We’ve been talking about Cybersecurity Awareness Month in the last couple of posts, following along with their theme of If you Connect it Protect it and Securing devices at Work and at Home. This third installment is on securing medical devices. In truth, a lot of the things we talked about in the previous blog posts apply here. Make sure the SecOps team has the right tools. Make sure your patches are up to date. Make sure the users are educated. Make sure security policy and process are following best practices, etc.
You know. The same advice cybersecurity professionals have been giving all along.
The Same, But Different
The challenge with securing medical devices is they live in an environment that can make some of our usual advice difficult to implement. After all, it’s much easier to update and reboot your home router at a time when it won’t interfere with anyone than it is to update, say, an infusion pump.
While computer systems in hospitals can usually follow the same change management routines we use in the rest of the world, they can face a stricter validation cycle. While people may get annoyed when the conference room scheduling system goes down because of a bad patch, people could actually die if the pharmacy computers went offline.
Patches Take Time
Another challenge in the healthcare space is that some software vendors have a rather relaxed position when it comes to providing application updates, and that includes security updates. To be fair though, slow update cycles aren’t limited to medical applications. Even when they are proactive in releasing patches, they have the added checks and validations that are vital in any industry where lives can be at stake. This often leads to a slower patch cycle from the vendor before you even consider the validation the IT department does before they release a patch into their space.
These are common problems across a lot of industries, though the consequences of a failed software update can be rather more consequential in a hospital than at a retailor. Beyond the obvious keeping people alive part, is the sorts of data healthcare providers have on their customers. Outside the hospitals, clinics, dentist’s offices, there are the business offices of the healthcare providers. They may not have the systems and services that are actively keeping people alive, but they do have confidential, protected, information on the people they serve.
In this context, we’re going to focus on the healthcare facilities themselves, as they have the unique medical devices that we’re concerned with securing. The business offices are important, but we can view them as any other business environment and apply the same best practices we apply everywhere else.
Securing medical devices in particular poses challenges. These devices suffer from the same potential security flaws a lot of other IP enabled devices face. All too often, the only thoughts with a connected device is how to connect it and what features to connect. Securing medical devices doesn’t even come to mind. Or, if it does, its far down the list of priorities. While that’s understandable with a connected lightbulb or garden sprinkler, it’s a lot harder to justify being lax on security with a respirator or heart monitor.
Validate, Then Deploy
Another challenge with securing medical devices is validating security patches and firmware updates when they do come out. Our Datacenter SysAdmins will tell us, at length, that it takes them time to validate a new patch before they put it in production. They need to make sure the server, be it a database or webserver, won’t fall over when they deploy the patch into the production environment. When a medical device is part of a patient’s life support system? You know they are going to do their due diligence and make absolutely sure the system won’t crash, even after assurances from the hardware vendor that the patch has been tested safe. Though that extensive testing can frequently lead to devices rarely receiving patches in the first place. If it is working, why take the risk? Never mind the potential security issues. The hospital’s firewalls will keep the devices safe from harm, right?
I used a physical breach of a hospital as a case study in a recent webinar on Insider Threats. That kind of insider threat leads to the conclusion that you really can’t rely on perimeter defenses to keep the internal systems safe. That’s not even counting the numerous ways an attacker can break into the environment, meaning that we need to protect the devices themselves.
More Than Maintenance
Even when you do have a verified patch available, the change management cycle can be difficult. It’s easy to post a “Down for Maintenance” on your web portal, but not so easy to take a diffusion pump down for maintenance when it’s keeping someone alive. Yes, you can add the firmware update to the normal maintenance cycle the devices receive, but that may add another week or three to the deployment time.
That leaves us with using our security stack to protect the devices, which means making sure we have the best tools in place. While there aren’t many tools that can actually go into a medical IoT device, we have tools like behavioral analytics that can help keep them safe. After all, there are only so many things we expect that IP-enabled respirator to do which makes identifying abnormal behavior much easier.