Authors : Veronica Schmitt and Nina Alli

We have observed the state of cyber-security in terms of healthcare and medical devices. We have been part of these industries as patients, dealing with digital forensics and incidents within these industries, as biohackers and researchers. We have seen the threat landscape and have been involved with many conversations with decisions makers. This article has been the product of long conversations between us. The push to write these articles were that there has been enough talk and it has now become abundantly clear that the landscape involved with healthcare and medical device cyber-security is misunderstood. The state of cyber-security in healthcare and medical devices are doomed to fail unless we take the time to clearly define and understand these systems.

When it comes to applying cyber-security practices in a hospital setting we often make the mistake of falling into the trap of hardening the outside perimeter, leaving the core exposed to weaknesses and vulnerabilities, with the belief that the network within a healthcare setting remains the responsibility of that institution. Hospital cyber-security personnel need to clearly understand what devices they are implementing on their network and in which manner they should be implemented. We assume that once a device is on the network it will not be penetrable from the outside. We forget that the insider threat is still the most pertinent and dangerous adversary any organization can face. However, if you have an understanding of how a device functions and what that devices are capable of doing you can implement them into a zero trust network, where all devices are potentially seen as dangerous unless it meets a set of specified controls to be allowed access to the network. Segmentation and sand-boxing of medical devices are often neglected and forgotten.  

The question is why are we getting things so wrong? 

Well we are getting it wrong because we expect that the rules of cyber-security are universal and the same across all operating systems, devices and communications protocols. We make the assumption that we can have one golden recipe for cyber-security which can be applied the same across the board. This is idealistic and the things fairy tales are made off. The success of a cyber-security approach is to understand the systems and the landscape you wish to attack. We are at war and should apply military tactics to this problem, we should gather the intelligence and knowledge about our assets and where we are the weakness and derive a plan that caters specifically to that. 

There are different kinds of devices within the healthcare and medical setting. In my previous article (shorturl.at/uyRW2), these were defined as endpoints and embedded devices. In my opinion when we start getting a clear understanding of the type of device we are dealing with we can adequately do a security guided approach. When one starts working through the Manufacturer Disclosure Statement for Medical Device Security (MDS2) form and the multiple Food and Drug Administration (FDA) guidances it becomes clear that these have been adapted from end-point National Institute on Standards and Technology (NIST) related standards and security approaches. Handling an endpoint that is managing electronic health care data versus security of an insulin pump are two vastly different approaches. Why are the guidelines that are followed and the forms that are filled in all use the same approaches for an end point versus an embedded device. The FDA guidance is simply just that a guideline of things we should have in medical devices, however most of these are not applicable to medical devices and focus more on the software. 

The MD2 form is an example where we have taken cyber security controls which are applicable to endpoints and trying to force medical devices to conform to these. Most of these forms end with “N/A” noted because the information is not applicable to medical devices. For a healthcare establishment or medical manufacturer to do a risk analysis they need to clearly understand their threat landscape. The feedback that I have gotten is to make use of the Microsoft Threat Intelligence tool which is designed for organizations with end-point systems to identify their Threat Landscape. This leads to the question: how are we expecting accurate results when we are using theories and approaches not designed for healthcare and medical environments taking into account their unique challenges and constraints. Do we understand the landscape if we are not applying the right tests? There is a light at the end of the tunnel, and before you ask, it is not a train. Omada Health has created a healthcare and medical orientated risk analysis and threat modelling tool which has been designed for these industries. Their INCLUDES NO DIRT approach is a huge step in the right direction and a breath of fresh air. You can find their nodirt approach at https://www.omadahealth.com/hubfs/nodirt.pdf.

The time is here that we as cyber security professionals take the time to understand the landscape, to define the devices and take each category and design security standards and controls that are both applicable and appropriate for that type of device. The time is here for change, to have the equivalent of a NIST or IEEE standard specifically for healthcare devices, medical devices, and embedded devices. These devices range from operating systems, communication protocols, logging in hardware and software design. We cannot realistically believe that one set of rules and requirements will work for these devices when they do not function in the same capacity. Let’s design a better approach to securing healthcare and human lives. 

In the medical field there are specializations and each have their unique approaches. There will be points where they cross over and intersect. We should approach securing healthcare and medical devices in this manner, each “specialization” of devices should be treated as a unique affliction and their remedy should be unique to their ailments and where those portions cross over the treatment might be the same. Lets define, standardize and redefine our approach to this affliction.

We superimpose ideas from other industries without considering the unique constraints faced by these industries. The notion behind this endeavor is noble and just, the execution requires assistance. We believe that this would better be established at NIST, where the organization and its knowledge can better serve the constituents of the medical device industry. Lending its expertise to devise improved controls, metrics, standards, laws, rules, and regulations that will guide and advise the work being done.

This change in course would allow cyber-security to meet people where they are at, educating and engaging each other in the current body of work in medical devices. 

Resources to look at:

Controls: https://www.greenlight.guru/blog/document-controls-medical-device-companies

Twitter: https://twitter.com/medicaldevices?lang=en

SBOM vs MDS2: https://www.cybermdx.com/blog/how-mds2-data-can-inform-smarter-medical-device-workflows