It’s the operating system that runs the elevator, the HVAC system, medical equipment, and even the router that connects everything else in a hospital to the outside world.
Wind River Systems’ VxWorks real-time operating system powers these devices and more. But pervasive vulnerabilities in versions going back over a decade have recently been discovered. The vulnerabilities lie in the TCP/IP (IPnet) stack, which ships in a wide range of older IoT devices.
However, according to Wind River Systems’ FAQ, the latest release of VxWorks is not affected. Wind River has recommended that organizations deploying devices with impacted versions of VxWorks patch immediately and said it has fully tested patches to address the TCP/IP (IPnet) stack vulnerabilities.
WHY IT MATTERS
Researchers at Armis, who call VxWorks "the most widely used operating system you may never (have) heard about," have discovered 11 vulnerabilities, six of them critical, that affect Wind River VxWorks versions since version 6.5 – and are collectively referring to them as "URGENT/11." Wind River notes that certain releases, including its latest release, are not affected. Six of the 11 are remote code execution vulnerabilities; the remainder include denial-of-service flaws.
The significance of the RCE vulnerabilities is that successful exploitation could allow a hacker to remotely take over the affected devices. Successful exploitation of the other vulnerabilities could lead to information leakage, denial of service and logical flaws. All of these vulnerabilities can be exploited by an unauthenticated remote attacker.
"The potential for compromise of critical devices and equipment especially in manufacturing and healthcare is a big concern," said Ben Seri, vice president of research at Armis.
VxWorks and operating systems like it are the lightweight, powerful systems that drive many mission-critical and special-purpose devices. These range from perimeter-level devices such as routers and firewalls to connected medical equipment that sits inside secured networks.
The consequences of any of them being brought under outside control could directly affect everything from the routine functioning of a hospital’s basic facilities to life-critical operations.
Wind River has issued patches and is working on mitigation with customers, but as Wired has pointed out, addressing such widespread IoT updates can be a long process.
On Tuesday, the U.S. Department of Homeland Security put out a Cybersecurity and Infrastructure Security Agency ICS Advisory that explained the vulnerability in detail and offered mitigation information.
THE LARGER TREND
The healthcare industry has been recognized as both target-rich and easy pickings. Any new vulnerability in something so deep-seated in a hospital’s network architecture should reinforce the need to invest heavily in security.
This is doubly true of the relatively new class of IoT devices, which are expanding inside hospitals at a meteoric pace. While this is hardly the first instance of a connected medical device being hacked, any news of new vulnerabilities is a call to action on security.
ON THE RECORD
"URGENT/11 could allow attackers to remotely exploit and take over mission critical devices, bypassing traditional perimeter and device security," said Yevgeny Dibrov, CEO and co-founder of Armis. "Every business with these devices needs to ensure they are protected. The vulnerabilities in these unmanaged and IoT devices can be leveraged to manipulate data, disrupt physical world equipment, and put people’s lives at risk."
"Wind River’s dedicated security incident response team worked closely with Armis to ensure customers were notified and provided patches and mitigation options," said Arlen Baker, Wind River's chief security architect, in a blog post. "This shared, collaborative process was designed and executed to help device makers mitigate potential risks to their users. We thank the security researchers for their role in helping us discover these vulnerabilities in the IPnet networking stack."
Benjamin Harris is a Maine-based freelance writer and former new media producer for HIMSS Media.
Twitter: @BenzoHarris.
SPONSORED
According to the CBSi B2B Cybersecurity Study, Asia Pacific 2018, one of the biggest challenges faced by an organisation’s cybersecurity framework is aligning cybersecurity with business priorities. Jega Ponnudurai, Industry General Manager, Healthcare & Life Sciences, Asia, DXC Technology, recommended that healthcare organisations tackle this challenge by linking the costs and benefits of cybersecurity to the value of regulatory compliance.
This is especially critical for certain segments which are more linked to patient safety and patient data confidentiality and calls for more investment on security frameworks within application parameters. These segments include clinical documentation, pharmacy and medication management, tests and investigations and critical care support systems. Ponnudurai, who has more than 25 years of experience in the telecommunication and healthcare industries, shares his insights on the cybersecurity threat and risk landscape in Asia Pacific.
Most common cybersecurity threats/risks to healthcare organisations in APAC
Specific to healthcare organisations, the threats include Electronic Medical Record (EMR) data leakage, particularly of sensitive operational data (such as billing disputes or patient dissatisfaction) and clinical data (such as HIV/STD diagnoses), with the aim of maligning private or public health settings or getting hold of VIP patient data. However, Ponnudurai explained that they had not come across cases where a security threat involving data leakage had ended in a ransom demand, but it could happen.
Network and workplace-related security threats are no different from those of other industries – these include ransomware, endpoint attacks, phishing and many others.
Key lessons from a series of healthcare-related data breaches/leaks in Singapore
Some of the key lessons learnt are the importance of having security, not only from the outside but also from within an organisation. There is also a need for independent cybersecurity auditors to be put in place and such audits to be carried out more frequently.
“Internet separation models and the design of data security zones is becoming more and more pertinent in terms of de-risking data at rest,” said Ponnudurai. There also needs to be diligent scoping of cloud data assets, and for cross-application landscapes, data security and accessibility should be governed and designed by information area at a corporate level, not at the level of an individual application.
From within an organisation, locally inflicted threats from humans (contractors or internal employees) need to be closely controlled and monitored.
Blind spots in the management of cybersecurity threats/risks
One area that healthcare organisations usually overlook in managing cybersecurity threats and risks is application security in clinical applications. Most large healthcare organisations run a mesh of clinical and operational systems – Patient Administrative System (PAS), EMR, finance, billing, ancillary systems for pharmacies and laboratories, Radiology Information System (RIS)/Picture Archive and Communication System (PACS) and so on. These systems often need to exchange information, and breaches are most likely a) in data in motion, such as interfaces and message queues, and, more importantly, b) in context switching, such as accessing another application's logic, data or screens from within an application.
“A robust Development, Security and Operations (DevSecOps) Strategy should be imbibed early in the life-cycle for health application design,” Ponnudurai added.
Managing increased cybersecurity threats with reduced budgets and lack of trained experts
Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) are constrained by reduced budgets and a lack of trained professionals to deal with ever-increasing cybersecurity threats and incidents. Ponnudurai’s suggestion for tackling this is to study the impact of cybersecurity breaches, both financially and in terms of the personal trauma to the affected parties. Concern about cybersecurity has also made most healthcare providers hesitant to venture into cloud-based services, which in turn has a direct cost impact on running a healthcare service provider.
Increasingly, cloud adoption should be backed by cyber defense and orchestration strategies, including intelligent security operations and continuous threat monitoring using a leveraged Security Operations Centre (SOC) model, which reduces upfront capital expenditure (CapEx). This provides best-in-class protection with a spread-out cash flow, he concluded.