Networked Medical Devices: Security and Privacy Threats. Healthcare IT at a crossroads

Transcription

1 WHITE PAPER: NETWORKED MEDICAL DEVICES: SECURITY AND PRIVACY THREATS Networked Medical Devices: Security and Privacy Threats Healthcare IT at a crossroads

2 CONTENTS Introduction Converging risks External risks: cyber threats Internal risks: medical devices The government s role: integration and privacy mandates The CHIME member survey Participants and devices Experience and concerns Initiatives Survey summary Conclusions and recommendations References News articles Organizations and initiatives Additional resources More information

3 Introduction Healthcare information technology (IT) uses many of the same infrastructure elements, applications, off-the-shelf technologies, and processes used by enterprise IT in general. But healthcare networks are unique in two important respects. First, they contain and transmit information that is uniquely sensitive, and therefore governed by rigorous, industry-specific privacy and security regulations like the U.S. Health Insurance Portability and Accountability Act (HIPAA). Second, the complexity, number, and diversity of devices especially network-connected devices that make up this infrastructure expose healthcare networks to a broader range of security and privacy risks than typical network servers or endpoints. The problem of vulnerable devices on sensitive networks has been latent for years. But today three trends are converging to make it an immediate risk: Sharp rises in the volume, sophistication, and focus of malware, raising the likelihood of, and damage from, malware attacks and data breaches Medical devices that incorporate more off-the-shelf hardware and software, increasing their vulnerability to malware, hacking, and data theft New government incentives and mandates to share patient information electronically, simultaneous with severe penalties for any loss, diversion, or exposure In this paper, we will first outline the risks introduced by networked medical devices, and then present results from a 2010 survey by the College of Health Information Management Executives (CHIME) to gain the perspective of industry insiders. Finally, we will review some of the organizations, standards, and solutions available to help hospitals, diagnostic centers, and clinics assess and address issues introduced by networked medical devices. Converging risks The potential for networked medical devices to serve as a vector for cyber threats is on the rise because of changes in the cyber-threat environment, the special characteristics of medical devices, and a changing regulatory climate. External risks: cyber threats Cyber threats adapt to the opportunities and risks faced by their creators. The nuisance of amateur online vandalism has been eclipsed by new opportunities for professional criminals, created by high-bandwidth connections and an explosion of commercial and financial information and transactions on the Web. Today s Internet threats are increasingly: Global China is second only to the United States as a source of online threats, and Brazil, source of several high-profile attacks, has emerged as number three. Geographic variation in laws and enforcement complicates and slows prosecution of cybercrimes. Focused Recent cyber attacks often target individual organizations, using advance reconnaissance on social networks, custom-crafted spear phishing messages, multi-pronged attacks, and persistent data gathering over long periods. Web based All of the current top-ranked cyber attacks, including those that implant keystroke loggers and other information-gathering tools, exploit vulnerabilities in browsers and other popular applications. 1

4 Automated Crimeware toolkits accelerate the creation of custom exploits, including deployment of botnets to launch global automated attacks. More than 90,000 unique variants of one such kit appeared in 2009 alone. Financially driven Today s attacks focus on financial information about organizations and consumers. An underground online economy supports a brisk trade in stolen information: credit card information, for example, sells between $0.85 and $30.00, and bank account credentials from $15 to $ All organizations and consumers, not just hospitals and patients, face this threat environment. But the sensitivity of medical information, and the exposure of network-connected medical devices raise special risks in the healthcare industry. Internal risks: medical devices Enterprise networks may incorporate tens of thousands of endpoints, and while security and data protection are constant concerns, the consensus is that the risks are under control. What makes network-attached medical devices so different? The answer is that even though newly released medical devices operate more like computers, they are still treated as though they are different in ways that carry serious ramifications for security and data protection. The PC revolution has transformed instruments and devices of all kinds, and medical devices are no exception. Their increasing use of off-the-shelf hardware and software technologies unlocks significant user-interface, performance, and cost advantages. As devices grow more productive, hospitals use them to increase staff efficiencies and they proliferate throughout hospitals. These sophisticated devices are more likely to be connected to networks to create efficiencies and enable control, data communication, management, and integration exposing them to the full range of risks that afflict other network endpoints. But although medical devices share computers vulnerabilities, they can t be protected in the same ways: Responsibility for medical devices often resides with Biomedical (or Clinical) Engineering departments, whose mission and training focus on calibration and maintenance. Security and data protection are typically subordinated or shared with the IT organization, for which medical devices are secondary to maintaining core IT service levels. Long device lifecycles keep hardware, operating systems, communications protocols, and applications systems in service on medical devices long after they have disappeared from enterprise IT networks so devices remain vulnerable to exploits that are of no concern to desktops and laptops. Regulation has a paradoxical effect: the U.S. Federal Food and Drug Administration (FDA) and its counterparts outside the U.S. stipulate that medical device manufacturers, not owners, must control and validate device configuration, including security updates. This delays delivery of vulnerability patches to users, slows the pace of security and data-protection upgrades, and keeps third-party security solutions, no matter how effective, off PCs embedded in medical devices. 1. All data is from Symantec Corporation, Internet Security Threat Report XV, Cupertino, CA: April, symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_ en-us.pdf 2

