Medical Device Security Guidance Released by FDA as Threats Multiply

To help advance the state of medical device cyber-security the U.S Food and Drug Administration is providing new guidance to help improve health care cyber-security in 2017.

Health care cyber-security

2016 was not a good year for health care cyber security, with a 63 percent year-over-year increase in major attacks, according to security firm TrapX. The situation has not escaped the notice of the U.S Government, with the Food and Drug Administration(FDA) issuing a 30-page report on Cyber-security in Medical Devices, on Dec. 28, 2016.

"Protecting medical devices from ever-shifting cyber-security threats requires an all-out lifecycle approach that begins with early product development and extends throughout the product's lifespan," Suzanne Schwartz, FDA associate director for science and strategic partnerships, wrote in a blog post.

Among the core elements of the FDA guidance for medical device security is understanding the risks and potential vulnerabilities of devices. Additionally the FDA recommends that organizations have a process in place to work with security researchers to receive and act on information related to potential vulnerabilities. The FDA also suggests that organizations deploy software patches quickly, before they can be exploited.

Moshe Ben-Simon, co-founder and vice president of services at TrapX has a mixed outlook on the FDA guidance and how it can help to improve security in the health care market.

"As guidance it takes the industry in the right direction," Ben-Simon told eWEEK. "The challenge is that the existing installed base of medical devices and the infrastructure that support them cannot be remediated in a period measured in other than years."

The scope of the medical device cyber-security challenge is large, with approximately 6,500 medical device manufacturers and perhaps millions of medical devices within the installed base. Ben-Simon commented that many medical devices are installed on a long projected financial and operating life, but the manufacturers don't plan on ever upgrading the internal embedded processors and making major structural changes to the devices.

"In contrast, the hospitals cannot afford to end-of-life these older devices. They want the manufacturer to offer a no or low cost upgrade so they can be more cyber resilient," Ben-Simon said. "To complicate matters, beyond the purview of the FDA, the basic weakness in the networks that host the medical devices is perhaps worse and definitely part of the problem."

In June 2016, TrapX released a report on an attack against medical devices dubbed 'MEDJACK 2'. In this attack, hackers scan networks looking for potentially vulnerable medical device in an attempt to deploy various forms of malware and ransomware.

Ben-Simon noted that the FDA guidance for medical device cyber-security could potentially help to prevent MEDJACK attacks in the long term.

"The challenge is that without mandatory compliance, neither the medical device manufacturers nor the hospitals can afford to invest in upgrading the massive installed base of devices," Ben-Simon said.

Ben-Simon noted that MEDJACK can only be detected when attackers move laterally from the infected medical devices across a network and most hospitals do not have the technology to identify attacker safe havens. In the meantime, Ben-Simon said that TrapX continues detect MEDJACK in just about every health care institution in which it has close involvement.

Overall 2016 was a challenging year for security in the medical community. TrapX's 2016 health care Cyber Breach Research Report found a 63 percent year-over-year increase in attacks against health care institutions in the U.S.

"The rapid emergence of ransomware nationally happened at a faster pace than anyone expected within health care," Ben-Simon said.

There were attacks against health care organizations in 2015 as well, including large breaches at Anthem, Premera and Excellus Blue Cross/Blue Shield. Ben-Simon noted that in 2015 a few massive institutions were impacted by the theft of over 100 million health care records.

"The 2016 research and analysis was a big wake up in that it shows a broadening of attacks from the largest institutions to a broad mid-section," Ben-Simon said. "This broad mid-section includes not only hospitals, but large physician practices, cancer treatment centers, urology center, MRI/CT scan centers, surgical centers, skilled nursing facilities (SNFs) and diagnostic laboratories."

"Attackers are exploiting their market opportunity quickly, finding the weakest points on which to land and expand, and they are reaching out to do so using new tools like ransomware to improve their return on investment," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.