By Stephanie Preston, Cyber Embedded Systems Engineer, Battelle
Does your medical device present a threat to hospital network security? If you haven’t baked cybersecurity into your device design, the answer may be yes.
Cyber threats to the medical community are growing in frequency and severity. The Identity Threat Resources Center (ITRC) reports that U.S. data breaches increased by 27.5% in 2014 compared to 2013, with attacks on the medical/healthcare sector leading the list for the third year in a row at 42.5% of identified breaches. What does this have to do with medical devices? Many medical devices today are connected to provider networks, providing tremendous benefits for patients and healthcare workers. They may also, however, provide a back door for hackers into secure medical facility networks.
There is growing awareness of cybersecurity in the medical device industry. Much of the attention has been on the potential for hackers to hurt patients directly, say by hacking into and tampering with a connected insulin pump or pacemaker. Other devices may hold sensitive patient data. The need to protect patient health and safety and sensitive data stored on a device is obvious. But these types of attacks, while holding dramatic potential, are fortunately rare in the cyber world. The real gold mine lies in gaining access to a hospital or medical center network — and your medical device may be just the entry point hackers are looking for.
Hospitals store tens to hundreds of thousands of records containing sensitive financial, medical, and identity information, making them a tempting target for cyber thieves. Hackers who gain entry into hospital networks also have the opportunity to generate wide-scale disruption of operations. Hospitals and healthcare centers are responding appropriately by tightening up their network security, making them more difficult targets for opportunistic hackers.
But as the networks themselves get harder to breach, hackers look for alternate entry points. Every device attached to the hospital network is a potential “pivot point” into the network for hackers. Plugging an unsecured device into a secure hospital network is the equivalent of locking the front door but leaving the side window wide open. This means that all developers of connected medical devices need to consider cybersecurity, even if the device by itself does not seem to offer a motivation for hackers.
Cybersecurity experts categorize hackers by their primary motivations, skills and resources. Different types of hackers will have different objectives for breaking into a medical network and will require different cybersecurity measures.
- Professional Mercenaries are in it for the money: They are typically looking for financial or identity records that they can use themselves or sell to someone else. Hospitals and medical centers have lots of data with potential commercial value, from social security numbers to credit card numbers to private patient information. In some cases, mercenaries will sell this data to organized crime rings that buy it on an established black market. In other cases, hackers may simply hold data hostage for ransom.
- Malicious Insiders are employees or contractors with special access or knowledge that allows them to crack networks from the inside. They may exploit their inside knowledge for either financial gain (e.g., selling sensitive information) or personal reasons (e.g., a disgruntled employee “getting back” at an employer for a perceived slight). An unhappy employee, for example, may want to hurt their employer’s reputation or cause financial damage by introducing a virus that disrupts operations and puts patients at risk.
- Principled Idealists, sometimes called “hacktivists”, are agenda-driven, often trying to further a political or ideological cause. Hacktivists may use Trojans, malware, or denial-of-service attacks to disrupt a facility’s operations. They may be trying to make a statement about the healthcare system as a whole, or disrupt a specific center they are ideologically opposed to, such as a women’s health center offering abortions.
- The Cyber-Warrior is a state agent operating for national interests, generally stealing sensitive information or engaging in cyber warfare. While these types of attacks are probably rare in the medical community, rogue states could try to hack into hospital networks to get sensitive information on a patient of interest or simply to disrupt operations and generate chaos or fear.
Hackers who seek to gain access to a hospital network could potentially be in any of these categories, but the vast majority of cybersecurity attacks in the medical community are likely to be from Professional Mercenaries. One especially pernicious type of attack that is growing increasingly common is the ransom attack. In some cases, hackers have encrypted sensitive data within the hospital network and then demanded money in exchange for a password to decrypt the data. Medical centers under this type of attack may suddenly find all of their patient information encrypted, making it impossible to access records such as patient prescription information, pathology reports, diagnostics, and other information critical for providing patient care. In other cases, hackers may steal sensitive information like employee social security numbers or credit card numbers and threaten to make them public unless a ransom is paid. International hacking rings are notoriously difficult to trace, and impacted facilities have generally found that they have no choice but to pay, especially if patient health and safety depends on the encrypted records. As long as this strategy provides a payout for hackers, we are likely to continue to see more of these types of attacks.
When a medical provider has been shut down by a cybersecurity attack, whether from a hacker holding data for ransom or a disgruntled employee seeking to damage their reputation, they will need to audit their cybersecurity risks and put new measures in place to secure their network. If a medical device is found to be the weak link that was used to hack into the network, medical device developers could also find themselves at financial risk. Liability issues related to cybersecurity are still evolving, but in order to protect themselves, manufacturers of connected devices should be able to demonstrate that they have put reasonable cybersecurity measures in place. Beyond the issue of liability, medical facilities are unlikely to want to purchase a device that has been implicated in a security breach until the security loopholes have been fixed.
Medical device developers need to incorporate cybersecurity into their development and risk management plans to protect themselves and their clients and users. Because of the potential for connected devices to be used as pivot points into larger networks, even devices that do not present potential risks to patient health and safety need to be secure. A comprehensive security risk management plan needs to address three critical aspects of cybersecurity:
- Secure design (baking cybersecurity into hardware and software development from the start)
- Vulnerability assessment (characterizing, modeling, and measuring existing threats)
- Anti-tampering and anti-counterfeiting measures
By putting these protocols into place, developers can protect facilities and patients from potential harm and minimize their own legal and financial risks. Traditional medical software and hardware developers will not have the necessary security training to correctly design for cybersecurity. Companies should plan to incorporate a skilled security expert into their device design or validation.
However, most device developers will not need to have a full-time security expert on staff. Outsourcing will allow companies to select the right security experts for each specific project without the expense of hiring new full-time staff. For example, Battelle now offers DeviceSecure Services for the medical device community. Cybersecurity experts at Battelle use a comprehensive threat modeling process to help developers determine what risks and vulnerabilities exist in their devices and how these risks can be mitigated.
It is impossible to fully protect against all possible threats presented by a highly motivated, skilled, and determined hacker. But the vast majority of cybercrimes are crimes of opportunity. The job for the medical device manufacturer is to ensure that their device is not the weak link in the network. By integrating cybersecurity into their development processes, device developers can protect themselves, their client facilities, and their patients from potential cyber threats.
About The Author
Stephanie Preston graduated from Ohio State University with a bachelor's degree in computer and electrical engineering in 2009. She currently works for Battelle on the Cyber Innovations – Mission Focused Tools team, where she focuses on firmware reverse engineering (x86, x86_64, MIPS, 8051) as well as application development (C/C++). She also serves as the team’s intellectual property steward.
Stephanie is a registered engineer in training (EIT) in the state of Ohio and holds a Global Information Assurance Certification (GIAC) Security Essentials certification and a Certified Ethical Hacker (CEH) certification. She also serves as an adjunct faculty member at the Ohio State University College of Computer Engineering, teaching low-level system programming (C/x86).