Healthcare Equipment and Devices Need a Security Prescription



What can be done to protect networks, servers, and mobile devices as well as medical equipment in this increasingly connected era of healthcare?

In May this year, the UK’s National Health Service (NHS) computer system was attacked by the Wannacry virus. The cyber-attack brought many doctors’ surgeries to a standstill, as patient records could not be accessed during appointments, nor could appointments to see a doctor be made. In hospitals, patients’ records could not be accessed, meaning procedures had to be postponed. Quickly, a report by the British Computer Society (BCS), the Chartered Institute of Information Technology issued a report identifying the lack of a cyber-attack protocol, lack of cyber security experts and “sufficiently secure and up-to-date software.”

The BCS published a blueprint plan of action for the NHS, focusing on IT and software. This is important of course, but still falls short of reflecting the state of today’s healthcare, namely mobile, connected devices, both medical equipment and other devices used by patients and doctors within the hospital environment.

Attack and Defend
IT security research specialist, the Ponemon Institute conducted a study for software design tool company, Synopsys (Medical Device Security: An Industry Under Attack and Unprepared to Defend) and found that 67 percent of medical device manufacturers believe an attack on one of their devices is likely over the next 12 months. This make sad reading, as last year, the institute published research that found 90 percent of healthcare organizations in the study experienced a data breach in the last two years, and 45 percent had more than five data breaches in that time. The 2016 study found that ransomware, malware, and denial of service (DoS) attacks were the biggest threats facing healthcare organizations.

Figure 1: Threats to medical data are numerous: malware, ransomware and denial of service are seen as the biggest ones (Picture - Synopsys).

Figure 1: Threats to medical data are numerous: malware, ransomware and denial of service are seen as the biggest ones (Picture - Synopsys).

“The security of medical devices is truly a life or death issue . . . it is urgent that the medical device industry make the security of its devices a high priority,” says Dr Larry Ponemon, Chairman and Founder of the Ponemon Institute.

Mike Ahmadi, Director of Global Critical Systems Security, Synopsys, adds “Any device that is network connected in a hospital is high risk for security-related attacks. What varies is the impact.” He believes that the company’s Software Integrity Group, with a portfolio of security testing tools, managed services to close testing gaps and conduct in-depth testing, and professional services offering specialized consulting, places the company in “a unique position to provide the tools necessary to solve many of the challenges faced by medical device manufacturers as well as the expertise and knowledge to implement an effective security program. . . .This means that a manufacturer can, in a relatively short period, deploy solutions rapidly to meet market demand and deliver a more cyber-resilient platform to the customer.”

Data-Related Threats
For Kirsten Bay, President and CEO, at Cyber adAPT, threats are data-related, usually so that it has to be bought back by the victims. As a ploy to get rich quick however, ransomware has a major flaw —so far none of the money paid by the victims has been collected, as doing so would lead police to the criminals!

Figure 2: Kirsten Bay, Cyber adapt: detection and encryption play a key role.

Figure 2: Kirsten Bay, Cyber adapt: detection and encryption play a key role.

Bay believes that the cyber-attacks can permeate to device level. For example, pacemakers and an attack could mean that critical care machines could be locked down. “The main defense is detection and encryption communications between devices,” she identifies. However, many connection points are open, Bay continues, pointing out that hospitals and medical centers largely operate open networks, with public Wi-Fi. Similarly, portable machines going from patient to patient, laptops and phones used by medical staff, right up to large equipment such as a Magnetic Resonance Imaging (MRI) scanner, are all largely unencrypted, she adds.

Cyber adAPT’s skwiid for mobile devices (skwiid Mobile) and for networks (skwiid-in-Network) relies on network traffic analysis. By examining, in real-time, the incoming and outgoing packets of data, it can identify anomalies to detect an attack in seconds and issue alarms. It uses deep packet inspection to look for changes, evidence that someone is trying to change the state of traffic. “The key in healthcare in particular,” observes Bay, “is to push back from creating latency in accessing data; this can slow down the interface. . .  the challenge in the medical field is not to inhibit the user experience.”

The detection platform is a hub, with the spokes of the hub being the Internet of Things (IoT), the network or mobile detection capability, or the Cloud. “Everything is a sensor,” explains Bay, “which pushes data back to the detection hub.” A probe passively captures traffic but does not interrupt. The secure tunnel created for data traffic does not impact latency or draw on a device’s battery, says Bay. It is designed to pull packets and pass quickly, looking for any state changes. If there are none, meta data is copied to the memory.

The first use case is being implemented in mobile workstations that go from room to room in hospitals, reports Bay. The next step is to scale the security to allow doctors to travel from one hospital to another.

Take Responsibility
In a connected world, with many endpoints, each part of the network needs to be robust. Medical Device Security: An Industry Under Attack and Unprepared to Defend reported that devices are difficult to secure due to factors such as accidental coding errors, lack of knowledge on secure coding, and time pressures for the development teams. Once in use, medical devices are rarely tested—nine percent of manufacturers and five percent of healthcare organizations test them annually and over half of healthcare organizations admitted that they did not test them at all.

Figure 3: Connected devices rely on open networks, which make them vulnerable. (Picture – Cyber adAPT)

Figure 3: Connected devices rely on open networks, which make them vulnerable. (Picture – Cyber adAPT)

Ahmadi concludes: “The [healthcare] industry needs to undergo a fundamental shift, building security into the software development lifecycle and across the software supply chain to ensure medical devices are not only safe, but also secure.”


hayes_caroline_115Caroline Hayes has been a journalist covering the electronics sector for more than 20 years. She has worked on several European titles, reporting on a variety of industries, including communications, broadcast and automotive.

Share and Enjoy:
  • Digg
  • Sphinn
  • del.icio.us
  • Facebook
  • Mixx
  • Google
  • TwitThis

Tags: