Med-Tech Innovation News spoke to Joe Carson, chief security scientist and advisory CISO, Thycotic, to highlight the steps that can be taken by organisations against ransomware.
Tell us what the Thycotic solution can provide to medical device manufacturers?
A lot of smart devices run on commercial or proprietary operating systems. These devices need servicing at regular intervals to keep them operating at their peak. In practice this involves an IT technician connecting remotely to the device via the Internet. It may be necessary, for example, to upgrade the software, add users, provision security patches or change the configuration. Any one of these parameters could, if left unprotected, expose the device to unauthorised outsiders with malicious motives. Thycotic manages access privileges to medical devices and supporting equipment, applying strict security controls so that entry is restricted to approved IT and maintenance technicians only.
What sort of threats do device manufacturers face?
Building security into devices at the design stage can incur extra costs and delay time to market.
If devices do not have security built into them at the design stage, they must be made secure afterwards which ultimately makes the task harder.
Threats against smart medical devices may include DDoS attacks or ransomware. Effects may range from preventing it from functioning properly to a breach of highly sensitive patient information. Another threat is poisoning the data to render it unreliable. Being able to vouch for the safety and integrity of patient health information is critical.
For this reason, manufacturers need to bear in mind likely use cases for their products from the outset. Aspects such as how often will the devices be connected to the internet; how will they be accessed and what kinds of data will be stored on them need to be taken into consideration. If the device is a life-saving one obviously the consequences of it encountering a security threat are potentially very serious.
Manufacturers should focus on protecting the integrity of the device itself, maximising uptime and safeguarding the accuracy of data collected. The only ways to guarantee this are to build device security in by design and to enforce strict control of access privileges.
What steps can they take to guard against such threats?
First, make sure smart medical devices have built-in resilience. Are they able, for example, to continue operating equally well in standalone mode as when online?
Second, to prevent unauthorised device access or malicious configuration changes organisations should adopt the principle of least privilege. This means that access is strictly managed and secured so that entry rights are reserved for authorised users only.
Third, apply data privacy controls. This means encrypting all data communications to and from the device as well as how it is stored.
How much of an effect should Industry 4.0 affect the thinking of device manufacturers – particularly in factory assembly?
Industry 4.0 is all about introducing more automation, more intelligence into the manufacturing process. Medical device manufacturers are adopting Industry 4.0 processes because ultimately it will allow them to introduce greater consistency and reliability into their products - this is especially important if those products are made with security resilience built in. Applied correctly these built in security measures should help those businesses accelerate their digital transformation strategies as well.
How much of a threat is ransomware to smart medical devices?
Recently, there was a case in Germany where a hospital suffered a ransomware attack. A patient due to have life-saving surgery at the facility had to be diverted to another hospital 20 miles away, as a result of the delay the patient died. This illustrates how, in extreme circumstances, ransomware threats against medical facilities can literally be a matter of life and death.
Smart medical devices are designed to interact with humans. So, if someone clicks on the wrong thing it might be all a ransomware attack needs to help it spread around the network. The problem with ransomware is it’s no longer simply renders whatever it touches unavailable to the user. It’s about extortion. Often sensitive data will be extracted before the ransomware is released, creating two problems in a single hit.
I can think of two projects I worked on personally where a ransomware attack would have been a critical threat to life. The first one was a medicals records digitalisation assignment. It involved the conversion of paper-based medical records into digital format. The process meant doctors could access patient records in hours rather than the days or weeks it took previously. The ability to help medical staff save time has life-saving potential. By contrast a ransomware attack can add up to long delays - delays that patients can ill-afford.
A second project involved finding a means to transfer patient vital sign data from an ambulance while en route to hospital emergency room. The idea was to allow Emergency Room doctors to start analysing the data to figure out what they were dealing with and to prep for the patient’s arrival. All too often projects of this nature focus on the speed and efficiency of data transfer rather than security. If this is the case when ransomware strikes the Emergency Room patients will need to be re-routed and you will lose any efficiency that you gain. So, it’s always about striking the right balance between speed and security.
Ransomware is arguably the biggest threat to medical devices. It has the potential to shut down not just a hospital or a device manufacturer but ultimately people’s lives.
Anything else you’d like to add?
In many respects when medical devices are attacked the hospitals are merely collateral damage. The cybercriminals are not interested in hospitals per se. In many cases the hospitals just happen to share networks with other targets such as Universities and medical research laboratories.
Fortunately, providing adequate security does not require investing in advanced technology with loads of bells and whistles. It just needs a few basic steps. It starts with applying basic security hygiene, identifying where the more serious risks lie and applying best practice methods to mitigate them. Something as simple as the timely patching of devices and constant vigilance of secure access privileges is all it takes.
Getting the basics right will be enough to stop the majority of cyber-attacks. The aim should be to reduce the risks for as many connected medical devices as possible, regardless of whether they have security built in or not.