By Peter Arant   /   Feb 4th, 2020

Medical Device Cybersecurity Risks Prompt US Government Safety Notices

When it comes to cybersecurity in healthcare, protecting patient data is a key objective. In today’s connected world, medical device cybersecurity is critical because cyber threats to connected medical devices now pose a dual risk: exposure of Protected Health Information (PHI) and direct harm to patient safety.

Medical Device Cybersecurity Risks Evolve

Recently, the federal government issued safety notices concerning medical monitoring devices manufactured by GE Healthcare Systems. The notices concern vulnerabilities in certain GE Healthcare Clinical Information Central Stations and Telemetry Servers used to collect and display data from multiple patient monitoring devices. The vulnerabilities at issue could “allow an attacker to remotely take control of the medical device and to silence alarms, generate false alarms and interfere with alarms of patient monitors connected to these devices.”

The safety notices were issued by both the US Food and Drug Administration (FDA) and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), through its Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) advisory program. The notices follow GE Healthcare’s own warning about the issue in November 2019.

According to GE Healthcare, the vulnerabilities, if exploited, could permit an attacker to:

  • Make changes at the operating system level of the device, with effects such as rendering the device unusable or otherwise interfering with its function, and/or
  • Make certain changes to alarm settings on connected patient monitors, and/or
  • Utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.

Successful exploits could not only allow unauthorized access to patient data, but also interfere with active patient monitoring. According to the company, the danger is higher if the devices and systems are connected to improperly configured Mission Critical (MC) and/or Information Exchange (IX) networks.

For more information on how to close these medical device cybersecurity vulnerabilities, as well as guidance on remediation, visit GE Healthcare’s information page. The vulnerabilities were originally brought to GE Healthcare’s attention by the medical device security firm CyberMDX, and there have been no reported incidents involving them.

As for addressing the problem, GE Healthcare plans to issue software updates and patches. In the meantime, it recommends that providers ensure their MC and IX networks are properly configured and isolated from other hospital networks, so that the remote-viewing and control services on the central stations and telemetry servers are not reachable from general-purpose clinical or administrative segments.
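The isolation recommendation above is easy to state and easy to get wrong in a real firewall policy, where an overly broad "allow" or a misordered rule quietly re-exposes the monitoring segments. The following is an added example (not code from the original article, GE Healthcare, or CyberMDX) of a small first-match policy audit: it takes a constructed rule set and asks, for every distinct source a rule could admit from the general hospital networks, whether that source can reach a host in the MC or IX segment on a remote-access port. Every address, zone name, port number and rule below is an assumption constructed for the demonstration and does not describe any real hospital or the affected products.

```python
"""Audit a first-match firewall policy for isolation of the MC and IX
segments from the general hospital networks.

All subnets, hosts, ports and rules here are constructed for this example;
they are not the page's, GE Healthcare's or any real deployment's values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPNet = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: IPNet
    dst: IPNet
    port: Optional[int]    # None matches any TCP port


def net(s: str) -> IPNet:
    return ipaddress.ip_network(s)


# Constructed topology (assumption, not real addressing).
MC_NET = net("10.10.0.0/24")            # Mission Critical: bedside monitors, telemetry
IX_NET = net("10.11.0.0/24")            # Information Exchange: central stations
OUTSIDE_NETS = [net("10.20.0.0/16"),    # general clinical LAN
                net("10.30.0.0/16"),    # administrative LAN
                net("10.50.0.0/24")]    # IT management segment
APPROVED_SOURCES = {ipaddress.ip_address("10.50.0.10")}   # hardened jump host for vendor support
REMOTE_ACCESS_PORTS = [22, 3389, 5900]  # illustrative remote-access services to probe

# Constructed weak policy: first match wins, implicit deny at the end.
WEAK_POLICY = [
    Rule("allow", net("10.50.0.10/32"), IX_NET, 22),
    Rule("deny",  net("10.30.0.0/16"),  MC_NET, None),
    Rule("allow", net("10.20.0.0/16"),  IX_NET, None),    # whole clinical LAN reaches central stations
    Rule("allow", net("0.0.0.0/0"),     MC_NET, 5900),     # remote-viewing port open from anywhere
    Rule("deny",  net("0.0.0.0/0"),     net("0.0.0.0/0"), None),
]

# Constructed hardened policy: only the jump host, only the port it needs.
HARDENED_POLICY = [
    Rule("allow", net("10.50.0.10/32"), IX_NET, 22),
    Rule("allow", net("10.50.0.10/32"), MC_NET, 22),
    Rule("deny",  net("0.0.0.0/0"),     net("0.0.0.0/0"), None),
]


def first_match(policy, src_ip, dst_ip, port) -> str:
    """Return the action of the first rule matching the flow (default deny)."""
    for r in policy:
        if src_ip in r.src and dst_ip in r.dst and r.port in (None, port):
            return r.action
    return "deny"


def probe_sources(policy, outside_nets):
    """One representative address per outside net and per (outside net, rule
    source) intersection, so every distinct rule source gets exercised rather
    than just the first host of each subnet."""
    srcs = set()
    for onet in outside_nets:
        srcs.add(onet.network_address + 1)
        for r in policy:
            if r.src.overlaps(onet):
                inter = r.src if r.src.subnet_of(onet) else onet
                srcs.add(inter.network_address if inter.num_addresses == 1
                         else inter.network_address + 1)
    return sorted(srcs)


def audit_isolation(policy, protected_nets, outside_nets, ports, approved):
    """List (source, protected net, port) flows that an unapproved outside
    source is allowed to open into a protected segment."""
    findings = []
    for dnet in protected_nets:
        dst = dnet.network_address + 1     # representative device in the segment
        for src in probe_sources(policy, outside_nets):
            if src in approved:
                continue
            for port in ports:
                if first_match(policy, src, dst, port) == "allow":
                    findings.append((str(src), str(dnet), port))
    return findings


def run_audit(policy):
    return audit_isolation(policy, [MC_NET, IX_NET], OUTSIDE_NETS,
                           REMOTE_ACCESS_PORTS, APPROVED_SOURCES)


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, run_audit(policy))
```

Against the weak policy the audit reports the clinical LAN reaching the IX segment on every probed port and any hospital host reaching the MC segment on port 5900; the hardened policy yields no findings. The same shape of check can be run against an exported rule set from a real firewall, but the probe set must then be generated from that policy's actual sources, and the protected and approved addresses must come from the hospital's own inventory.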

Medical Device Security is One of the Top Five Threats

Concerns surrounding the security of connected medical devices continue to increase. The publication “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) lists the five biggest cybersecurity threats facing healthcare. The publication, which was developed by HHS together with individuals from across the healthcare industry, lists attacks against medical devices as one of these threats.

The HICP publication also provides examples of security practices that can reduce medical device cybersecurity risks:

  • Implement security operations practices for devices, including hardening, patching, monitoring, and threat detection capabilities
  • Ensure access controls for clinical and vendor support staff, including remote access, monitoring of vendor access, multifactor authentication, and minimum necessary or least privilege
  • Require strong information security assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities
  • Require pre-procurement security requirements for vendors
  • Establish and maintain communication with medical device manufacturer’s product security teams
  • Use a template for contract language with medical device manufacturers and others

In addition, the FDA has extensive information and resources on medical device security on its website.

How to Reduce Medical Device Cybersecurity Risks

What can hospitals and other providers do to improve their approach to medical device cybersecurity? The first thing to recognize is that a wide range of security controls is necessary. Medical device security isn’t just about technical measures like patch management and network segmentation. It’s also about non-technical measures like vendor management and properly assessing the risks posed by these devices. Be sure your approach to medical device security includes a comprehensive and well-defined list of controls that addresses each identified threat.

Security threats to connected medical devices aren’t going anywhere. The safety notices concerning the GE Healthcare devices are a good reminder of that. To date, the FDA has not identified any patient injuries or deaths resulting from a cybersecurity incident. However, given the number of connected medical devices and their critical importance to patient safety, these threats must be taken seriously. For additional information, read Fixing the Medical Device Security Gap and HIPAA Security Rule: 5 Common Shortcomings to learn about the technical, physical and administrative controls that address these vulnerabilities.

Contact us if you need help identifying and closing HIPAA compliance gaps or reducing cybersecurity risks.

About the Author

Peter Arant

Peter is a Senior Security Consultant with LMG Security and holds his J.D. from the University of Montana School of Law. He specializes in conducting risk assessments, policy and procedure development, cyber insurance policy review, HIPAA compliance, GDPR compliance, and other compliance services. Prior to joining LMG, Peter managed his own law practice, helping clients with regulatory compliance, technology, privacy and security. He received the Montana State Bar Association’s Frank I. Haskell Award in 2015 for his publication, “Understanding Data Breach Liability: The Basics Every Attorney Should Know.”