©2017 ECRI INSTITUTE

Medical Devices Cybersecurity?Introduction to the Cybersecurity

Landscape in Healthcare

Marc Schlessinger, RRT, MBA, FACHE

Senior Associate

Applied Solutions Group

May 5 & 6, 2017

©2017 ECRI INSTITUTE

Evolution of the Connected Medical Device

Self contained

device per bed

space

Interoperable

therapy/diagnosis system

with data exchange to

various information systems.

©2017 ECRI INSTITUTE

Cybersecurity Landscape in Healthcare

Medical devices are increasingly used with a network connection to enhance

safety and workflow

Documentation

Data transfer

Software updates

Troubleshooting

Calibration

More connected more vulnerabilities

©2017 ECRI INSTITUTE

What is different about healthcare when it

comes to cybersecurity?

100’s of device manufacturers

Long useful life

10+ year old device is not

uncommon

Clinical limitations

Life critical functions

Large attack surface

Patient and visitor access to areas with

sensitive devices

Emergency situations

Device needs to be available right now!

©2017 ECRI INSTITUTE©2017 ECRI INSTITUTE

Medical Device HackingWhat do we know today?

©2017 ECRI INSTITUTE

Medical Device HackingWhat do we know today?

NO EVIDENCE OF PATIENT HARM

Several device vulnerabilities have been identified by security

researchers Hard coded passwords

Remote device access/control

Disruption of device communication to other systems

Modification of some device configurations

How serious are these vulnerabilities?

©2017 ECRI INSTITUTE

Cybersecurity Vulnerabilities of Hospira Symbiq Infusion SystemFDA Safety Communication (July 31, 2015)

Remote ability to control an infusion pump

“We strongly encourage that health care facilities transition to alternative

infusion systems, and discontinue use of these pumps.” - FDA

©2017 ECRI INSTITUTE

What if a device was compromised…

Disabled communication to other information systems

Impact normal workflow

e.g., data does not flow to the patient’s EHR

Disabled the device

Availability of the device to perform its intended function may be limited

Possibly mitigated by a back up unit

As a vector to attack the organization’s network

Compromised wireless network credentials

Compromised enterprise network

©2017 ECRI INSTITUTE

What if a device was compromised…

Alter the intended operation of the device

Change device configuration or settings

Difficult, extended device access required – there are easier ways to hurt

people

Steal PHI

Confidential patient information lost

Loss of trust in the organization

Financial impacts, fines

©2017 ECRI INSTITUTE©2017 ECRI INSTITUTE

Healthcare Facility Action Plan How to Address Cybersecurity?

©2017 ECRI INSTITUTE

Problem of Legacy Devices

Long useful life of a medical device legacy systems

Finding XP as a part of medical equipment is common

Some devices may not have up-to-date security capabilities

Available security patches are likely limited

Document which legacy devices are connected to the network and what

data do they hold -> address the risk accordingly

©2017 ECRI INSTITUTE

Securing Medical DevicesA Significant Resource Drain

Equipment management

Patch management

Staff security training

Vulnerability scanning

Risk management

RFP language to include security features

Device Integration Test Lab

©2017 ECRI INSTITUTE

Equipment ManagementStart with Documentation!

Identify Which devices are connected to the network?

Document Software versions

Network configuration settings

IP Addresses

MAC Addresses

Prioritize Does the device hold PHI?

Life critical functionality – what happens if you cannot use the device?

©2017 ECRI INSTITUTE

Patch ManagementChallenges in Updating Medical Devices

How to ensure that medical devices are up to date with the latest security

patches?

Develop a policy for updating your medical devices

Challenges:

Lagging security patches – at best 2-3 months behind

Often hands on update required

Equipment down time -> impact patient care

Disconnect between FDA and the manufacturer

Security patches do not need a new 510(k)

©2017 ECRI INSTITUTE

Staff Security Training

Ensure appropriate security training is in place

Phishing scams

Identifying suspect emails, do not click on all email links

USBs can spread viruses and cause device

malfunction

ECRI Top 10 Hazard 2015

USB use policy – Block USB use if merited

Passwords do matter!

Promote the importance of strong passwords

Password sharing

□ Passwords do not belong on a post-it-note by the nurses station

BYOD – Bring your own device

Establish a policy on how to deal with BYOD

©2017 ECRI INSTITUTE

Vulnerability Scanning

Standard network tool to identify known vulnerabilities

Commonplace for IT assets

Limited to known vulnerabilities

Medical devices – Can I scan it?

Not always

Network scanning took out a facility’s telemetry system

Scanning for medical devices may be best done during the day shift, so

in case something does go wrong there is sufficient staffing to address

it.

©2017 ECRI INSTITUTE

Risk ManagementWhat to do with my networked medical devices?

Identify existing vulnerabilities

Develop compensating controls to minimize risk

e.g., block commonly used communication ports

Human resources to address network security needs e.g., CISO

Consider the adoption of ANSI/AAMI/IEC 80001-1:2010

©2017 ECRI INSTITUTE

ANSI/AAMI/IEC 80001-1:2010Application of risk management for IT Networks incorporating medical devices

Standard for healthcare facilities

How to implement a risk management system to address

networked devices

Downsides…

Expensive and difficult to implement

©2017 ECRI INSTITUTE

RFP language to include security features

Include language about common security features

Buying a system based on Windows XP with a lot of known vulnerabilities

is not necessarily the best idea

MDS2 – Manufacturer Disclosure Statement for Medical Device

Security Require it!

VA Directive 6550 for Pre-procurement Assessment

©2017 ECRI INSTITUTE

Device Integration Test Lab

Clinical engineering test and validate every patch and update prior to release

Ensure all systems are functioning as intended

Lab would include medical device and test server Expensive!

Some very high end/large hospitals

have this capability.

©2017 ECRI INSTITUTE©2017 ECRI INSTITUTE

Regulatory Issues

©2017 ECRI INSTITUTE

Regulatory PerspectiveFDA and cybersecurity

FDA’s evolving approach to cybersecurity

Cybersecurity is a consideration during new 510(k) submissions

according to FDA officials

Incentivize sharing of vulnerability information

Curb the “silent fixes”

Content of premarket submissions for management of cybersecurity in

medical devices (10/2014)

Guidance for manufacturers on how to address and identify cybersecurity during

design and development

Guidance for preparing premarket submissions

©2017 ECRI INSTITUTE

Regulatory PerspectiveFDA and cybersecurity

FDA’s evolving approach to cybersecurity

Postmarket Management of Cybersecurity in Medical Devices (Draft 01/2016)

Managing postmarket cybersecurity vulnerabilities for medical devices

□ Promote good behavior among manufacturers

How about the already cleared devices that might be vulnerable?

©2017 ECRI INSTITUTE

Why are we doing this?

Ransomware – The New Normal

Most recent public occurrences

MedStar Health (03/2016)

Methodist Hospital (03/2016)

Hollywood Presbyterian (02/2016)

Low Risk High Reward

©2017 ECRI INSTITUTE

Download the ECRI Infographic

Cybercrime: The Healthcare Epidemic of the 21st Century at:

https://www.ecri.org/Pages/cybersecurity-

infographic.aspxhttps://www.ecri.org/Pages/cybersecurity-infographic.aspx

©2017 ECRI INSTITUTE

©2017 ECRI INSTITUTE

Questions?

Marc Schlessinger Senior AssociateApplied Solutions(610) 825-6000 ext. 5420mschlessinger@ecri.org