5 The government s role: integration and privacy mandates The unique status of medical devices excludes them from routine PC protections a situation that has persisted for years. But regulatory changes are forcing nearterm security and protection decisions that sometimes conflict. The U.S. federal government and other organizations are attempting to cut duplication, errors, and costs by integrating patient information from many sources into a single electronic record available to legitimate parties. At the same time, privacy provisions require that access to this information be convincingly blocked from all other parties. The healthcare community is well aware of HIPAA requirements to protect patient information. But unless medical devices can be secured, HIPAA protections are difficult to reconcile with incentives for Electronic Medical Records under the Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA). The CHIME member survey The College of Health Information Management Executives is an organization that supports Chief Information Officers (CIOs) and other senior leaders in healthcare IT. Considering the spread of medical devices, the difficulty of protecting them and their information, and the emerging potential conflict between digitization and security of medical records, CHIME surveyed its members concerns about cyber threats originating from, targeting, or propagated through network-connected medical devices in an online survey conducted during August and September Participants and devices The 53 survey participants were predominantly director- or C-level executives at large U.S. hospitals (median 551 beds). As seen in Figure 1, most of these organizations have well over 1,000 medical devices. Almost 23 percent are network connected; an additional 8 percent are network capable but not yet connected. Wired connections outnumber wireless three to two. Figure 1 also reveals that the concentration of both total and networked medical devices for example, devices per bed is much higher at larger hospitals. Figure 1: Medical devices in use at survey participants hospitals. Networked and network-ready devices constitute more than 30 percent of the total. 2 2 CHIME members are predominantly Healthcare IT executives; as a result, Figure 1 may underestimate the number of medical devices at hospitals where IT does not manage them, or manages them jointly with Biomedical Engineering. 3

6 In 45 percent of these organizations, the Biomedical (or Clinical) Engineering department alone manages medical devices, and in 45 percent they either share management responsibility with IT (38 percent), or have consolidated Biomedical Engineering and IT into a single group (7 percent). In only 6 percent of cases does IT alone manage the devices; in 4 percent an outside group is responsible. Figure 2: Responsibility for managing medical devices is typically assigned to the Biomedical/Clinical Engineering department alone, or shared with IT. Experience and concerns Malware attacks on medical devices are more than a theoretical concern for survey participants: more than a third of them had experienced a virus or other malware on a medical device in the year preceding the survey, and a third of that group experienced multiple incidents. Figure 3: More than one-third of survey participants reported a cyber attack in the preceding year. They also saw firsthand how difficult malware is to contain: in more than half of the reported outbreaks, infections spread beyond a single device to a few devices, a floor or department, or the entire hospital. 4

7 Figure 4: More than half of reported outbreaks extended beyond a single device Further, as shown in Figure 5, 47 percent of participants see malware threats as a steady-state phenomenon but 17 percent see them on the rise. Figure 5: The majority of survey participants see malware attacks as steady or rising year upon year. Steady or rising, the threat is serious. Two-thirds of participants rate cyber risks from medical devices the same or greater than from general hospital IT. Their areas of greatest concern are: Key risks: hacker penetration, privacy breach, virus infection, and virus propagation Most sensitive devices: infusion pumps, imaging devices, bedside monitors Most serious impacts: patient care, clinical productivity, clinical and IT remediation burdens 5

8 Figure 6: Security concerns run the gamut of medical devices. These are the top 7 of 14 device types. Initiatives To date, network security initiatives account for most of the protection against malware and information loss: secure Virtual Local Area Network architectures protected from the outside by firewalls and demilitarized zones. Almost half of the participants use two or more external protective measures in addition to protections provided by the device manufacturer. Figure 7a illustrates the distribution of protective measures, and Figure 7b shows their concentration. Figure 7: a) Surveyed hospitals use network-based defenses to protect medical devices. b) Almost half use two or more forms of network protection. One of the most important measures for protecting any computing system or medical device is a disciplined management and upgrade process. Devicemanagement solutions are an essential part of any security and privacy initiative. More than 80 percent of surveyed hospitals used one or more automated solutions which are often bundled into suites to help them manage medical devices from purchase through decommissioning. About half use more than one solution. Figure 8 shows the solutions they use. 6

