
Safeguard Medical Devices: New H-ISAC Guidance on Cusp of FDA Rule


Written by

Carley Thornell

August 24, 2023


Carley Thornell is a former Industry Marketing Strategist for Healthcare and Life Sciences at Akamai. She has a deep background in thought leadership in the technology space, including leading the content strategy and research team at one of the country’s leading electronic health records systems.


The fourth quarter is notable across the healthcare ecosystem for myriad reasons. Payers have their peak season of open enrollment, and providers race to complete annual exams for their patient panels. 

In the HCIT sector, autumn 2023 also brings an important milestone: Beginning October 1, the US Food and Drug Administration (FDA) will exercise its authority to refuse medical device manufacturers’ premarket submissions if they do not include cybersecurity software and update capabilities.

It’s about time. According to a recent FBI report, 53% of connected medical devices and other Internet of Things (IoT) devices in hospitals have known critical vulnerabilities; one-third of healthcare IoT devices have an identified critical risk that could potentially affect their technical operation and functions. 

Hacked devices are a danger to patients worldwide

In particular, the American Hospital Association cited FDA warnings that some insulin pumps could be at risk of attack from hackers. This isn’t exactly unprecedented news: In 2011, the issue got headlines when a researcher at the Black Hat USA conference demonstrated how wireless insulin pumps could be remotely hacked in a way that could cause patient deaths.

But given the exponential growth of HCIT devices — especially diabetes management technology, as noted in FitchSolutions’ 2023 mid-year report on key medical device themes and market trends — the dangers could accelerate. 

“This is a major concern for the country, and other countries as well,” Dr. Mark Jarrett, Senior Health Advisor for Northwell Health told WNYW-TV New York, saying there’s a “life-threatening risk” to patients. 

Legacy technologies most at risk

There are tremendous clinical and financial benefits to be gained from the integration of devices that perform remote patient monitoring, deliver medication, and provide virtual care. 

The new FDA rule, however, does not apply to the millions of medical devices already in use: legacy technologies that lack essential security updates or encryption protocols. A large cyberattack surface therefore remains, with implications across the healthcare ecosystem. 

“We have been living with that risk and will continue to live with that risk,” Vikrant Arora, the Chief Information Security Officer at the Hospital for Special Surgery (HSS), also told WNYW. 

Incident response contingency plans

Unlike many smaller hospitals (those that lack departments to monitor and upgrade systems, and those whose financial instability could lead to closure), HSS has multiple contingency plans. 

“In case a device is compromised, there’s a playbook on how to respond to the incident without impacting patient care significantly,” Arora said. 

Those protocols are in line with recommendations from the Health Information Sharing and Analysis Center (H-ISAC). H-ISAC’s new white paper, Improving Medical Device Security by Moving From Shared to Defined Responsibility, includes pivotal guidance surrounding the complex update, patch, and vulnerability management processes. 

Communicating key recommendations 

In the past, a significant challenge was that groups like healthcare delivery organizations and medical device manufacturers assumed that tasks such as hardening, access control, and vulnerability management would be handled by the other party, resulting in unaddressed vulnerabilities. 

H-ISAC’s guidance includes a more defined approach, advocating more communication and teamwork to establish a responsible/accountable/consulted/informed (RACI) matrix. 

Key recommendations include: 

  • Define task responsibilities among stakeholders to reduce the overall risk of failure 

  • Use a responsibility assignment matrix to define task obligations for all parties supporting medical devices (H-ISAC provides a suggested comprehensive and customizable template)

  • Continually update — and communicate the updates — to matrixes 

  • Gain an understanding of the responsibility distribution of operating software solutions from "black box" medical devices to cloud services

A lack of security can cost money — and lives

The H-ISAC report follows a CISA advisory about unsupported or end-of-life software. While lack of capital investment in new equipment is understandable, especially for cash-strapped organizations facing skyrocketing operating costs after the pandemic, history shows that the effects of not addressing potential security threats could be critical. 

Ransomware attacks target vulnerabilities

In 2017, North Korean nation-state hackers exploited a Windows vulnerability (called EternalBlue) in the WannaCry ransomware attacks. Although Microsoft had patched the vulnerability in supported editions, unsupported editions, such as Windows XP and Windows 8, remained vulnerable. 

It’s estimated that 90% of the U.K.'s National Health Service (NHS) employed Windows XP, an operating system that Microsoft stopped updating in 2014. The WannaCry attacks forced NHS facilities to cancel thousands of appointments and scheduled operations, with financial implications of an estimated £92 million.

The danger of default passwords

Despite high-profile attacks, IDC recently noted that “it is not uncommon for medical devices to still have their default passwords and settings, which can be easily discovered in manuals posted online by threat actors.” 

The CISA report notes that the use of fixed or default passwords and credentials is “dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.” The U.S. government agency also issued the same advisory for the use of single-factor authentication for remote or administrative access to systems that support the operation of “designated Critical Infrastructure and National Critical Functions (NCF).” 

Prevent, secure, and empower

Akamai can help with those concerns:

  • Prevent employee account takeovers and data breaches with Akamai MFA, our phish-proof multi-factor authentication (MFA). 

  • Secure your hybrid workforce while improving access with Akamai Enterprise Application Access

  • Empower your healthcare IT teams with a prevention-first approach instead of an alert-only approach, no matter whether devices are legacy or brand-new, with a Zero Trust security model: the most comprehensive approach of all when devices that were probably never intended to be connected to anything now must connect to almost everything.

Prevention really can be the best medicine (in more ways than one!) in healthcare.
