In-depth interview with Chris Manning, Associate Director, and Matthew Freilich, Senior Manager, from Protiviti's Security and Privacy practice.
December 3, 2019
In this series, I’m talking to our cybersecurity leaders and experts who are speaking on our webinars and are in the market working with organisations, addressing these challenges. For more information, you can visit protiviti.com/security, where our webinars and other content are available.
I'm happy to introduce my guests today. They are Christopher Manning, an associate director with our Security and Privacy group, based in Atlanta, and Matthew Freilich. Matthew is a senior manager with our Security and Privacy group, and he is based in Philadelphia. Chris, it's great to speak with you today.
Medical devices are something that is starting to impact all of us. This happens in a lot more ways than people typically expect because medical devices are quickly becoming part of the treatment of common ailments, and of treating issues that previously required different types of medical intervention.
So, as an example, most people have become familiar with the idea and the concept of dealing with chronic pain, and things like opioids are in the news quite a bit. The medical device manufacturers have been trying to tackle these types of issues from their side as well, so that rather than someone having to take something like painkillers for chronic pain for their entire life or for prolonged periods of time, they’re making devices, like neurostimulators, which can be used to work with the nervous system to help try and mitigate pain from a different perspective, so you don’t always have some pharmaceutical pumping through your blood. Instead, you have an implanted device or a device that you carry with you that is used to help mitigate that kind of pain. And as time goes on, the expectation, at least the way that I see it, is that we’re probably going to see these medical devices become more and more pervasive in everyday life.
Yes. Absolutely, Kevin. From a healthcare provider or hospital – or what’s often referred to as a healthcare delivery organisation, or HDO – one of the biggest things that I’m seeing is a lot of interest from boards of directors and audit committees related to patient safety issues. So, as you start thinking about pacemakers, or other items that are either sustaining life, or diagnosing things that are very serious, or treating things, from an attacker perspective, like Matthew mentioned, there are folks who are able to gain access to these key devices and, essentially, deliver things incorrectly or stop operations. That could be a very, very serious issue regarding not only diagnosing something but also the health and long-term safety of that patient – their life. Those are the things that a lot of the hospitals are trying to understand at this point, and trying to quantify the risks to those patients.
Then, I would say secondly, there are always the data security issues that are commonly around. We hear about, almost every day in the newspapers, data breaches related to credit cards or patient records – things like that. A lot of these devices do store what we consider electronic protected health information. So, if someone’s able to gain access to that device, they can then steal those records as well for profit, for use in other ways. So, patient safety is the biggest, with data security and privacy second.
I think one of the biggest myths out there, and Matthew can touch upon this as well, is that the devices are built securely. When someone’s putting some type of computer or hardware into your chest that's going to help maintain your heart rhythm, you would have that assumption that that piece of hardware would be built securely and would be resilient to attacks, and unfortunately, you find out that that’s just simply not the case. There are all types of different vulnerabilities that are out there that affect these types of devices, just like they affect other computers. It’s a race to stay ahead of the folks who are trying to be malicious in these attacks, and prevent that from happening.
One of the other things I think I would comment on from this perspective is that the FDA is very big on regulating food and drugs, obviously, in the United States. One of the myths is that the FDA is very rigorous – it goes through and does technical analysis or technical testing on these devices, detects them before they get into the environment and are purchased by hospitals and used on patients – and that’s simply not the case. The FDA does have some pretty strenuous guidelines on cybersecurity, some recommendations in that space, but they are not going out and doing testing on these devices to validate them before they’re being used on patients. They’re really relying on the medical device manufacturers to do that, and to hire companies who have a lot of experience in doing this, like Protiviti, to go through and make sure that they’re secure and safe before they’re used on patients.
Sure. I think that – and Chris touched on this – one of the things that I think is important to drive home is that people seem to have this idea that no one will attack or go after medical devices, because we all would adhere to some kind of basic moral standard or code that would prevent people from doing so. I think we can see, from the types of things we started to see in the wild, that medical devices do get attacked, not from like a highly specific targeted perspective, but in the same way that we’ve seen organisations targeted by ransomware and things of that nature. Medical devices are not outside of the purview of these kinds of attacks as well.
A lot of these systems, especially the ones that are part of more complicated processes, typically are systems that are built on Windows, built on Linux, built on these foundational operating systems that have been attacked by folks for a long time. And when these types of devices are put on some kind of network, or when manufacturers develop them so that they can be attached or connected to via Bluetooth or Wi-Fi or ZigBee and Z-Wave, when they have the ability to interact with other systems, somebody is going to be curious and pry, and see what kinds of things they can do by poking around, attacking those devices. I think that’s kind of the same sense as with BART, as an example, being hit from a public transit perspective, where their systems were attacked by ransomware. Medical devices can fall to these same types of issues.
So, I think that we need to be very aware of the fact that even though these are highly specialised devices in a lot of cases, and they’re designed to provide infusion pump therapy and things of that nature, they can still sometimes just be attacked and can cause serious issues, both for the people using them, the hospitals that they’re with, and then also for the manufacturers who are trying to figure out the best ways that they can try and defend and protect these types of devices.
I would say that they break down into two basic categories. The first one is getting clarity around regulatory requirements. There are regulators in the U.S., in Canada, in the European Union that have varying requirements which can make navigating the security testing and documentation pretty difficult, especially if it's an organisation’s first time going through that process. The second one is clients understanding the number of attack vectors and the resourcefulness of the threat actors and what those threat actors are.
