Healthcare security: Is unsupported hardware putting patients at risk?

Published: 26-May-2016

By Wim Remes of Rapid7

Wim Remes, EMEA manager of strategic services at Rapid7, explores the issue of unsupported hardware in healthcare settings

Digital technology is driving innovation and improving medical care, but at the same time, medical devices connected to hospital networks can have software vulnerabilities that expose them to attacks by cyber criminals.

In healthcare, cyber security can potentially be a matter of life or death. And, with more and more devices connected to the internet, the risk is real.

One issue is outdated and unsupported equipment. Just a few weeks ago, a number of software vulnerabilities were found in end-of-life versions of automated medicine supply cabinets that could have been exploited even by an attacker with a limited skillset. The affected versions are no longer supported by their manufacturers, so no software patch was provided to fix the security gaps.

Other industries are also forced to rely on unsupported hardware and products, so healthcare is in fact no exception. The crucial difference is that in healthcare, patients’ lives depend on the equipment.

There is a plethora of reasons why a healthcare organisation may end up having to run devices and software that are no longer supported. For example, budget constraints or the expertise of non-technical staff may lead to technologies being deployed beyond the lifecycle recommended by the manufacturer. Additionally, the complexity of the IT environment, combined with the need for more or less continuous availability of systems, means that even when patches are available, it can be almost impossible to deploy them.

However, there are some things that can be done to mitigate the security problem.

The first lever a healthcare organisation can use is to better manage the supply chain. As more devices become connected, how an equipment supplier manages the security of its devices – especially in the long term – should be a key factor in purchasing decisions. Hospitals and healthcare organisations need to demand from their partners that they commit to security. The simple truth is, if the customers don’t ask for it, the supplier won’t make it happen. This is especially true for larger organisations as they have the most purchasing power.

As healthcare organisations choose the technology to deploy, it is also important they strive to fully understand the components this technology will depend on. A device that requires a specific version of Windows, which will be end-of-life after a third of the device’s prospective lifetime has passed, is a liability waiting to happen. Buyers need to make sure there are assurances for, at the very least, the prospected lifetime.

Maintaining outdated equipment is often an economic choice. You will be hard pressed to find an executive that will approve the replacement of a multi-million-pound scanning device, or all insulin pumps, based on a security vulnerability report. The cost related to that decision is insurmountable for most healthcare organisations.

Moreover, the security of a system is always down to its weakest link. There will always be insecure equipment, so its presence should be accounted for in the architecture and design of the IT system from the beginning, instead of becoming an unpleasant surprise down the road.

While security should start with basics such as network segmentation and monitoring, something even more important can be done.

One of the biggest challenges with medical devices is that their key functionality, from a security point of view, is gathering, transporting and storing patient data. There are some standards, such as HL7, for healthcare data transportation, but they don’t even cover data security. For example, the HL7 standard specifically states that confidentiality and integrity are to be handled on the protocol layer.
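Because HL7 leaves confidentiality and integrity to the layers beneath it, the basics mentioned above (segmentation and monitoring) are what actually protect the patient data in transit. The Python below is an added illustration, not code from the article or from Rapid7: it reviews constructed flow records for HL7 v2 messages that cross a segmentation boundary or travel in clear inside MLLP framing, and shows how readable the patient identifier is when they do. The zone address ranges, host addresses and message contents are all assumed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed zoning (not from the article): medical devices in 10.20.0.0/16, the HL7
# integration engine in 10.30.0.0/24; only device -> engine may cross the boundary.
ZONES = {"medical-devices": ipaddress.ip_network("10.20.0.0/16"),
         "integration-engine": ipaddress.ip_network("10.30.0.0/24")}
ALLOWED = {("medical-devices", "integration-engine")}
MLLP_START, MLLP_END = b"\x0b", b"\x1c\r"  # MLLP framing around an HL7 v2 message

@dataclass
class Flow:
    src: str
    dst: str
    payload: bytes  # first bytes seen on the connection

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def is_plaintext_hl7(payload):
    # A readable MSH header inside MLLP framing means the message is unencrypted.
    return payload.startswith(MLLP_START + b"MSH|")

def hl7_patient_id(payload):
    """Return the PID-3 patient identifier from a plaintext HL7 v2 message, or None."""
    body = payload.strip(MLLP_START + MLLP_END).decode("ascii", "replace")
    for segment in body.split("\r"):
        fields = segment.split("|")
        if fields[0] == "PID" and len(fields) > 3:
            return fields[3].split("^")[0]
    return None

def review_flows(flows):
    """Flag flows that break segmentation and HL7 messages crossing the wire in clear."""
    findings = []
    for f in flows:
        if (zone_of(f.src), zone_of(f.dst)) not in ALLOWED:
            findings.append({"src": f.src, "dst": f.dst, "reason": "segmentation violation"})
        if is_plaintext_hl7(f.payload):
            findings.append({"src": f.src, "dst": f.dst, "reason": "plaintext HL7 on wire",
                             "patient_id": hl7_patient_id(f.payload)})
    return findings

# Constructed sample traffic: an ADT admit message from an infusion pump to the engine,
# the same message leaking to an unknown host, and a TLS ClientHello (opaque, as it should be).
HL7_MSG = (MLLP_START + b"MSH|^~\\&|PUMP1|WARD3|IE|HOSP|20160526||ADT^A01|MSG0001|P|2.5\r"
           b"PID|1||123456^^^HOSP^MR||DOE^JANE\r" + MLLP_END)
SAMPLE_FLOWS = [Flow("10.20.5.7", "10.30.0.10", HL7_MSG),
                Flow("10.20.5.7", "192.168.77.4", HL7_MSG),
                Flow("10.20.5.8", "10.30.0.10", b"\x16\x03\x01\x00\xc4\x01")]
```

Even the permitted device-to-engine flow is reported, because a plaintext MLLP link still exposes the PID segment to anything else on the path; only the TLS-wrapped flow produces no finding.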

If we accept that most remote vulnerabilities are to be found at, or near, the interfaces that are exposed, we also know where to address them. Healthcare networks are rife with bespoke communication constructions that could be replaced with an agreed-upon standard between vendors, with security as a core requirement for the new standard. When it comes to people’s lives and people’s health, vendors should have no incentive to push their own standard.

However, that doesn’t clear the manufacturers of medical devices of their responsibility: it is clear that healthcare deserves a security-centric approach that separates core functionality from ‘nice-to-have’ features.

There are a number of reasons why healthcare systems may not be as secure as they could be; complex systems, budget constraints, and lack of ongoing support from vendors are just some of them. It will take all parties working together, keeping the safety of patients in mind, to meaningfully minimise the risks the healthcare industry currently faces.

Thanks to heightened awareness, we are already seeing more and more stakeholders, including vendors, users, and regulators, prioritising the need for security in healthcare solutions. Progress can be, and is being, made.

Until we all unanimously recognise long-term security as a core requirement for healthcare technologies, and build and manage products and systems accordingly, we will only be secure until the next vulnerability is found.

The time to act is now.