe.net/pcd/
The Clinical Engineering/IT (CE-IT) Community of the Association for the Advancement of Medical Instrumentation (AAMI), American College of Clinical Engineering (ACCE), and the Healthcare Information and Management Systems Society (HIMSS) is working to bridge the gap between traditionally device-focused clinical engineering and traditionally network-focused IT.
http://www.ceitcollaboration.org/
U.S. Food and Drug Administration, Reminder from FDA: Cybersecurity for Networked Medical Devices Is a Shared Responsibility, FDA.gov, (online) November 4, 2009, accessed: January 24, 2011.
United States Computer Emergency Readiness Team, Cyber Security Tips, US-CERT.gov, (online), accessed: January 24, 2011.
http://www.us-cert.gov/cas/tips/
Center for Engineering & Occupational Safety and Health (CEOSH) and U.S. Department of Veterans Affairs, Medical Device Isolation Architecture Guide, HIMSS.org, (online) April 30, 2004, accessed: January 24, 2011.
http://www.himss.org/Content/files/VA_VLAN_Guide_040430.pdf
http://www.hitsp.org/ConstructSet_Details.aspx?&PrefixAlpha=5&PrefixNumeric=905
Cooper, Todd and Eagles, Sherman, Aiming for Patient Safety in the Networked Healthcare Environment, AAMI.org, (online) 2010, accessed: January 24, 2011.
http://www.aami.org/publications/ITHorizons/2010/18-20_StandardsRegs_Cooper.pdf
About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.