Checking the cybersecurity pulse of medical devices

Hospitals are increasingly becoming a favored target of cyber criminals. Yet if you think about medical equipment that is vulnerable to being hacked at a hospital, you might not immediately think of high-end, critical equipment such as MRI and X-ray scanners, and nuclear medicine devices.  After all, these devices go through rigorous approval processes by the US Food & Drug Administration (FDA) before they are approved for safe use on patients.

Yet today many, if not most, medical devices, have computers embedded in them, are connected to the hospital network, and often to the internet as well, so they provide a potential attack vector for cyber criminals. In late 2015 security researchers found that thousands of medical devices were vulnerable to attack and exposed to the public Internet. Interestingly, these  researchers also found that many of the devices in question were running Windows XP – which is no longer supported or updated by Microsoft – and did not run antivirus software to protect them against malware.  This combination raises an obvious security red flag.

Ironically, these security vulnerabilities were further exacerbated because of the very FDA approvals process that certifies the devices. The approval process is, quite rightly, extremely rigorous.  It is also lengthy and expensive. And if a manufacturer or vendor makes a change to a device, it needed to be re-certified.  Until very recently, a ‘change’ to a medical device meant any sort of change – including patching devices’ operating systems and firmware to close off potential network security vulnerabilities.

You can see where this is going: making simple updates to medical equipment to improve its defenses against cyberattacks was made that much more difficult and complex for the device manufacturers, because of the need for FDA re-certification every time a change was made.  And of course, this potential delay in patching vulnerabilities made it easy for a hacker to try and ‘update’ the device in his own way, for criminal purposes.  Hackers are usually not too concerned about getting FDA approval for their work.

Fortunately, the FDA released new guidelines last year that allowed equipment manufacturers to patch software as required without undergoing re-certification—provided the change or modification does not ‘significantly affect the safety or effectiveness of the medical device’.  That’s good news – but it’s not quite the end of the story.

The FDA’s guidelines are only a partial panacea to the overall problem. They overlook the fact that many medical devices are running obsolete operating systems like Windows XP.  What’s more, the actual process of applying patches to the computers in medical devices can vary enormously from manufacturer to manufacturer, with some patches needing to be downloaded and applied manually, while others may be pushed automatically.  In either case, there could still be a window of weeks, months or even years before the device’s vendor issues a patch for a given vulnerability – a window that a hacker could exploit before the hospital’s IT team becomes aware that the vulnerability exists.

This means that hospitals need to take great care when it comes to structuring and segmenting their network. It is vital that connected medical devices – particularly those where the internal OS may be out of date – are placed within defined, segregated segments of the network, and robustly protected with next-generation firewalls, web proxies and other filters.  While network segmentation and filtering will not protect unpatched or obsolete operating system, they will ensure that the hospital’s network is secured to the best of its ability.