It’s chilling to think that a heart monitor, blood gas analyzer or MRI scanner could be infected with malware, but the threat is very real. Malware called MEDJACK (short for “medical device hijack”) was recently found on equipment at 10 U.K. hospitals.
First discovered in 2015, MEDJACK attacks medical devices in order to gain access to a healthcare organization’s network and steal patient information and other sensitive data. The authors of the malware have continued to refine their techniques, specifically targeting devices with older, unsecure operating systems to create botnet connections and backdoors into the victim’s network. Endpoint security software was unable to detect the attacks.
MEDJACK is symptomatic of a growing crisis in healthcare as more devices are connected to networks. Historically, medical devices only transmitted information to a display on the device itself. Today, that same information is captured in Electronic Health Records (EHRs) and remotely accessed by clinicians on PCs and mobile devices. The medical devices themselves have become more than just tools for diagnosis, treatment and monitoring. They are computers that are part of a larger ecosystem of servers, data storage, network interfaces and software.
But while organizations routinely patch and update systems within the IT infrastructure, those best practices typically aren’t followed in the healthcare environment. Medical devices are still viewed as “machines” rather than IT endpoints. That makes them easy targets for hackers, who can earn top dollar on the black market for health information. According to the Verizon 2016 Data Breach Investigations Report, the healthcare sector is 30 percent more likely than the financial services sector to have sensitive information assets stolen.
Although medical devices are regulated by the Food and Drug Administration (FDA), there are no specific rules related to cybersecurity. A manufacturer must notify the FDA prior to going to market with a new or modified device and, depending on how the device is classified, document its safety and effectiveness. However, the FDA has issued only nonbinding “guidance” regarding cybersecurity issues that manufacturers should “consider” during design, development and premarket notification.
On December 28, 2016, the FDA issued another nonbinding guidance document entitled “Postmarket Management of Cybersecurity in Medical Devices.” That document notes that mitigating cybersecurity threats “typically requires continual maintenance throughout the product lifecycle” and that manufacturers should “monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices.” Such security patches and updates do not require FDA review or recertification of the device.
Critics have complained that the documents offer only standard cybersecurity recommendations and that nonbinding guidance will not force the industry to change. Proponents of the documents say that the guidance should encourage manufacturers to follow cybersecurity best practices — failure to do so would have serious implications in a lawsuit. The FDA has said that while the guidance is nonbinding it interprets regulations that are binding.
Because most medical devices have a five-year development cycles and a useful life of 10 to 20 years, any cybersecurity efforts by manufacturers will be slow to take effect. In the meantime, hospitals and other healthcare organizations should recognize that most medical devices were not designed with cybersecurity in mind, and take steps to secure any equipment that connects to the data network. Although hackers are using unsecure devices to gain access to healthcare data, a compromised device could malfunction or produce inaccurate results, putting patient lives at risk.
by Frank Hughes, Healthcare Practice Manager