#RSAC: Security of Networked Medical Devices must Accommodate Real-World Medical Practice

Written by

Infusion pumps are one of the most ubiquitous medical devices in the United States, but even as they provide patients with nutrients and medication, they also provide hackers with a potential entry point into hospital networks.

Nathan Lesser, Deputy Director of the National Cybersecurity Center of Excellence (NCCoE), has been working with healthcare organizations to study how best to secure networked medical devices like infusion pumps without impeding the work of doctors and nurses.

In a talk at the 2016 RSA conference in San Francisco, Lesser described the value of health data to criminals.

“Estimates put the street value of patient information at somewhere between six and ten times that of financial information,” he said. “The risks are scary. They’re big. They’re bad.”

Medical infusion pumps comprise two parts: a delivery controller and a communications subsystem. The devices live on a network to allow them to relay alarms to a nursing station, provide real-time data, and even update medical records.

Not only can hackers disrupt the actions of a pump itself, Lesser said, but they can also use the pump to attack other services – and even to gain access to patients’ medical records.

Lesser says it’s important for NCCoE and healthcare organizations to share information and insight in both directions. Hospitals, he said, often omit basic security measures not out of ignorance, but because they want nothing to impede their established procedures for delivering healthcare.

He described how a neurosurgeon talked him through a hospital’s securely encrypted system for moving MRI images around the network. It sounded great, Lesser said, until the doctor revealed that he doesn’t actually use the encrypted system because it’s too slow. Instead, technicians text him unsecured images.

 “We have to understand how they’re thinking through this,” Lesser said. “If we’re not thinking about how systems are used and implemented in the real world, frankly we’re not helping anybody.”

The NCCoE’s research is made more difficult by the fact devices vary in their vulnerabilities, and institutions have individual, ingrained, and sometimes idiosyncratic policies and practices. There’s no way to impose a clean, one-size-fits-all solution.

“We can’t say, ‘Let’s pretend hospitals don’t have anything already, and we’re only going to give them things that are good,’” he said.

Lesser continues to actively solicit input from hospitals to help find ways to better protect medical devices and the patients who use them. In addition, because medical devices can’t just be pulled off-line in the event of a breach or a newly identified vulnerability, he’s working to address both current and future problems.

“Vulnerabilities that exist today are not nearly as interesting to people we’re trying to interdict as the vulnerabilities that will exist tomorrow,” he said. “How do we put in measures to address unknown and future vulnerabilities? The security research community has to think beyond today.”

While existing medical devices will no doubt create a long legacy of vulnerability issues, Lesser says the NCCoE is also thinking about how to make new equipment safer.

“There’s an environment out there that we need to secure,” he said. “As part of that we have to think about that equipment pipeline, and how can we bake in security.”

What’s hot on Infosecurity Magazine?