Putting device security first

Technology can be a powerful way to improve and save lives, but unsafe devices can also seriously endanger them.

After reading the recent Ponemon study of medical devices, it’s hard to escape the thought that the path we’re on will lead to a future where technology becomes both increasingly powerful and increasingly dangerous.

The statistics within the Ponemon report are both disturbing and, if you’ve talked to people in healthcare IT security, not terribly surprising. According to the respondents in the study, only 9 percent of healthcare device manufacturers and 5 percent of healthcare delivery organizations (HDOs) say they test medical devices yearly, while 53 percent of HDOs and 43 percent of manufacturers do not test devices at all. Only 17 percent of device makers and 15 percent of HDOs are taking significant steps to prevent attacks. And only 22 percent of HDOs and 41 percent of device makers have an incident response plan in place in the event of an attack on vulnerable medical devices.

While these figures might imply that both HDOs and manufacturers see little risk in the use of these devices, that’s not borne out by the rest of their responses: 67 percent of device makers believe attacks on devices built by their organizations are likely and 56 percent of HDOs believe such attacks are likely.

Indeed, many device makers and HDOs are already aware of attacks taking place. Thirty-one percent of device makers and 40 percent of HDOs say they are aware of security incidents with connected medical devices. Among respondents who were aware of such incidents, 38 percent of those in HDOs say they are aware of inappropriate therapy/treatment delivered to the patient because of an insecure medical device and 39 percent of device makers confirm that attackers have taken control of medical devices.

Given the problems with insecure devices, who do manufacturers and HDOs believe is responsible for ensuring the security of these devices? While 41 percent of HDOs believe they have primary responsibility for the security of medical devices, almost one-third of both device makers and HDOs say no one person or function in their organizations has primary responsibility.

Within the disturbing statistics of this study we can find some important lessons. What is it that we need to do to get to a future where technology isn’t putting us at risk of life-threatening catastrophe?

Security is everyone’s responsibility

When everyone in an organization thinks that accountability for securing technology belongs to someone else, the reality is that there is no one taking responsibility. Security departments in this type of environment exist only as scapegoats; someone to act as cannon fodder or to take the blame when things inevitably go wrong.

Well-secured companies make everyone take part of the responsibility for security, making sure that everyone is equipped with enough knowledge, time and funding to do their job safely. In reality, this is often not the case, and you find yourself having to make the best out of far-less-than-ideal circumstances. In this case, it’s all the more important that everyone helps contribute to implementing and actively using multiple layers of protection.

Security must be planned from the beginning

Technology vendors and users alike should be practicing rigorous and ongoing risk assessment to secure their environments, and to decrease the risk of shipping or using insecure or even actively compromised devices. There are many resources available to help organizations begin this process, including this guide published by the National Institute of Standards and Technology (NIST).

Technology manufacturers should be designing devices from the outset with good privacy and security practices in mind: the seven foundational principles of Privacy by Design are laid out in this report. Once a solid framework is in place, secure coding practices can help ensure that fewer errors are introduced along the way.

Manufacturers and users must test devices

Quality assurance testing is a crucial part of ensuring not just a functional product but also a safe one. Those performing static as well as dynamic testing throughout the development process should not just focus on the absence of malicious or erroneous code, but on how one could use intended, benevolent functionality for malicious purposes.

Testing should not end when products are shipped out the door. User environments are rich with often-perplexing variables that may not have been considered by the manufacturers. Each organization – especially those using healthcare devices – should give new technology a thorough shakedown in a test environment to improve the chances of finding problems before they’re rolled out to their main network.

It is time to stop kicking the can down the road when it comes to creating and using secure connected devices. We all need to be part of the process of securing devices before putting them on our networks and, when necessary, rejecting those products that fail to meet basic security guidelines.

By Lysa Myers, Security Researcher, ESET

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker’s Hospital Review/Becker’s Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.