1

Incoming! Medical Device Cybersecurity Alerts on the Rise

Session 291, February 14, 2019

Juuso Leinonen, Senior Project Engineer, ECRI Institute

Chad Waters, Senior Cybersecurity Engineer, ECRI Institute

2

Juuso Leinonen

Has no real or apparent conflicts of interest to report.

Chad Waters

Has no real or apparent conflicts of interest to report.

Conflict of Interest

3

• ECRI Institute – Medical device cybersecurity overview

• Rising number of medical device security alerts

• Challenges in responding to security alerts

• Methods to prioritize medical device alerts

• Recommendations

Agenda

4

1. Identify measurable changes in vendor reporting

of software and cybersecurity recalls and field

correction notices

2. Define key challenges faced by healthcare IT

and clinical engineering departments in

responding to cybersecurity recalls and notices

3. Formulate practical approaches to enable

facilities to effectively address threats and

vulnerabilities with medical devices

Learning Objectives

5

• Independent, not-for-

profit research institute

• Mission:

– Improve patient safety,

cost effectiveness, and

quality of healthcare

ECRI Institute

7

ECRI’s Top Ten Health Technology Hazards

8

2019 - #1. Hackers Can Exploit, Remote Access to Systems, Disrupting

Healthcare delivery

2018 - #1. Ransomware and Other Cybersecurity Threats

2017 - #6. Software Management Gaps Put Patients, and Patient

Data, at Risk

2016 - #10. Misuse of USB Ports Can Cause Medical Devices to

Malfunction

2015 - #9. Cybersecurity: Insufficient Protections for Medical Devices

and Systems

9

#1 Ransomware and Other Cybersecurity Threats to Healthcare Delivery Can Endanger Patients

10

Top 10 Health Technology Hazards 2019

10

11

ECRI – Medical Device Cybersecurity

• Increased member interest in cybersecurity

• Increase in problem reports related to cybersecurity

• Increase in vendor notifications about cybersecurity

12

Alerts Tracker - Recall Management System

13

050

100150200250300350400450

Medical Device IT Alerts

ECRI AlertsTracker Database

14

0

10

20

30

40

2014 2015 2016 2017 2018

Medical Device Cybersecurity Alerts

ECRI AlertsTracker Database

15

Cybersecurity Alerts Process

• Triage incoming security notifications

– ICS-CERT

– Vendor Security Bulletins

– ECRI member hospitals

– Security researchers

• ECRI Medical Device Security Team determines whether additional clarification or guidance is needed

– No- Publish as it is through ECRI Alerts Tracker

– Yes- Initiate problem report investigation to determine additional useful context or practical recommendations

• Distribute security notifications through ECRI Alerts Tracker

16

Challenges in responding to security alerts

• Difficult to identify medical devices that are impacted

– Incomplete inventory is common

• Insufficient details recorded in the asset management system about software versions, operating systems, and networking

• Inventory may be lacking standardized product and manufacturer names

– One alert can impact entire product lines of medical devices

17

• Who is responsible for implementing the remediation?

– Medical device vendor

– Clinical Engineering (CE)

– IT

• CE and IT collaboration continues to be a challenge

Challenges in responding to security alerts

18

• Is update / patch available to address the security concern?

– Yes, available

• Is vendor assistance required to apply the mitigation?

– Assistance from vendor field service technician often required

• What is the clinical workflow impact?

– Equipment downtime estimate

– Alternative device availability can reduce impact

Challenges in responding to security alerts

19

• Is update available to address the security concern?

– Not available

• What is the vendor timeline for remediation?

– Sometimes included in the security notice

– Can be several months

• Is a temporary mitigation / compensating controls required?

– Scalability is an issue with custom compensating controls

Challenges in responding to security alerts

20

Challenges in responding to security alerts

• How to effectively categorize the impact and likelihood associated with an alert?

– Standard framework can aid in the assessment

21

How to prioritize medical device security alerts?