Understanding those threat actors is important because those threat actors come in many forms. There are the profit- and crime-motive-based ones such as counterfeiters or ransomware operators. You have hobbyists, some biohackers who are the intended owners of devices that want to understand, “What is this device doing that’s monitoring me or providing me with some kind of therapy?” You have security researchers that want to break these devices down as much as possible, understand the ins and outs of them, oftentimes with the intent of trying to make these devices more secure by letting these manufacturers know what the issues are; sometimes there are less scrupulous individuals as well, but those are definitely in the minority. Then, even things like governments and intelligence agencies that want to surveil or track people or systems so that they can target specific individuals for just monitoring or whatever it may be.
The second subcomponent of that is around the education and security testing of these devices and the engineers that work on them. A lot of these companies have unbelievably smart engineering talent, but they haven’t been necessarily exposed to the security side of the house. So, once these engineers have an opportunity to understand how attackers think, how they break down security barriers, and how some basic security frameworks can be applied, a lot of progress can be made to make these devices more secure.
Yes, Kevin, I think they’re facing a lot of different types of challenges. One of the ones that kind of sticks out as a key factor on not only diagnosing this problem but also eventually solving it is trying to figure out whose ultimate responsibility it is around medical device security. Usually, within healthcare delivery organisations, or HDOs, there's a division of the business, a department that is related to clinical engineering or biomedical engineering. There’s usually information technology. There’s usually a cybersecurity group. There are all these different teams that have roles and responsibilities related to the security and information related to devices, whether they’re computing devices or medical devices.
And when you start talking about the security of those and you start looking at the various devices we’re talking about, sometimes there’s some gray area that comes up. So, if you think about a pacemaker model, there’s not only responsibility for the HDO, for the biomed folks who are configuring those devices, who are interfacing with the clinicians on those configurations, who are also talking to the manufacturers, or the folks who are reselling some of those devices; they want to talk to those individuals about their responsibilities on things like patching the devices if there’s a security patch that comes up. It gets even more complicated when you extrapolate that from just one specific end device and then you start having things like these giant MRI machines that are connected to, maybe, stand-alone workstations or servers, hospital networks. So, then, you’re bringing in, also, the networking team.
So, the name of the game with medical device security at healthcare providers is, it’s really a team sport. There are so many different actors and so many different players on the field here who have individual roles or responsibilities, but they have to play nice with the other teams, and they have to communicate a lot. They have to make sure that everyone’s doing their part, and that no one’s being the weakest link in that chain.
So, a lot of the coaching that we provide is external consultants coming in to review the processes and set up governance groups and committees between these various departments to really start talking about that. So, even going to the beginning, when clinicians are planning on the device that they need, and setting requirements for those different devices, if they want infusion pumps, do they want them to have wireless capabilities? Do they want them to host patient information?
So, connecting the clinicians, the procurement group that is going through and contracting with these medical device manufacturers and trying to get them to understand. We do want to put some contractual language in there about information security controls and eventual updates, and then connecting those back to the biomedical clinical engineering group, IT, information security, and possibly even risk management and legal as well. So, it’s always one of the things where we have an interesting time figuring out all the different teams which should be involved, and what their preexisting relationships are, and how they need to set some prejudices aside to work together and really kind of complete the whole chain here.
Chris, Matt, this has been a great discussion. Again, thanks for joining me. I also want to make a reminder here to please visit protiviti.com/security for more information on medical device security, our other webinars on this topic, and other content we have on a broad range of cybersecurity issues.
So, Chris and Matt, as we close out our discussion here, I wanted to ask each of you – Matthew, I’ll have you answer this first: With regard to this field of medical device security, what are you most curious about right now? I ask that in the context of thinking about what’s coming, or change that you see, in the next three, five, even 10 years?
So, there are a lot of emerging technologies that are on the horizon, and I think that’s because of the capabilities of chip manufacturing, the different types of wireless technologies that are coming about, and the fact that we all have these really powerful portable computers that we now use as cell phones. Just the pervasiveness of these types of devices is going to skyrocket.
I think it’s important for both manufacturers, as well as hospitals and even individuals, to understand that we’re going to have to make sure that we treat these types of devices and the capabilities that they have with some extra due diligence when we want to have them and use them, because they can ultimately provide us with a better life. But if we want to make that life as fulfilling and provide even the least amount of worry, I think we all have to participate with understanding and demanding security, both from our manufacturers as well as from the people that provide us with the installation of these devices, either in or on our person.
I’m really excited to see where this goes from an HDO perspective, Kevin. In the majority of hospitals and healthcare systems that we go in to help with this problem, where we go in to help them assess the risks to patient safety and data security around these devices, we’re finding really systemic problems in the management of these medical devices as assets within the organisations – things like, hospitals aren’t even able to provide us a full inventory of the devices they own or lease. The ones that they do have on some type of inventory or list, they’re unable to articulate if those devices have the ability to store patient information or if they’re connected to the hospital network or other devices. So, they’re essentially lacking the information to even have the ability to start making risk prioritisation and risk decisions from a cybersecurity perspective related to these devices. So, I’m really hoping that this awareness catches on, that HDOs start to understand that in order to make ourselves more secure, we need to start tracking that information. We need to start communicating with the manufacturers. We need to start working as a team internally and working with folks like Protiviti.
You have experience in these areas to really quantify that risk and make some steps going forward so that, like Matthew mentioned, we can take advantage of these devices to do wonderful things that they’re doing out there in terms of diagnosis and treatment, just really amazing things in helping individuals who need it, and staying away from the headlines of these data breaches or these potential impacts to devices that are affecting the livelihood of folks. So, from the HDO perspective, I think it’s a little bit more of a governance exercise, but something that is very important to focus on here in the future.