Prioritizing controls and detection can buy IT teams time when medical devices are attacked

Regulatory controls can provide a false sense of security, but there's a way to get ahead of cyber adversaries, said panelists at the HIMSS24 Healthcare Cybersecurity Forum.
By Andrea Fox
06:45 AM

From left, session moderator Desjardins and panelists Angle and Johnson

Photo: HIMSS Media

ORLANDO – During the HIMSS24 panel discussion "Securing the Modern Connected Hospital," James Angle, product manager of information security at Trinity Health, and hacktivist for hire Kevin Johnson, chief executive officer at Secure Ideas, encouraged healthcare cybersecurity leaders to gain an edge on cyber adversaries that seek to compromise vulnerable medical devices by knowing when to patch medical devices, focusing on configurations and prioritizing monitoring for these inevitable attacks.

Dr. Benoit Desjardins, professor of radiology and medicine at the University of Pennsylvania, moderated the discussion on the cybersecurity maintenance of internet of things (IoT) devices. The conversation also dove into how the regulatory landscape can ease or confound healthcare's cyber defenders, ending with a healthy debate on the current direction of device cyber control regulatory oversight.

Advice on patching and detection strategies

"The day you buy a new medical device, it's a legacy device," said Angle. "The day you put it into service, treat it like a legacy device, because if it's not out of date when you put it into service, it's going to be shortly thereafter."

Meanwhile, new vulnerabilities are discovered each day, and certain devices cannot be taken offline without causing patient harm.

No organization will ever be 100% complete on their device patching needs, but Angle said the best way to catch up is when devices have to be taken out of service.

"Every medical device has a maintenance period where they have to have maintenance done on it and be taken out of service," he said. "It's either quarterly, monthly, annually, semiannual – but it has to be done. That's the time you catch up." 

Johnson added that the rest of the time, healthcare organizations should treat medical devices like "hand grenades."

"It just means that you have to pay attention to what compensating controls you have in place," he said. "Because somebody like me is going to come around, see that device, and evaluate how we can laterally move because of it. So, if you pay attention to compensating controls, if you pay attention to monitoring and extrusion detection and things like that, you'll be in better shape."

The white hat hacker's advice to healthcare organizations, drawn from his own offensive engagements:

"What you want to do is you want to focus on detecting when I get in, slowing me down as much as possible so that as I try to get through the tarpit to get to your organization, you have time to react."

Angle added, "The other advantage to monitoring like that and identifying it and making it difficult is if your hospital is really hard to hack into and this other hospital is not, guess where [the hacker is] going?" 

Hackers opt for easier targets with higher rewards, they both agreed. 

"So, you're looking at making it difficult, and like [Johnson] said, you're not going to stop them," said Angle. "Somebody's going to make a mistake, somebody's going to do something, and they're going to find a way; make it as difficult as possible," he advised.
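The panel's advice boils down to three defensive checks on the device segment: know what each device is allowed to talk to, flag anything it initiates beyond that (lateral movement inside the hospital, or "extrusion" to the internet), and notice when a device starts probing its neighbours. The script below is an added example, not code from the panelists or their organizations. It assumes a hypothetical device inventory, per-class destination allowlists, an internal address plan, a made-up flow-log format and a scan threshold; the sample flow records are constructed.

```python
"""Egress and lateral-movement detection for a medical-device network segment.

Added example with constructed data. Each device class may only initiate
connections to an explicit allowlist of internal services (e.g. the PACS
server on DICOM port 104). Any other device-originated flow is a finding:
an internal destination outside the allowlist suggests lateral movement,
a destination outside the hospital's address plan suggests data
exfiltration, and many distinct ports toward one host suggests a scan.
"""
import ipaddress
from collections import defaultdict

# Hypothetical device inventory: device IP -> device class (assumption).
DEVICE_CLASS = {
    "10.50.1.10": "infusion_pump",
    "10.50.1.11": "infusion_pump",
    "10.50.2.20": "ct_scanner",
}

# Hypothetical per-class allowlist of (destination IP, destination port).
ALLOWED_DESTINATIONS = {
    "infusion_pump": {("10.20.0.7", 443)},                     # drug-library server
    "ct_scanner": {("10.20.0.5", 104), ("10.20.0.5", 11112)},  # PACS over DICOM
}

# The hospital's own address plan (assumption); anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12")]

# A device touching this many distinct ports on one host is treated as
# scanning (assumption; tune to the environment).
SCAN_PORT_THRESHOLD = 5


def parse_flow(line):
    """Parse a constructed flow-log line: '<ts> <src> <dst> <dport> <proto> <bytes>'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}


def is_internal(ip):
    """True if the address falls inside the hospital's address plan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(flow):
    """Return a finding type for a device-originated flow, or None if expected."""
    cls = DEVICE_CLASS.get(flow["src"])
    if cls is None:
        return None                      # not a managed device; out of scope here
    if (flow["dst"], flow["dport"]) in ALLOWED_DESTINATIONS[cls]:
        return None                      # expected clinical traffic
    if is_internal(flow["dst"]):
        return "lateral_movement"        # unexpected internal destination
    return "egress"                      # device reaching outside the hospital


def detect(lines):
    """Run every flow through the checks and return a list of findings."""
    findings = []
    ports_seen = defaultdict(set)        # (device, target) -> distinct dports
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        kind = classify_flow(flow)
        if kind:
            findings.append({"type": kind, **flow})
        if flow["src"] in DEVICE_CLASS:
            ports_seen[(flow["src"], flow["dst"])].add(flow["dport"])
    for (src, dst), ports in ports_seen.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append({"type": "port_scan", "src": src, "dst": dst,
                             "ports": sorted(ports)})
    return findings


# Constructed sample capture: one normal PACS transfer, one normal update
# check-in, a pump probing a workstation, a scanner sending 50 MB to an
# external address, and a non-device host that the script ignores.
SAMPLE_FLOWS = """
# ts                  src         dst           dport proto bytes
2024-03-12T09:00:01  10.50.2.20  10.20.0.5     104   tcp   8192000
2024-03-12T09:00:05  10.50.1.10  10.20.0.7     443   tcp   2048
2024-03-12T09:01:10  10.50.1.11  10.20.0.9     445   tcp   512
2024-03-12T09:01:12  10.50.1.11  10.20.0.9     3389  tcp   512
2024-03-12T09:01:13  10.50.1.11  10.20.0.9     22    tcp   512
2024-03-12T09:01:14  10.50.1.11  10.20.0.9     135   tcp   512
2024-03-12T09:01:15  10.50.1.11  10.20.0.9     5985  tcp   512
2024-03-12T09:03:00  10.50.2.20  203.0.113.44  443   tcp   52428800
2024-03-12T09:04:00  10.20.0.30  10.20.0.5     104   tcp   1024
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_FLOWS.splitlines()):
        print(f)
```

Run against the constructed capture, the script reports five lateral-movement flows and one port-scan finding for the pump, and one egress finding for the scanner; the PACS and update traffic produce nothing. The value of the allowlist is that it is small and stable for fixed-function devices, so the alert rate stays low enough that a team can actually react while the attacker is still in the tarpit.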

Minus 72 hours, but still accounting

When Desjardins asked how unintended regulatory consequences have adverse effects on hospital network attacks, Angle flagged the requirement to report an incident to the Department of Homeland Security within 72 hours as a sticky wicket. 

"That's right in the middle of when you're trying to respond to it and you're up to your neck in alligators," he said as he described the position IT leaders find themselves in when their organizations are victim to a cyberattack.

"And DHS now decides to get into your business because if you call them, they're going to be there, and they're going to take resources away from your response so that they can feel good about getting their reports on time," Angle said, noting that he worked for the agency previously.

"You will hear them say, 'Well, we wouldn't do that.' Don't believe it; they will," he asserted. 

While hampering a healthcare organization's response is not what Congress intended, he said, "that's what's going to happen."

Johnson added that "it is very unlikely that you know what the heck happened" by 72 hours. 

"You don't know how impacted the systems are, especially as we find more and more that the ransomware attack is actually an exit strategy."

Johnson said that while cybercriminals want money, they also want to cover their tracks.

"As somebody who has done incident response for hospital chains, for medical devices, for all this kind of stuff, do you know how difficult it is to get indicators of compromise, logs and TTPs out of that system if it's encrypted?"

Device security in premarket approvals

Desjardins also asked about U.S. Food and Drug Administration medical device premarket approval submission requirements that went into effect late last year. He noted that the new cybersecurity provisions not only require manufacturers to outline a device's security, they also need to provide a post-market cybersecurity program and an SBOM – a software bill of materials.

Since the goal is "to essentially make sure that any new device introduced to the FDA would be secure," Desjardins asked if the legislative action has made any impact.

Angle suggested that what the FDA released as premarket guidance lacks teeth. 

"If you look at that guidance, the header on every single page says, 'This is not enforceable'; it's just guidance. It's nice to say, we want you to do this to secure your devices, but there's no enforcement mechanism," he said.

Regulations have not made Johnson's job more difficult, the hacktivist said.

"The regulations have actually made my job easier because a lot of hospitals and organizations will deploy these devices and assume a level of control, a level of security that doesn't actually exist," said Johnson.

"We now have seen hospital chains, hospital groups … that have weakened their security because the FDA is going to enforce it for them. They deploy systems and they assume the vendor is doing the right thing, which makes sense – security is a cost," he continued. 

"They actually lower the amount of security they put in place."

When asked if there should be an effort to create more regulations for legacy medical devices, Angle was equally circumspect.

"The problem: unintended consequences," he said, explaining that most health systems have "tens of thousands of medical devices." 

Updates can cost a fortune, and smaller hospitals would not have the funding to keep up with such a requirement, he said.

"I don't think regulation is the answer," Johnson added.

"I think the real answer is contracts. The only way you're going to effectively get vendors to do stuff, hit them where it hurts, the money you pay them – if you can hold them accountable," he said.

FDA guidance is strengthening device security controls 

One attendee, a speaker scheduled later in the forum, disagreed with the characterization of recent IoT regulatory efforts, arguing that the FDA's premarket guidance is changing how medical devices are regulated.

After thanking the panel for the presentation, Dr. Christian Dameff, medical director of cybersecurity for UC San Diego Health, asked the audience by a show of hands which attendees were from medical device manufacturers.

Then he asked: "Keep your hand up if you think that the FDA's medical device cybersecurity guidance is guidance and you don't care about it. Please keep your hand up if you don't use that to inform your decision-making."

All hands went down.

"I wish to just say that I think there's a fundamental mischaracterization of the FDA's premarket guidance that you've expressed on the stage today," Dameff said. 

"And the reason being, is although it's printed on the page as guidance, it has absolutely fundamentally changed how medical device manufacturers see cybersecurity and how they have implemented new controls and will continue to," he said.

"Because at the end of the day, although it's going to take some time, they're in a much better space than they are now, and they are rejecting devices for approval based solely on cybersecurity controls. That they have never done in history," Dameff continued. 

Johnson responded that daily he finds "brand new devices that have met the FDA approval running on hospital networks that are more insecure than if you were running Windows XP connected to the internet."

He said that when testing medical devices, he's still finding the same ports open.

"I'm not saying the vendors don't care. … I am saying that that guidance has not been effectively moving the needle to better protect patients," he clarified.

Johnson continued, "The reality is the devices are still insecure, patients are still at risk, and I am regularly actively exploiting organizations via those medical devices, even ones that have been deployed and built this year."

"That's not possible because those devices haven't even hit the market yet," Dameff rebuked. 

"You clearly do not understand this, and it's actually really frustrating," he said, as the forum moderator, Erik Decker, Intermountain Health's chief information security officer and co-chair of the HHS 405(d) Task Group, was already at the podium and closed the session.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