22

Common Vulnerability Scoring System (v3.0)• CVSS scores indicate the severity of a potential vulnerability

• Range from 0-10 in increasing severity, scored based on the following attributes

Rating CVSS Score

Low 0.1 - 3.9

Medium 4.0 - 6.9

High 7.0 - 8.9

Critical 9.0 - 10.0

23

• 2018 analysis

– 30 medical device related advisories

– 14 different medical device vendors

– 130 different CVEs

• Some vulnerabilities with only CVSS 2.0 score

– 34 CVEs in a single advisory

– Some advisories contained groups of devices / product lines

ICS–CERT Analysis

24

0

10

20

30

40

50

Low Medium High Critical

Vulnerability Severity (CVSS)

25

0

20

40

60

80

100

Adjacent Local Network Physical

Attack Vector

26

0

20

40

60

80

100

120

Confidentiality Integrity Availability

Classification of Vulnerabilities

High Low None

27

47

81

Attack Complexity

High Low

28

Assess the Risk - Likelihood

• Very high— Threat is almost certain, or more than 100 events occur per year

• High— Threat is highly likely, or 10 to 100 events occur per year

• Moderate— Threat is somewhat likely, or 1 to 10 events occur per year

• Low— Threat is unlikely, or an event occurs once every 1-10 years

• Very low— Threat is highly unlikely, or an event occurs less than once every 10 years

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

29

Assess the Risk - Impact

• Very high — Multiple severe or catastrophic effects

• High — Severe or catastrophic:

– severe degradation of organization mission capability, loss of ability to perform a core function, major damage to assets, major financial loss, significant harm to individuals involving death or threat to life

• Moderate — Serious adverse effect:

– significant degradation in mission capability, without loss of ability to perform core functions; significant damage to assets; significant financial loss; significant but non-life-threatening harm to individuals

• Low — Limited adverse effect:

– degradation in mission capability such that the organization can perform core functions, but the effectiveness of those functions is reduced; minor damage; financial loss; minor harm to individuals

• Very low — Negligible

30

Healthcare Specific Impacts

• Patient safety risks

– Delay to patient care, can result in patient harm

• PHI / sensitive information breaches

• Financial risks

• Risks to reputation

Impact Environment of Use

Device

Criticality

Available Alternative

Devices

Amount of PHI

on Device (no.

of records)

High

High risk, including OR,

ICU, trauma Life-sustaining

No clinically viable

alternative 5,000+

Moderate

Medical/surgical floors, ED,

labor and delivery,

radiotherapy , oncology Therapeutic

Available alternative

devices have significant

drawbacks 500-4,999

Low Physical therapy, radiology Diagnostic

Available alternative

devices are largely

equivalent 1-499

Very low

Physician office, long-term

care Elective Readily available 0

Impact Factors for Medical Devices

Overall Likelihood Impact

Very Low Low Moderate High Very High

Very high Very low risk Low risk Moderate risk High risk Very high risk

High Very low risk Low risk Moderate risk High risk Very high risk

Moderate Very low risk Low risk Moderate risk Moderate risk High risk

Low Very low risk Low risk Low risk Low risk Moderate risk

Very low Very low risk Very low risk Very low risk Low risk Low risk

Source: National Institute of Standards and Technology (NIST). Guide for conducting risk assessments. NIST

Special Publication 800-30, Rev 1. 2012 Sep. Available from:

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.

Risk Matrix

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

33

Recommendations

• Ensure complete inventory of medical devices and related systems

– Leverage a standard acceptance inspection for medical devices for the initial record

– Conduct review of records during periodic preventive maintenance

– Review accurate records during any repair

34

• Software/firmware versions

• Operating system

• IP address

• MAC address

• Network configuration such as DHCP (Dynamic Host Configuration Protocol)/static wireless configuration

• Nature of data stored or transmitted (and magnitude of that data)

• Authentication, authorization, and auditing methods

• System owner

• Criticality of care (life supporting, therapy delivery, diagnostic)

• Age (product life cycle)

Recommended Inventory Data Points

35

Recommendations

• Designate a project owner/champion for medical device security alerts

– May be in Clinical Engineering and/or IT

– Emerging role of Medical Device Security Specialist

• Establish a process to review and respond to medical device security alerts

– Where to get the alerts?

• ICS-CERT, Vendor, ISAOs, ECRI

– Who to contact with the manufacturer?

• Establish a list of medical device security contacts

36

• Assess impact and likelihood to aid in prioritization of security alerts

• Characterize downtime impact to clinical workflow

• Establish standardized scalable compensating controls when e.g., update is not available

• Consider running table-top and hands-on training exercises with scenarios that include unavailable network-connected medical devices or systems

Recommendations

37

Summary

• Medical device cybersecurity was ranked as #1 Health Technology Hazard by ECRI for 2019

• Medical device cybersecurity alerts are on the rise

• Paramount to allocate sufficient resources and establish processes to manage the rising medical device security alerts

38

Questions?

Chad WatersSenior Cybersecurity Engineer / Senior Project OfficerECRI Institute cwaters@ecri.org

Juuso LeinonenSenior Project EngineerECRI Institute jleinonen@ecri.org

mailto:cwaters@ecri.orgmailto:jleinonen@ecri.org