Imagine a senior government official with a pacemaker and the chilling scenarios that could play out if a hacker could overcome this device’s defenses.
It sounds like something ripped out of a movie script, but it’s slowly creeping closer to reality. There were concerns that former vice-president Dick Cheney’s pacemaker could be hacked. And it turns out those concerns were not unfounded. Last year, for instance, the FDA recalled half a million pacemakers due to security concerns.
Does sleek equal weak?
The problem with medical devices is that their security presents numerous challenges for doctors and hospitals. The medical establishment’s difficulties, however, present opportunities for MSPs who are willing to enter the market. To understand the problem, though, you need to look at the industry as a whole.
Smarter MSP caught up with Shelby Kobes, president of Minnesota-based Kobes Security, which specializes in medical device security. Kobes has sounded the alarm for years about lax security in the medical industry, pointing to vulnerabilities associated with pacemakers, defibrillators, and dialysis machines. He wrote his master’s thesis about the topic back in 2013, and since then, he says, the problems have only gotten worse.
“Fundamentally, medical devices run the same as any other, but where you run into challenges with them is that many times there is a limited capacity to deal with security,” Kobes explains. A small, sleek medical device is only built to perform a specific function, which, in the case of a pacemaker, is to regulate a heartbeat.
“There is not a lot of extra space or computing ability or hardware to throw on a complicated security design,” Kobes explains. If you want to encrypt it, you need a rather robust, strong processor. Due to its size, that type of processor can’t easily be put in an insulin pump or a pacemaker.
“The biggest restraint is power consumption. Manufacturers try to make these devices a certain size, so they make them simple. It’s good for performance function, but not so good for complex security,” Kobes says.
Government oversight missing
Kobes states that lax government oversight is another problem. The government has not put forth rules requiring baseline security standards. While Kobes doesn’t discount the threat to high-ranking officials with medical devices, he sees the real danger as coming from sloppy data protection.
One of the larger concerns is how hospitals store their information on a larger scale. “Can hackers get into the data and get access to records? And, are they selling that information?” Kobes asks.
Hospitals make attractive targets, and there have been numerous incidents where ransomware has caused some hospitals to pay. “Hospitals are trusted, people go because they feel safe. Isn’t that what terrorism goes after? Because of that, we need to make sure this isn’t the next attack surface,” Kobes states.
A petri dish of problems
Another issue impacting device security is the “culture of medicine” as a whole. “The culture around them is to provide health to a patient, not to provide security… you have to strike a balance somewhere. Patients are understandably willing to sacrifice device security for their health,” Kobes says.
Hospital labs were designed to treat human viruses, not computer viruses. And that thinking jeopardizes hospitals to this day. When it comes to security, some hospitals have their acts together, but most don’t. All too often, hospitals don’t even know which IoT devices are in the network, Kobes explains.
“Do they know what information the devices hold and what they don’t? Do they have an idea of what vendors are walking into their hospitals each day and performing services? Vendors move in and out at will, and that is a big vulnerability,” Kobes says.
Kobes recommends solid baselines: if a device gets employed in a hospital, it must meet certain standards. He notes, however, that this doesn’t happen.
“The problem is that hospitals were designed to treat patients and that is what we want,” Kobes says. Add to that, doctors do risky things all day long: replace a stent, operate in someone’s brain, poke around in a colon, riskier things than hardly anyone else could even imagine. “With all that risk all day you then go to these doctors and say ‘your laptop isn’t secure,’ and they just look at you and say ‘uh, okay.’”
And when hospitals do have a skilled IT team in place, they are often walled off from the rest of the establishment. When a CT machine goes down, usually the biomedical people are called.
“But it takes biomedical, IT, and building operations,” Kobes says. Hospitals need to take the approach used at a traffic accident, where EMS is called to secure the patient, police are called to clear the road, and the fire department is called to offer back-up. They need the same coordinated plan for security, and that plan is just as important as, if not more important than, device security.
The opportunity for MSPs
“It is getting too unwieldy for a hospital to manage all this information in different servers and platforms in their own environment. There are server rooms in the basements of hospitals that are gigantic, and I can’t imagine them keeping that up,” Kobes shares. Soon more and more hospitals will reach deals with MSPs to manage their data, allowing MSPs to focus on data security so hospitals can focus on healthcare.
Some MSPs are already managing hospital data and devices, but the trend may be just beginning.
Photo: Tridsanu Thope/Shutterstock