Medical devices are part of the Internet of Things (IoT). They are a threat to patient privacy and, now, to patient safety. The Department of Health and Human Services and the Healthcare Industry Cybersecurity Task Force have agreed that medical devices are a primary threat vector for malicious cybersecurity attackers and for unintended malware incidents like NotPetya and WannaCry. It’s not if you will be breached, but when, and have you prepared?
The FDA, HHS and DHS met in September 2019 to discuss how to inform the public about the risks of medical devices. They discussed the current malware and vulnerabilities exploiting medical devices and IoT: BlueKeep, DejaBlue, EternalBlue and Urgent/11. All possess characteristics similar to WannaCry. Urgent/11 targets the operating system VxWorks, which is installed on over 2 billion medical and IoT devices.
This session will explain which devices are the most vulnerable and why. What is the current information regarding legislation and initiatives, effective procedures, and technical mitigations related to medical device vulnerabilities? How can Governance improve departmental collaboration and reduce the HDO’s risk exposure?
Patients have experienced adverse events or harms because of an insecure medical device (Ponemon Study on Medical Devices). Forty percent of HDOs and 31 percent of device makers are aware that patients experienced an adverse event or harm due to an insecure medical device. According to data in the study, while these respondents are aware that patients were affected, they do not know what the event or harm was (44 percent and 40 percent of respondents, respectively).
- IoT will create catastrophic breaches – 82%
- Cyber extortion (ransomware) will increase – 67%
- Security posture will worsen – 54%
- Executives don’t believe cybersecurity is strategic – 64%
- Executive boards are not briefed on cybersecurity – 68%
The FDA, under HHS, is working feverishly to get ahead of the problem of cybersecurity in healthcare medical devices. It recently released the Medical Device Safety Action Plan, but the plan falls painfully short, as the OIG reported in September 2018. The plan’s stated goals are:
- Explore regulatory options to streamline and modernize timely implementation of post market mitigations
- Spur innovation towards safer medical devices
- Advance medical device cybersecurity
- Integrate the Center for Devices and Radiological Health’s (CDRH’s) premarket and post market offices and activities to advance the use of a Total Product Life Cycle (TPLC) approach to device safety
There is Hope:
The discovery of the flaws in the programmers for Medtronic cardiac implantable electrophysiology devices (CIEDs), including pacemakers, is a bright spot for both the FDA and ethical hackers. Security researchers Billy Rios and Jonathan Butts disclosed the potentially life-threatening vulnerabilities in the machines to Medtronic in early January 2017.
After going back and forth with the company for months, Rios and Butts turned their research over to the FDA, which conducted its own analysis that earned a shout-out from FDA Commissioner Scott Gottlieb at the time.
Medical devices attached to patients are connected to the Internet. HHS, FDA, DHS and NIST all agree that medical devices are the #1 threat vector for malicious cybersecurity attackers and for unintended malware incidents like NotPetya and WannaCry.
Each hospital bed has an average of 13 devices. They are designed for remote access so that the medical device manufacturer can provide maintenance and support. The passwords are often left at their defaults, and the devices cannot run anti-malware software. They are the weakest link in the chain.
It’s not if you will be breached but when, and have you prepared? Exfiltration of e-PHI is on the rise, and now so is the risk to patient safety.
Which devices are the most vulnerable and why? What is the current information regarding legislation and initiatives, effective administrative procedures and technical mitigations related to medical device vulnerabilities? How can Governance improve departmental collaboration and reduce the HDO’s risk exposure?
Come learn more about this Wicked Problem and the guidance the Department of Health and Human Services has just released as the Best Practices for mitigating medical device cybersecurity threats across small, medium and large organizations.
February 6, 2020
CEU: 1.0 – Information Protection: Access, Disclosure, Archival, Privacy and Security
Ty Greenhalgh, HCISPP, Cyber Tygr CEO
Ty Greenhalgh has been dedicated to the healthcare information technology and information management industry for over 30 years. He is an ISC2-certified healthcare information security and privacy practitioner (HCISPP) and cybersecurity officer. His experience has leveraged advanced disruptive technology solutions to assist healthcare organizations in overcoming seemingly insurmountable challenges. Mr. Greenhalgh is an active member of several groups and associations, such as the Healthcare and Public Health Sector Coordinating Council’s Joint Cybersecurity Workgroup, the National Initiative for Cybersecurity Education (NICE) Workforce Development Workgroup, and the North Carolina Health Information and Communications Alliance (NCHICA) Biomedical Taskforce. While employed with 3M Health Information Systems for over 25 years, he worked in a variety of capacities supporting the advancement of disruptive health information management technologies, achieving landmark results, the highest performance evaluation reviews possible, and numerous awards. An early pioneer of the electronic medical record (EMR), Mr. Greenhalgh was awarded “Most Innovative Technology of the Year” by the Henry Ford Health System, in conjunction with AHIMA, for groundbreaking work in developing one of the first EMR systems to contain automated HIM workflow and electronic signature.