Last week, the U.S. Food and Drug Administration advised hospitals not to use Hospira’s Symbiq infusion system, concluding that a security vulnerability enables hackers to take remote control of the system. The agency issued the advisory some 10 days after the Department of Homeland Security warned of the vulnerability in the pump.
My view is that this will be the first of many advisories.
For years, manufacturers of medical devices depended on the “kindness of strangers,” assuming that devices would never be targeted by bad actors. EKG machines, IV pumps, and radiology workstations are all computers, often running unpatched old operating systems, ancient Java virtual machines, and old web servers that no one should currently have deployed in production.
In the short term, hospitals must do their best to isolate medical devices from the internet and from other computing devices that could infect them. At BIDMC, we have three wireless networks:
- A guest network for patients and families
- A secure network for clinicians and staff
- A device network for medical devices that is not connected to the internet or the other two networks.
Further, we use firewalls around medical devices to prevent them from communicating to outside parties.
Over the past few years, I’ve asked medical device manufacturers to give me a precise map of the network ports and protocols used by their devices so that I can build a “pinpoint” firewall — only allowing the minimum necessary transactions from/to the device. Many manufacturers do not seem to know the minimum necessary communication requirements for their products.
A few years ago, BIDMC had a reportable breach when a medical device manufacturer removed our hospital-provided security protections in order to update a device from the Internet. It took about 30 seconds for the unprotected device to become infected and transmit data over the Internet. The Office of Civil Rights adjudicated that it was the manufacturer, not BIDMC, which was responsible for the breach. We were advised to follow any visiting manufacturer reps around the hospital to ensure that they do not remove hospital provided security protections in the future.
Some manufacturers have claimed that adding operating system patches, intrusion detection/prevention and other cybersecurity defenses will require them to recertify their devices with the FDA.
That is simply not true. The FDA has issued guidance declaring it the responsibility of the manufacturers to secure their devices. No recertification will ever be needed for adding new protections.
In the short term, CIOs need to build “zero day” defenses, creating an electronic fence around vulnerable devices. In the medium term, manufacturers must update their products. In the long term, medical devices must be designed from the ground up with security as a foundational component.
Whenever I write about a topic, I avoid hyperbole. In this case, the threat is real. I have experienced it myself, and CIOs must act.
My advice, after securing your own perimeter — get the CTOs of your medical devices on the phone and ask them for their security roadmap. If they do not have one, plan to change your vendor. We’re already doing that with some devices because attention to this issue by some manufacturers has been insufficient.