Medical Device Cyber-Vulnerability Casts a Cloud Over Growing Use

HL: So much of what healthcare faces in this cybersecurity crisis is a crisis of education. Many breaches seem to be traceable to social engineering. What interesting or novel efforts exist to improve the education effort?

Carmody: Security is a harsh discipline and not kind to amateurs. If I’m a financial analyst at some firm and I work with spreadsheets all day, and my organization’s security posture depends on me to also be a security analyst and not open potentially malicious spreadsheets, then it’s game over. Are we surprised with the results of trying to make everyone a security expert? Education can only go so far. Security can’t be hard for people just trying to get their own job done.

HL: As the internet of things proliferates, economic forces that prevent medical devices from being secure by design are going to be a bigger and bigger problem. What carrots or sticks can be brought to bear on medical device manufacturers to assure security despite those economic forces?

Carmody: We need a healthcare supply chain, shift left strategy, where lawmakers and regulators require [that] healthcare technology vendors’ technology must be secure by design. We need the upstream tech supply chain to supply technology to those vendors that is secure by design and can be integrated securely and easily. We need arbiters of security that can assess, at scale, the adequacy of security that removes the burden from the consumers (hospitals, clinicians, and patients). Lastly, when things go wrong, we should notice, and liability should be shared by the producers of the technology, not just the consumers of technology.

HL: Are the breach reporting systems defined by HIPAA up to the mission? As HIPAA continues to evolve, are there things you would do to fix those systems?

Carmody: HIPAA largely punishes the consumer of healthcare technology debt, where problems manifest, not the producer who controls the amount of security debt in products they make. Therefore, HIPAA exerts limited upstream economic pressure on healthcare tech vendors who optimize to satisfy the letter of the law such as encrypting only Protected Health Information (PHI) data versus command data.

The HIPAA Security Rule has been in effect for over 14 years, but a 2019 study from CynergisTek reports the healthcare industry has only managed to achieve 72% compliance with it, which may seem like a good score, but one that doesn’t measure risk or actual security. Data show that breaches are increasing. In other words, we’re not any better at security.

HL: What lessons have you learned from the COVID-19 pandemic about what’s working, what isn’t, and how the health tech industry is rising to the challenge, with so many more lives on the line?

Carmody: At a time when healthcare is critically focused on pandemic response is also the time that they are the most vulnerable to threats. Hospitals, which operate on thin margins, cut IT staff to stay afloat while revenues dropped, but still needed to deliver care to COVID patients. Data show that adversaries took advantage.

The healthcare industry has made tremendous progress and that must be acknowledged. The issuance of multiple guidance documents from international regulatory bodies and industry leaders, and the voluntary engagement by device vendors and security researchers at the DEF CON BioHacking Village, are signs that times are changing. However, the tension between healthcare and security is rooted in the fact that healthcare’s first job is to deliver healthcare. Therefore, technologies built to serve healthcare are built primarily to deliver on healthcare features, not security features, like monitoring, that would help connect security events with patient outcomes. As a result, the healthcare industry accrues security debt, yet paradoxically, healthcare must also deliver healthcare securely because any lack of security threatens the ability of the healthcare ecosystem to function. This tension must be resolved for any additional progress to occur.