Medical devices – a forgotten backdoor in medical cybersecurity?

• Medical devices are connected to hospital networks – but are rarely patched or updated.
• That means medical devices can act as a point of cybersecurity weakness for hospitals.
• Any weak point will do for hackers – the less protected, the better.

Healthcare management is a particularly exciting area for the development of new tech – particularly with the likes of generative AI incoming. But if the Covid pandemic has taught us anything, it’s that healthcare is part of our critical national infrastructure.

In the UK, that’s particularly so, as the NHS (National Health Service, celebrating 75 years of operation this week) is an integrated, national system of socialized healthcare, free at the point of need, funded through a payroll deduction rather than through health insurance.

That means that a lot of healthcare units, hospitals and clinics are connected through the same IT system. Which in turn means that any weak spots in the system’s cybersecurity need to be addressed regularly, to avoid giving hackers the run of the nation’s medical data.

Which is why so many CISOs at so many health boards in the UK – and globally – are initially terrified when it’s pointed out to them that some of the static medical devices in their facilities are easy-access points of entry for hackers.

We sat down with Keith Christie-Smith, Strategic Accounts Director (Government, Healthcare & Defence) at Claroty, a company that specializes in securing the extended Internet of Things (XIoT) from precisely these kinds of attack, to learn exactly what’s up with the on-site medical devices that are every physician’s friend.

THQ:

What gives with the cyber-threat of medical devices? Excuse our tech-speak.

KC-S:

OK, well last year, there was a major asset discovery exercise in the NHS – which is obviously necessary from a cybersecurity standpoint. You can’t secure what you don’t know you have. So to have a full understanding of assets, networks and capabilities was practically priceless.

Once you can see everything, you can provide a comprehensive cybersecurity strategy.

THQ:

Call us pessimistic, but it feels like there’s a “but” coming.

KC-S:

Well, it turns out that in terms of cybersecurity, the UK is very far behind lots of other regions – in fact, most other regions that we sell into. The DSPT (Data Security and Protection Toolkit) that the UK used to assess the NHS is a self-assessment form. There’s no way of tracking how the NHS trusts are scoring themselves, and no guarantee of consistency across the board. Anyone can answer questions on a form, but being able to show their levels of protection digitally is probably the next step we need to see.

THQ:

So the UK health service assessed itself for cybersecurity… on the honor system?

KC-S:

Very much so. The toolkit’s an Excel spreadsheet, you go, you fill it in, and you score how you feel you’ve done.

THQ:

How terribly… British. By which we mean polite.

KC-S:

Yyyyeah. And in a lot of cases, trusts aren’t aware that tools like ours even exist. They’re answering the asset-discovery questions based on what they perceive the market or the tools to be today.

Medical devices and the danger of out-of-date systems.

THQ:

OK, so it’s potentially a deeply flawed knowledge-base, and we won’t know otherwise until there’s more structured data on the situation.

Forgive us if this sounds like we’re coming to it from a basic place, but in terms of medical devices, their purpose is first and foremost their medical functionality, right? How are they any kind of cyber-vulnerability point? We’re not suggesting hackers can manipulate the actions of pieces of diagnostic equipment, right? Produce false positives or negatives?

KC-S:

That would be a huge vulnerability point. You could actually argue it’s the bigger danger – if hackers did that, they could have a big impact on patient care, patient safety, but also on the general running of the facility.

But what usually happens with medical devices is that they’re in use for on average five times longer than standard IT assets.

If you think of a desktop or laptop, you may replace that every three to five years, depending on their performance from a healthcare perspective, medical devices are in service for anything up to five times that. Some medical devices are very expensive, like MRIs, CT scanners, robotic systems, etc. So for organizations like the NHS, resource constraints mean trusts are looking to sweat those assets as much as possible.

What happens then is these platforms or the solutions are being managed on a platform delivered by Microsoft or Linux, or one of the other major operating systems. And those operating systems get very out of date. Even if you have your laptop for three or five years, you’re probably going to end up with an out-of-date operating system. That same principle applies from a healthcare perspective.

You end up with very old operating systems, and lots of vulnerabilities and risk associated with leveraging those because they’re out of support from the actual manufacturers. But not only that. These medical devices run applications from the manufacturers – Siemens, Healthineers, GE, etc. But you get vulnerabilities in their applications as well.

Where these devices are in use for so long, you end up over time accruing risk and vulnerabilities because of the length of service of those devices. And there’s obviously pushback from the vendors to replace them. But in some cases, the medical devices are still performing a function, they’re even within their usable lifespan. So trusts don’t want to replace them until they’ve been sweated out of their usefulness.

That means you end up in this gray area where the devices aren’t supported. And you end up with lots of vulnerabilities. And that’s what’s really driving a lot of the risk that we see across our customers in the NHS.

The point then is to mitigate and minimize the risk impact to those devices as much as possible.

The lack of upgrades to medical devices.

THQ:

With laptops or desktops, there’s an understood process: you get updates, you get security patches, you get updates in your security programs to make sure they’re as up-to-date as possible, so they can deal with the latest security threat. And all this happens much more regularly than once across the three-to-five-year lifespan of the machine. With medical devices, that’s not so much the practice?

KC-S:

No, it’s not, unfortunately. Medical devices need to be patched for the most part by the vendors themselves, or a third party potentially. In most cases, there’s a cost associated with doing that, so you end up with these devices with lots of risk. And given the resource constraints under which trusts operate, there may not be the budget to actually go in to patch them.

But there’s also in some cases a reluctance from the vendors to do that. Part of what we offer is evidence based on that, which gives trusts the ability, using that data, to provide the vendors with the vulnerabilities that they’re seeing, so that they can help drive those vendors to deliver patches.

THQ:

Presumably, with medical devices, the vulnerabilities aren’t necessarily seen or logged with anything like as much regularity as they would be in a standard business or domestic laptop. In that case you get warnings that something’s gone wrong. Whereas in medical devices, if they go wrong, they just go wrong, without particularly any ability to warn their trusts that that’s happening, or why. And so if the vulnerability is relatively invisible, where’s the justification for the trusts to spend the money on getting them updated or patched.

KC-S:

Exactly, you’ve hit the nail on the head. Visibility of the vulnerability really is the key – you need to understand the assets, the make, model, serial number, and software versions of those assets, to then do correlation against vulnerability databases to actually show you what vulnerabilities you have.

Without particular tools, that’s impossible.

You also have the added complexity in healthcare that you should never be scanning medical devices. Those devices are providing patient care, and in some cases, keeping patients alive, right. So if you do what’s called an active scan, where you’re profiling and scanning a device to get that information, that could impact patient care and patient safety.

All the medical device manufacturers advocate that you should never scan their devices.

That means you’re reduced to what’s called a passive scanning approach, which involves listening to the network traffic, understanding all the protocols that these devices utilize, to pull through the relevant metrics into a platform, so you can do that vulnerability correlation with device asset information, without needing to ever touch the device.

That’s why you need specialized healthcare products to be able to do that. Then you need to understand the devices, the communication that they’re doing, the protocols that they’re using, so that you can do that deep packet inspection of the traffic to pull those metrics into the platform. Only once you’ve got all that data in a platform, can you do that correlation around vulnerabilities and then ultimately show the risk associated to those devices.

Medical devices – the backbone of any good medical center – even in Springfield.

 

In Part 2 of this article, we’ll look at the specific dangers posed by unpatched medical devices – and what can be done to properly mitigate them, in light of vendor-resistance to check them regularly.