By prioritizing controls and detection, IT teams can save time when medical equipment is attacked
ORLANDO – During the HIMSS24 panel discussion Securing the Modern Connected Hospital, James Angle, information security product manager at Trinity Health, and hired hacktivist Kevin Johnson, CEO at Secure Ideas LLC, encouraged healthcare cybersecurity leaders to get ahead of the curve on cyber adversaries attempting to compromise vulnerable medical devices by knowing when to patch medical devices, focusing on configurations, and prioritizing monitoring for these inevitable attacks.
Dr. Benoit Desjardins, professor of radiology and medicine at the University of Pennsylvania, moderated the discussion on cybersecurity maintenance of Internet of Things devices. The conversation also addressed how the regulatory landscape can enlighten or confuse healthcare cyber defenders, ending with a healthy debate about the current direction of regulatory oversight of device cyber control.
Advice on patching and detection strategies
“The day you buy a new medical device, it’s an old device,” Angle says. “The day you put it into use, treat it like an old piece of equipment, because if it’s not out of date when you put it into use, it will be soon after.”
Meanwhile, new vulnerabilities are discovered every day and certain devices cannot be taken offline without causing harm to the patient.
No organization will ever be 100% complete on their device patching needs, but Angle said the best way to catch up is when devices need to be retired.
“Every medical device has a maintenance period where it needs to be serviced and taken out of service,” he said. “It’s quarterly, monthly, annually or semi-annually, but it has to be done. That’s when you catch up.”
Johnson added that healthcare organizations should treat medical devices like “hand grenades” the rest of the time.
“It just means you have to pay attention to the compensating controls you have,” he said. “Because someone like me will come along, look at that device and evaluate how it allows us to move laterally. So if you pay attention to compensatory controls, if you pay attention to monitoring and extrusion detection and things like that, you’ll be in better condition.”
The white hat hacker advises healthcare organizations on how to counter his offensive strategies:
“What you want to do is you want to focus on detecting when I’m coming in and slowing me down as much as possible so that if I try to get through the tarp to get into your organization, you have time to respond.”
“The other benefit of monitoring and identifying it this way and making it difficult is, if your hospital is really hard to hack and this other hospital isn’t, guess where it goes?” Angle added.
Hackers opt for easier targets with higher rewards, they both agreed.
“So you try to make it hard, and like (Johnson) said, you’re not going to stop them,” Angle said. “Someone’s going to make a mistake, someone’s going to do something, and they’re going to find a way; make it as difficult as possible,” he advised.
Min 72 hours, but still accounting
When Desjardins asked how unintended consequences of the regulations adversely affect the response to attacks on hospital networks, Angle labeled the requirement to report an incident to the Department of Homeland Security within 72 hours as a sticky wicket.
“That’s exactly the moment you try to respond to it and you’re up to your neck in alligators,” he said, describing the position IT leaders find themselves in when their organizations fall victim to a cyberattack.
“And DHS now decides to get into your business because if you call them, they will be there and they will take resources away from your response so they can feel good about getting their reports on time,” Angle said, noting that he previously worked for the agency.
“You’ll hear them say, ‘Well, we wouldn’t do that.’ Don’t believe it; they will,” he claimed.
While hampering a health care organization’s response is not what Congress intended, he said, “That’s what’s going to happen.”
Johnson added that “it’s very unlikely you’ll know what the hell happened” after 72 hours.
“You don’t know what impact the systems are having, especially as we increasingly discover that the ransomware attack is actually an exit strategy.”
Johnson said that while cybercriminals want money, they also want to cover their tracks.
“As someone who has done incident response for hospital chains, for medical devices, for all these types of things, do you know how difficult it is to get indicators of compromise, logs and TTPs out of that system when it’s encrypted?”
Device security in pre-market approvals
Desjardins also asked about the U.S. Food and Drug Administration medical device approval submission requirements, which took effect at the end of last year. He noted that the new cybersecurity provisions not only require manufacturers to map out a device’s security, but also to provide a post-market cybersecurity program and an SBOM, a software bill of materials.
Because the goal is “to essentially ensure that any new device introduced to the FDA would be safe,” Desjardins asked whether the legislative action has had any impact.
Angle suggested that what the FDA has released as pre-market guidance has no teeth.
“If you look at those guidelines, the headline on every single page says, ‘This is unenforceable;’ it’s just a guideline. It’s nice to say we want you to do this to secure your devices, but there’s no enforcement mechanism,” he said.
Regulations have not made Johnson’s job harder, the hacktivist said.
“The regulations have actually made my job easier because many hospitals and organizations will deploy these devices and adopt a level of control, a level of security that doesn’t really exist,” Johnson said.
“We’ve now seen hospital chains, hospital groups… that have weakened their safety because the FDA is going to enforce it for them. They deploy systems and assume the supplier is doing the right thing, which makes sense – security is a cost,” he continued.
“They’re actually reducing the amount of security they put in place.”
When asked whether an effort should be made to create more regulations for older medical devices, Angle was equally circumspect.
“The problem: unintended consequences,” he said, explaining that most health care systems have “tens of thousands of medical devices.”
Updates can cost a fortune and smaller hospitals would not have the funding to meet such a requirement, he said.
“I don’t think regulation is the answer,” Johnson added.
“I think the real answer is contracts. The only way you can effectively get suppliers to do things, hit them where it hurts, the money you pay them, is if you can hold them accountable,” he said.
FDA guidelines strengthen device security controls
One participant, a speaker later in the forum, disagreed with the characterization of recent IoT regulatory efforts, arguing that the FDA’s premarket guidance changes the way medical devices are regulated.
After thanking the panel for the presentation, Dr. Christian Dameff, medical director of cybersecurity for UC San Diego Health, asked the audience by show of hands which attendees were from medical device manufacturers.
He then said, “Keep your hand up if you think the FDA’s medical device cybersecurity guidelines are guidance and you don’t care. Keep your hand up if you don’t use it to inform your decision-making.”
All hands went down.
“I just want to say that I think there is a fundamental mischaracterization of the FDA pre-market guidance that you expressed on stage today,” Dameff said.
“And the reason for that is that even though it’s on the page as guidance, it has absolutely fundamentally changed how medical device manufacturers view cybersecurity and how they have implemented and will continue to implement new controls,” he said.
“Because ultimately, although it will take some time, they will be in a much better situation than they are now, rejecting devices for approval based solely on cybersecurity controls. They have never done that in history,” Dameff continued.
Johnson responded that every day he encounters “brand new devices that meet FDA clearance, running on hospital networks that are more insecure than if you were using Windows XP with an Internet connection.”
He said he still finds the same ports open when testing medical devices.
“I’m not saying that the vendors don’t care… I’m saying that that guidance has not been effective in better protecting patients,” he clarified.
Johnson continued, “The reality is that the devices are still unsafe, patients are still at risk, and I regularly find myself actively exploiting organizations through these medical devices, even the ones deployed and built this year.”
“That’s not possible because those devices aren’t even on the market yet,” Dameff chided.
“You clearly don’t understand this, and it’s actually very frustrating,” he said, as forum moderator Erik Decker, Intermountain Health’s chief information security officer and co-chair of the HHS 405(d) Task Group, took the stage and closed the session.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.