Securing connected medical devices: Will categorizing them as ICS help?

Since April of this year, the Department of Homeland Security (DHS) Industrial Control Systems Emergency Response Team has issued several alerts advising healthcare entities of cyber vulnerabilities in equipment ranging from medical imaging systems to patient monitoring gear. In addition, medical device manufacturers have reported their own security vulnerabilities via ICS-CERT alerts, including Philips, Abbott and BD.

In reviewing the ICS-CERT notices, it’s interesting to note that within the United States, medical devices are categorized as Industrial Control Systems (ICS). For many in IT security, ICS or SCADA (Supervisory Control And Data Acquisition) security only gained notoriety with the advent of the Stuxnet malware that was used to compromise Iran’s nuclear facilities in 2010. Who could imagine that medical devices would be grouped with SCADA technologies in terms of the magnitude and criticality of their security?

When viewed as previously isolated and discrete hardware that has since been connected to a network, medical devices are no different from ICS or SCADA systems. While these devices have been networked and interconnected for some time now, only recently has the industry begun to implement physical and logical security controls to protect them.

Fortunately, several initiatives are underway to improve the security of medical devices, including the FDA’s recently published “Medical Device Safety Action Plan.” There’s also an interesting proposal for a Hypocratic Oath for Connected Medical Devicesthat has been proposed by I Am The Cavalry, a cybersecurity volunteer association focused on public safety concerns. Their Oath identifies measures to preserve patient safety and trust in the healthcare system as a response to the increasing reliance placed on connected devices.

Now that they’re longer protected by an “air gap,” let’s consider what’s needed to protect connected medical devices from security threats.

Protecting connected medical devices

Just as in IT, the foundation for medical device security begins with asset management, namely the discovery, assessment and inventory of all medical IoT devices in an environment. Understanding their security configurations and vulnerabilities is critical. Especially since many of the devices use outdated and end of life operating systems, and provide limited capabilities for updating device configurations or applying patches.

Step two involves log management, which provides visibility into activity on these devices. However, making sense of log data and turning it into actionable intelligence is more challenging than with IT devices, since medical systems are not designed with built-in security and management functionality.   There is some good news though. Advances in data science and machine learning can provide insights  that were previously unattainable and even predict impending problems.

Hackers have already demonstrated the ability to compromise and disrupt healthcare networks with ransomware or to “medjack” devices to infect other interconnected devices or IT systems.

Analytics can help protect medical devices in several ways. By taking the first step to discover what devices are present on the network, entity-based analytics enable organizations to detect unexpected changes in device configurations, broken or malfunctioning equipment and even devices that have gone rogue due to the introduction of malware or ransomware.

One important new capability provided by analytics is the ability to test for the veracity of the authorization model configured on the medical device. Most medical devices are set with a default username and password applied during manufacturing, which provide access to perform firmware updates or periodic preventative maintenance. Since these default credentials are present in similar devices all over the world, if left unchanged, they pose a massive security vulnerability. Using analytics to monitor medical devices can play a central role in reducing many of the inherent risks built into their standard configurations.

In addition, analytics can monitor the location of medical devices, especially since many of them are highly portable or mobile and are often being moved to different patients or locations. For example, analytics can provide information about whether a medical device is in use or how long ago it was used, and help manage inventory and “lost” devices.

Clearly, the pace of implementation of medical IoT devices has far outstripped both automated and manual management capabilities and update processes. While newer generations of medical devices will undoubtedly move beyond the current rudimentary functionality provided and become true smart devices, we need to find ways to manage and mitigate risk in current infrastructures. Analytics can provide the intelligence needed to mind the security gaps that are present in today’s medical devices, regardless of whether we call them ICS or IoT.