9 Figure 8: Hospitals use a full range of automated solutions to manage medical devices throughout their lifecycles from purchase through end of life. Survey summary A midsize to large U.S. hospital relies on more than a thousand medical devices, managed by Biomedical Engineering, either alone or jointly with IT. About one-third of the devices are exposed to malware or data loss through network connections. More than one-third of surveyed hospitals experienced one or more virus or malware incidents in the past year and half of these spread beyond the point of entry. Responsible executives see the cyber-risk rates as steady but serious; they worry most about hackers and privacy breaches on their networks, the security of patient-connect devices, and impacts on patient care. They use one or more network-based defenses to protect their devices, networks, and patient information, count on automated tools to manage devices throughout their lifecycles, and would generally welcome security and vulnerability rating services for medical devices. Conclusions and recommendations With HITECH incentives built into ARRA, and EMR initiatives generating organizational support, now is the best time to extend the IT security envelope to include medical devices. IEC :2010 Application of risk management for ITnetworks incorporating medical devices outlines a risk-management approach that aligns well with the organization and processes of most hospitals. Education of both responsible departments and those affected by the changes is an important component of any solution. The following section offers links to resources that offer background information, standards and regulatory frameworks, and software solutions governing device and network security, access control, lifecycle management, and data protection. 7

10 References News articles These articles report individual attacks on networked medical devices and security trends in healthcare environments: Wirth, A. Cyber Crimes Pose Growing Threat to Medical Devices, Biomedical Instrumentation and Technology (BI&T), Jan/Feb 2011, Volume 45, Number 1. Keen, Cynthia E. Conficker worm highlights PACS cybersecurity issues, AuntMinnie. com, (online) June 2, 2009, accessed: February 1, Massachusetts Medical Devices Journal LLC. Medical devices next on hackers target list? MassDevice.com, (online) April 5, 2010, accessed: December 7, Massachusetts Medical Devices Journal LLC. Confickered! Medical devices and digital medical records are getting hacked, MassDevice.com, (online) May 8, 2009, accessed: December 7, Organizations and initiatives The Healthcare Information and Management Systems Society (HIMSS) and the National Electrical Manufacturers Association (NEMA) address privacy issues related to medical devices as part of the Manufacturer Disclosure Statement for Medical Device Security joint initiative (MDS 2 ). Note that MDS 2 disclosures are not catalogued and are provided to customers by request only. National Electrical Manufacturers Association, Manufacturer Disclosure Statement for Medical Device Security (MDS 2 ), NEMA.org, (online) September 29, 2008, accessed: January 24, Healthcare Information and Management Systems Society, Medical Device Security, HIMSS.org, (online), accessed: January 24, The Patient Care Device Domain working group of Integrating the Healthcare Enterprise deals primarily with clinical topics, such as alarm communication, message syntax, and so on, but also addresses security, privacy, and configuration management. Integrating the Healthcare Enterprise, IHE Patient Care Device, IHE.net, (online) 2010, accessed: January 24,

11 The Clinical Engineering/IT (CE-IT) Community of the Association for the Advancement of Medical Instrumentation (AAMI), American College of Clinical Engineering (ACCE), and the Healthcare Information and Management Systems Society (HIMSS) is working to bridge the gap between traditionally device-focused clinical engineering and traditionally network-focused IT. Additional resources These resources offer recommendations for connecting, isolating, and securing networked medical devices and IT infrastructure in healthcare environments. U.S. Food and Drug Administration, Reminder from FDA: Cybersecurity for Networked Medical Devices Is a Shared Responsibility, FDA.gov, (online) November 4, 2009, accessed: January 24, United States Computer Emergency Readiness Team, Cyber Security Tips, US-CERT. gov, (online), accessed: January 24, Center for Engineering & Occupational Safety and Health (CEOSH) and U.S. Department of Veterans Affairs), Medical Device Isolation Architecture Guide, HIMSS. org, (online) April 30, 2004, accessed: January 24, Healthcare Information Technology Standards Panel, Technical Note 905: Device Connectivity, HITSP.org, (online) January 25, 2010, accessed: January 24, Cooper, Todd and Eagles, Sherman, Aiming for Patient Safety in the Networked Healthcare Environment, AAMI.org, (online) 2010, accessed: January 24,

12 More information Visit our website To speak with a Product Specialist in the U.S. Call toll-free 1 (800) To speak with a Product Specialist outside the U.S. For specific country offices and contact numbers, please visit our website. About Symantec Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Headquartered in Mountain View, Calif., Symantec has operations in 40 countries. More information is available at Symantec World Headquarters 350 Ellis Street Mountain View, CA USA +1 (650) (800) Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 6/