Hospitals OT Security : Address the security risks of medical devices and promote effective cybersecurity procedures
The recent Omnibus amendments to the Federal Food, Drug, and Cosmetic Act include monitoring devices in use across connected-hospital infrastructure.


The 2023 "Omnibus" or Consolidated Appropriations Act was signed into law on December 29, 2022. This act includes several provisions related to cybersecurity, including section 3305, titled "Ensuring Cybersecurity of Medical Devices". This provision amended the Federal Food, Drug, and Cosmetic Act (FD&C Act) by adding section 524B, which aims to ensure the cybersecurity of devices used in the medical industry.


The Omnibus amendments to the FD&C Act went into effect on March 29, 2023, and authorize the Food and Drug Administration (FDA) to require medical device manufacturers to take measures to include security by design or add cybersecurity protections to their products before they are brought to market. This is a significant development in the medical industry as it provides a framework for ensuring the security of medical devices that are vulnerable to cyber threats.


Under the new regulations, the requirements for cybersecurity design and best practices will apply to all future medical devices on the market, and the Government Accountability Office is tasked with gathering and reporting on challenges to the adoption and implementation of the legislation's requirements. The implementation of this regulation will require close collaboration between manufacturers, regulators, and other stakeholders in the medical industry to ensure that devices are designed and manufactured with security in mind.


Medical devices that are used to collect, store, or transmit sensitive patient data are at particular risk of cyber attacks. The new regulations will ensure that these devices are designed and manufactured with robust cybersecurity features to prevent unauthorized access or malicious attacks.


In addition to the new regulations, implementing the NIST Cybersecurity Framework can provide a comprehensive framework for medical device manufacturers to ensure that their products are designed and developed with cybersecurity in mind. This framework includes five functions: identify, protect, detect, respond, and recover, and provides guidance for implementing best practices to reduce cybersecurity risks.


Overall, the new regulations related to medical device cybersecurity are an important step towards improving the security of the medical industry. However, it will require ongoing collaboration and effort from all stakeholders to ensure that these devices are secure and protected against cyber threats.


What’s Changing in the Regulations?


The legislation's emphasis on cybersecurity design and best practices will apply to all future medical devices on the market, marking a significant shift in the industry's approach to medical device cybersecurity. The new regulations require device manufacturers to implement security measures before their products are brought to market, which is a significant change from the previous approach, which involved addressing security issues as they arose during the device lifecycle.


Device manufacturers must now submit a plan to the FDA within 90 days of the bill's enactment that outlines how they will monitor, detect, and remediate vulnerabilities and exploitation through vulnerability disclosures, information sharing, and incident response plans. They must also ensure that the devices they manufacture include secure-by-design features, offer updates and patches when software vulnerabilities are discovered and disclosed, and provide a full software bill of materials (SBOM) for all components in each device, including commercial/proprietary, open-source, and off-the-shelf or third-party software components.


The legislation also increases government requirements, including tasking the GAO with report writing and review, publication of guidance on the content of premarket submissions for management of cybersecurity in medical devices, provision of public resources on improving device cybersecurity, and issuance of a report by the Comptroller General of the U.S. to assess challenges for stakeholders in accessing federal support to address vulnerabilities across federal agencies.


Overall, the addition of section 524B creates a new category for device manufacturers to compete in - cybersecurity. The legislation will address specific security considerations for the industry and mark a step forward in the pursuit of outcome-based cybersecurity regulation. Nonetheless, it cannot alleviate the concerns surrounding currently deployed insecure devices and legacy technologies. The industry will have to continuously review and improve their cybersecurity procedures to ensure they are effective and aligned with the evolving threat landscape. Collaboration with industry partners and government agencies will also be crucial in sharing information about cybersecurity threats that affect IoT devices.


What’s Covered?


The scope of the Omnibus legislation is vast, covering a wide range of medical devices, from traditional medical equipment to internet of medical things (IoMT) devices. The inclusion of a broad range of devices is essential because medical devices that are interconnected or dependent on other devices or networks pose an increased risk of cybersecurity threats.


The types of medical devices at risk of cyber threats are numerous, including wearable health technologies, patient monitoring systems, insulin and pain management pumps administering medications, mobile telemetry devices, pacemakers, and cardiac defibrillators. By covering such a broad range of devices, the Omnibus legislation seeks to minimize the possibility of cyber attacks on any vulnerable devices.


However, the new regulations acknowledge that focusing solely on device security will not address all the cybersecurity concerns facing the healthcare sector. For instance, large networks that deploy many thousands of vendor devices at scale have other complexity issues that require attention to prevent worst-case scenarios. These complexities include network security, zero trust, and network segmentation, among others. Therefore, while the new regulations are a significant step towards securing medical devices, it is necessary to ensure that healthcare networks are also secure by implementing best practices and robust cybersecurity measures.


In summary, the Omnibus legislation provides broad-ranging measures to improve the cybersecurity of medical devices. It requires device manufacturers to include security measures before bringing products to market, to submit plans to monitor, detect, and remediate vulnerabilities, and offer updates and patches when software vulnerabilities are discovered. However, it is crucial to recognize that cybersecurity is an ongoing process, and all stakeholders in the healthcare sector must work together to ensure that medical devices and networks are secure.


What’s at Risk in Healthcare?


Some of the critical vulnerabilities found in medical devices include weak passwords, unencrypted communications, outdated software, lack of proper authentication, and inadequate logging and monitoring. The report also revealed that many of these vulnerabilities were due to hardcoded credentials, meaning that default usernames and passwords were built into the devices and could not be changed, leaving them vulnerable to exploitation.


In addition to the vulnerabilities in medical devices themselves, the interconnected nature of healthcare networks means that an attack on one device could have far-reaching consequences throughout the network. For example, a successful ransomware attack on a hospital's electronic health record system could disrupt patient care and potentially put lives at risk.


The new legislation regarding cybersecurity for medical devices is a step in the right direction, but it is important to recognize that it is just one piece of the puzzle in securing the healthcare sector. There is still much work to be done to address the broader cybersecurity challenges facing the industry, including legacy technologies, network security, and employee awareness and training. However, the increased focus on device security is a positive development that could lead to safer and more secure medical devices for patients.

  • 75% of infusion pumps studied had at least one vulnerability or raised at least one security alert
  • Imaging devices, such as X-Ray, MRI and CT scanners, were particularly vulnerable, with 51% of all X-Ray machines exposed to a high-severity CVE (CVE-2019-11687)
  • 44% of CT scanners and 31% of MRI machines were exposed to a high-severity CVE
  • 20% of common imaging devices were running an unsupported version of Windows


HHS Guidance for Implementing the NIST CSF


The US Department of Health and Human Services (HHS) released the "Health Care and Public Health Sector Cybersecurity Framework Implementation Guide" in March 2023. The guide aims to assist healthcare providers and facilities in implementing the NIST Cybersecurity Framework (CSF), but it is not mandatory. According to HHS, healthcare organizations need practical solutions to tackle cybersecurity challenges, and boards and executive management want more transparency about how cybersecurity management decisions are made. The guide covers five key categories for boards to consider:

  • Treating cybersecurity as an enterprise-wide risk management issue;
  • Understanding the legal implications of cyber risk specific to the company;
  • Ensuring adequate access to cybersecurity expertise and allocating regular and adequate time on the board meeting agenda for discussions about cyber-risk management;
  • Setting the expectation that management will establish an enterprise-wide cyber-risk management framework; and
  • Including identification of which risks to avoid, accept, mitigate, or transfer through insurance, along with specific plans associated with each approach, in discussions of cyber risks between the board and organizational management.

Monitoring and visibility are critical for reducing the time attackers can stay undetected and for limiting the damage they can cause in medical and healthcare systems, networks, and environments. These measures are also crucial for performing root cause analysis to determine whether an issue is caused by a cyber threat actor, equipment malfunction, misconfiguration, or a ransomware situation. With medical device manufacturers themselves acknowledging that managing a growing set of tools and technologies is a top security challenge, it is more important than ever to have visibility into these systems. This challenge is partly attributable to the lack of high-level ownership.

To build a mature security program, a trusted and responsible cybersecurity leader should consider the following four factors:

  • Network Status: A real-time map of the inventory of machines and computers communicating in the environment is crucial both for protection and for investigating any mishap or accident to understand the root cause of a cyber incident.
  • Product Vulnerabilities: Not all vulnerabilities have the same impact on the integrity and availability of systems. Some vulnerabilities are limited in scope, while others are covered by additional compensating controls that mitigate their severity.
  • Threat Actor Capabilities: A primary attack surface for medical devices is default credentials exposed over SSH. Once attackers gain entry, they inspect the underlying operating system to decide which payload to install, often to enlist the device in a botnet.
  • Data-Rich, Information-Poor: Behavioral analysis and anomaly detection can augment threat intelligence and the overall security posture. Continuous monitoring and analytics help security leaders diagnose the root cause of unexpected operational changes and deviations from baseline behavior.
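The four factors above describe a monitoring pipeline in general terms. The following script, added here as an illustration and not code from the article or from any vendor, shows what that looks like on constructed device telemetry: it builds an inventory and per-device communication baseline (Network Status), then reduces a live stream to a short alert list covering a device talking to a never-seen peer, repeated SSH authentication failures, and a successful login on a factory-default account name (Threat Actor Capabilities and Data-Rich, Information-Poor). The log format, device names, addresses and the `DEFAULT_ACCOUNTS` list are all assumptions made for the example.

```python
"""Added example: inventory + baseline + anomaly alerts over constructed telemetry.
The line format (ts device kind key=value...) is an assumption for this example;
a real deployment would parse its collector's native format."""
from collections import defaultdict

# Constructed learning-window telemetry: what "normal" looks like.
BASELINE_LINES = [
    "2023-04-01T08:00:00 infusion-pump-07 flow dst=pump-server.local:443",
    "2023-04-01T08:05:00 infusion-pump-07 flow dst=ntp.local:123",
    "2023-04-01T08:10:00 ct-scanner-02 flow dst=pacs.local:104",
    "2023-04-01T08:12:00 ct-scanner-02 flow dst=pacs.local:104",
    "2023-04-01T09:00:00 infusion-pump-07 flow dst=pump-server.local:443",
]

# Constructed live telemetry containing deviations worth a human's time.
LIVE_LINES = [
    "2023-04-02T02:13:00 infusion-pump-07 flow dst=pump-server.local:443",
    "2023-04-02T02:14:00 infusion-pump-07 flow dst=198.51.100.7:6667",  # peer never seen in baseline
    "2023-04-02T02:15:00 ct-scanner-02 ssh user=admin result=fail",
    "2023-04-02T02:15:05 ct-scanner-02 ssh user=admin result=fail",
    "2023-04-02T02:15:10 ct-scanner-02 ssh user=admin result=ok",  # default account eventually succeeds
    "2023-04-02T02:20:00 ct-scanner-02 flow dst=pacs.local:104",
    "2023-04-02T02:30:00 mri-unit-11 flow dst=pacs.local:104",  # device missing from inventory
]

# Account names that commonly ship as factory defaults (constructed list; a real
# deployment would take these from the manufacturer's documentation).
DEFAULT_ACCOUNTS = {"admin", "root", "service"}


def parse(line):
    """Split one telemetry line into a dict of its fields."""
    ts, device, kind, detail = line.split(" ", 3)
    fields = dict(kv.split("=", 1) for kv in detail.split())
    return {"ts": ts, "device": device, "kind": kind, **fields}


def build_baseline(lines):
    """Network Status: inventory of devices and the peers each normally talks to."""
    peers = defaultdict(set)
    for ev in map(parse, lines):
        if ev["kind"] == "flow":
            peers[ev["device"]].add(ev["dst"])
    return dict(peers)


def detect(lines, baseline, fail_threshold=2):
    """Reduce a live stream to (device, reason, timestamp) alerts:
    unknown devices, new peers, SSH failure bursts, default-account logins."""
    alerts = []
    ssh_failures = defaultdict(int)
    for ev in map(parse, lines):
        dev = ev["device"]
        if dev not in baseline:
            alerts.append((dev, "unknown-device", ev["ts"]))
            continue
        if ev["kind"] == "flow" and ev["dst"] not in baseline[dev]:
            alerts.append((dev, f"new-peer {ev['dst']}", ev["ts"]))
        elif ev["kind"] == "ssh":
            if ev["result"] == "fail":
                ssh_failures[dev] += 1
                if ssh_failures[dev] == fail_threshold:  # alert once per burst
                    alerts.append((dev, f"ssh-failure-burst user={ev['user']}", ev["ts"]))
            elif ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append((dev, f"ssh-default-account-login user={ev['user']}", ev["ts"]))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LINES)
    for device, peers in baseline.items():
        print(f"{device}: {sorted(peers)}")
    for alert in detect(LIVE_LINES, baseline):
        print("ALERT", *alert)
```

Each alert ties back to an inventory entry, which is what makes root cause analysis possible: the new-peer alert on the pump and the default-account login on the scanner are the two events an analyst would pull first, while the unknown device is an inventory gap to close rather than an intrusion by itself.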


To obtain a comprehensive understanding of how OT/IoT security services are assisting hospital operations worldwide, schedule a demonstration with one of our system engineers to discover how we can assist you.
