The government’s push for threat sharing and collaboration, with rising alerts directed at the healthcare sector, is a welcome change in longstanding efforts to reduce cybersecurity challenges through global awareness and a stronger cyber posture in the industry.
But awareness doesn’t always translate into a viable solution, especially when it comes to tackling the details of medical devices. Due to the sheer complexity of the device ecosystem, resource constraints, and knowledge gaps, even the largest healthcare systems struggle to address risk management issues.
“I think medical devices and biomedical in general… are really kind of the redheaded son-in-law of healthcare organizations because they’re complex and nobody really knows how to deal with them,” said Ben Denkers, Chief Innovation Officer of CynergisTek.
Consider the FBI’s Legacy Medical Devices alert, which sounded the megaphone on the risks associated with exploiting legacy technology in devices directly related to patients. For many healthcare professionals, the messages sounded familiar: groups like CHIME have long warned of patch management issues and the impossibility of real-time inventory in the healthcare environment. Likewise, the recommendations were pretty vanilla: basic blocking and tackling at the end of the day.
Certainly, such reminders don’t hurt – encouraging some healthcare entities to leverage technology as protection to defend against a specific threat or to reduce overall risk. But some argue that the challenges facing many vendors cannot be reduced to a single problem or solution, and that current risk assessment could prevent a vulnerable market from seeing the forest through the trees.
SC Media spoke to Denkers about this dilemma and how the market can better overcome the multiple and sometimes conflicting obstacles to cybersecurity.
Persistent knowledge, staffing gaps
When the onslaught of healthcare ransomware attacks began in 2016, the rallying cry was that there was no silver bullet to solving cybersecurity problems. The sentiment remains, both for overall infrastructure and device security vulnerabilities.
As has probably always been in healthcare, the crux of its issues is actually a combination of resource and knowledge constraints, which are necessary to have a truly effective security and privacy program, Denkers explained. Vendors need a combination of people, processes, and technologies to have a successful privacy and security program, even before it’s applied to a specific area like medical devices.
“If you don’t have enough resources, it’s going to be problematic. If you don’t have the right technology, you’re going to have problems. And if you don’t have the right processes to make sure it all works and is effective, it’s no use to you,” Denkers said.
“That’s the problem. It’s not a singular problem of ‘hey, we don’t have the right technology to stop the attack,’” he continued. “You can wave your magic wand and implement some kind of endpoint protection on all the medical devices. Great. But what if you don’t have the people to monitor the alerts or you have to manage a compromised device?”
This means that even when a problem is identified, it still cannot be fixed without effective processes or controls. And if the problem persists, it can create downstream effects when the device remains in use, which could further impact patient safety.
Also, if hospital management doesn’t know how to use current security technology, “it won’t do much,” Denkers said. Others struggle without the resources to manage or monitor the tools, or even modify them to make them effective in the environment.
“I’ve had countless conversations with individuals in healthcare organizations, and similarly where they’ve invested a lot of money in technology to stick around because they don’t have the resources or the know-how, or the physical resources to take the device and implement it,” he added.
“And they certainly don’t have the resources to validate that it works. The safety of medical devices is important, it absolutely is. But you’re also talking to organizations that, I would venture to guess, probably don’t even have endpoint protection.”
Some resource issues are financial; organizations don’t have the money to invest in the tech stack or afford to hire the right people. Hiring challenges also persist for rural providers, who may not be able to physically recruit people into the organization.
“Many rural hospitals face staffing challenges purely because of their location,” he said. Healthcare faces all of these issues across the board, not only with medical devices, which carry a higher level of risk because of their direct attachment to patient care. But “if you really start peeling back the layers, you’ll start to see that health care in general still isn’t necessarily a frontrunner in security and privacy agendas.”
The elephant in the room
Denkers posed an important question: If an automaker had vehicles on the road that generally did what they were supposed to do, but passengers were at risk due to a faulty airbag or faulty brakes, what would happen? The manufacturer would be forced to make changes.
“The reason why we have to deal with these problems is that [medical devices] weren’t properly developed from the start,” he reflected. “It all starts with the software development lifecycle, and where does the SDLC start? It is the one who develops the product or the solution.”
If issues are not properly investigated early in the development cycle, risks arise. As Denkers sees it, “it is the supplier’s responsibility to have a better product”.
It’s a snowball effect: you’re never really going to catch up, because it’s just going to keep getting worse every time you have outdated software or end-of-life hardware and products.
“It’s interesting, these types of risks wouldn’t be accepted in any other organization. But for some reason, we’re dealing with people, who have arguably the highest consequence rates, and that’s okay,” Denkers said.
Filling the gaps as threats grow
The FBI alert was likely intended to reflect current threats facing vulnerable platforms, warning that bad actors are increasingly using unpatched medical devices to gain a foothold on the network.
But the alert should rather serve as a guide: an exploit could ultimately impact data integrity and confidentiality, or even worse, cause disruptions in operational functions and impact patient safety.
Use this “like a compass or a North Star,” Denkers recommended, and review the guidance to check how well medical devices are protected. Many healthcare professionals find themselves in situations where they think they have certain safeguards in place, or some version of the recommended safeguards, and inadvertently miss the most important element in the middle of the noise.
As Denkers makes clear, “The question then really becomes: How effective is this control?”
An entity may have endpoint protection or access controls, but be unaware of potential gaps in the environment, or unsure whether the tools adequately address vulnerabilities. Some “organizations typically don’t have a mechanism in place to validate the effectiveness of controls — whether it’s people, process, or technology,” he explained.
Segmentation is one of those areas where an entity may decide to separate certain devices from the main network, but the management of those devices is then handled by another department. The control is set once and then forgotten. But as Denkers noted, “if they’re connected to the network, they’re still connected to the patients.”
And such oversights have serious consequences. If a device or its supporting infrastructure were compromised, and that device needs internet connectivity or access to certain parts of the environment in order to function, then the device can no longer be used for patient care.
Depending on the organization’s requirements, there can be “many downstream effects of general compromises on the IT environment that quickly become problematic.”