Kevin Fu, head of the Archimedes Center for Medical Device Security at the University of Michigan

Medical devices riddled with security vulnerabilities

June 20, 2013
by Carol Ko, Staff Writer

An uptick in cybercrimes has spurred the U.S. Food and Drug Administration to put the medical device industry on notice.

Medical devices that fail to satisfy the agency's newly drafted cybersecurity guidelines may soon be blocked from approval once the guidelines are finalized later in the year, according to the agency.

If finalized, this directive may have far-reaching consequences for medical manufacturers and how they design their products in the future.

Health IT experts say it's about time. Years ago in a laboratory experiment, Kevin Fu, head of the Archimedes Center for Medical Device Security at the University of Michigan, demonstrated how he could hack into a combination heart defibrillator and pacemaker to induce potentially fatal electric jolts.

There's no need to panic just yet — such a threat is currently only theoretical. But experts say these vulnerabilities demonstrate how far behind the medical industry is on cybersecurity measures that have long been standard in the consumer electronics space.

DOTmed Business News tracked Fu down so we could get his thoughts on the FDA directive, potential worst-case scenarios, device security, and projections for the future.

DMBN: First off, I know it's difficult to quantify the number of security breaches that happen, but can you point to any source that says these incidents are increasing?

KF: I was one of the first people to submit a report through the Medwatch 3500 process on an AED external defibrillator — it was the only one they received that year. Now I'm told they're receiving reports a couple of times a month.

And just recently there was just one person who discovered they were able to obtain the administrative passwords of over 50 medical devices, giving them complete control over each device including its function, its software and its behavior.

DMBN: What sort of cyber attacks have happened in the past?

KF: All the incidents I'm aware of are malware that accidentally gets into a medical device. For instance, in my lab we have a pharmaceutical compounder, a device that creates nutrients taken intravenously. And it happens to run Windows XP, a piece of software that is ten years old and riddled with security vulnerabilities, yet it's still being deployed. Think of our outdated home PC software that got hit with malware — we've probably replaced them ten years ago. But guess what? They're still in hospitals.

DMBN: Do you think malware will eventually evolve to intentionally target medical devices?

KF: I hope that doesn't come to pass. It's pretty clear to me we're a nation of homes and we don't have locks on our doors, but so far there hasn't been any problem. But you know what? If you leave your house unlocked, eventually there's going to be a problem, so we should think about how to reduce the chance that our doors are going to be opened.

DMBN: Are there certain devices that are more vulnerable than others to hacking?

KF: The good news is that higher consequence devices seem to have better security. So for instance, in the implantable device community, many companies have some of the better engineering practices for security because they're so high consequence.

On the other hand, while devices like MRI machines, mammography, and other radiological imaging may be lower consequence, in my experience they also tend to be more vulnerable because they tend to be running commercial, off-the-shelf software like Windows XP — software that has accumulated ten years of security flaws that have not been patched.

DMBN: So you'd say imaging equipment is particularly vulnerable?

KF: It varies. It depends on how good they are at keeping their software up to date with known vulnerabilities, so it really depends on their patching strategy. But patching alone is not good enough.

I would say we're in the very early stages of developing protections. In IT systems that have better security they're worrying about something called a zero day worm — that's when you have zero warning before a vulnerability becomes exploited. In other words, even patching won't help. There are already instances of this in general purpose computing.

But right now in the medical community, we're not even in that stage — we're still worrying about whether we get a patch out in ten years. The medical community has a long way to go before it can consider itself up to consumer-grade security.

DMBN: Do you think the FDA guidelines are effective?

KF: Let me first state what they do best. They do a good job of highlighting key items such as hazard analysis and traceability matrices — techniques to identify risks and make sure you have a mechanism to mitigate the risks.

On the other hand, one of the problems with the draft is, it's not totally clear some of their suggestions will lead to better outcomes. For example, hidden passwords. We all know what happens when we're told to change our passwords once a year — we put it on a sticky note and put it in our desk drawer.

So I don't think having hidden passwords is going to be an effective strategy. But the general guidance for better security at the design stage of the device is going to produce a meaningful difference in the safety of these devices.

DMBN: Some of these suggestions seem surprisingly basic — like having password protection, for example.

KF: Many of these things are basic — there are some manufacturers doing some pioneering work in security but there are more manufacturers that are somewhat in the dark and are looking for some indicators from FDA on what they're going to look for.

But there are certain subtleties on the passwords front, however, and some pretty good reasons for not having passwords on certain devices — a pacemaker for example. When I log in to my email, if I take three times and screw up, I don't mind if my email gets locked out for an hour. If I get my password wrong in my medical device that's implanted, I'd obviously like to get in. It creates a very challenging design space.

DMBN: What are some of the challenges manufacturers will face with these new guidelines?

KF: I don't think all manufacturers will have to redesign — I know some manufacturers are already taking these steps but are hesitant to speak up and say they're doing that.

My suspicion is that they don't want to draw attention to themselves to become a target. Although they're trying to do the best job they can, security is like insurance — things can always go wrong. Still, there are steps you can take to reduce the likelihood of a catastrophic event at the early design stages.

DMBN: What are some of the steps manufacturers can take in the design stage to strengthen cybersecurity?

KF: So a lot of them will seem kind of boring — one is, for instance, identifying a threat model. What exactly is the threat you're going to be designing against? If you're going to hook up a medical device occasionally to the internet, is your threat a potential virus that can get in on a 30-second window? If a manufacturer skips this basic step, they will create mechanisms that are more like snake oil, without clear benefit.

You can say, slap on some encryption or a password. Well that's nice, but does that address a specific potential vulnerability or potential threat? These problems are really more for the engineers to work out on the whiteboards in their design groups, but there's a big managerial component as well.

DMBN: Can you elaborate on that? What managerial issues hinder cybersecurity?

KF: It's what's known as a diffusion of responsibility. When it comes to security there's often quite a bit of finger pointing. The hospital might say, 'well, the manufacturer won't provide us with a device that we can secure.' The manufacturer might say, 'well, the hospital isn't willing to pay for it.' The FDA addresses both groups in their guidelines.

The manufacturers are the only ones who can change the design space — and they've now received notice from the FDA about the importance of cybersecurity at that early design phase.

The hospitals, on the other hand, have been given the advice that they need to start reporting. If you don't report, there is no way for regulators to make risk-based decisions — the statistics will be much more meaningful that way.

DMBN: But medical device malfunctions are universally underreported right now, right?

KF: Yes, that's true. But if you look in the FDA databases as of a year ago they have zero security reports — even though if you go to any hospital and you ask the head of IT they will tell you about the malware getting into their devices. It simply was not reaching the desks of the people able to evaluate the risks at the national level.

DMBN: In an ideal world, how do you think devices will be secured against cyber attacks in the future?

KF: I have a 164-year research plan to solve this, I kid you not! One hundred and sixty-five years ago Ignatius Semmelweis suggested that physicians should wash their hands when working with patients to avoid mortality and morbidity. People thought it was heresy. How dare you question the cleanliness of a physician's hands! And we still have hand-washing problems today.

So I don't think the cybersecurity question is going away any time soon, but I'm optimistic that the best way of solving these problems is being upfront about the vulnerabilities in the early design stages.

In the long term, I see cybersecurity as a real enabler to give manufacturers, hospitals and patients the confidence to treat diseases that today we consider not treatable.