Do No Harm - Matthew Webster - E-Book

Do No Harm E-Book

Matthew Webster

Description

Discover the security risks that accompany the widespread adoption of new medical devices and how to mitigate them.

In Do No Harm: Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States, cybersecurity expert Matthew Webster delivers an insightful synthesis of the health benefits of the Internet of Medical Things (IoMT), the evolution of security risks that have accompanied the growth of those devices, and practical steps we can take to protect ourselves, our data, and our hospitals from harm. You'll learn how the high barriers to entry for innovation in the field of healthcare are impeding necessary change and how innovation accessibility must be balanced against regulatory compliance and privacy to ensure safety.

In this important book, the author describes:

* The increasing expansion of medical devices and the dark side of the high demand for medical devices
* The medical device regulatory landscape and the dilemmas hospitals find themselves in with respect to medical devices
* Practical steps that individuals and businesses can take to encourage the adoption of safe and helpful medical devices or mitigate the risk of having insecure medical devices
* How to help individuals determine the difference between protected health information and the information from health devices--and protecting your data
* How to protect your health information from cell phones and applications that may push the boundaries of personal privacy
* Why cybercriminals can act with relative impunity against hospitals and other organizations

Perfect for healthcare professionals, system administrators, and medical device researchers and developers, Do No Harm is an indispensable resource for anyone interested in the intersection of patient privacy, cybersecurity, and the world of Internet of Medical Things.


Page count: 683

Year of publication: 2021




Table of Contents

Cover

Title Page

Introduction

What Does This Book Cover?

Part I: Defining the Challenge

Chapter 1: The Darker Side of High Demand

Connected Medical Device Risks

Escalating Demand

By the Numbers

The Road to High Risk

Innovate or Die

In Summary

Notes

Chapter 2: The Internet of Medical Things in Depth

What Are Medical Things?

Historical IoMT Challenges

IoMT Technology

Current IoMT Challenges

In Summary

Notes

Chapter 3: It Is a Data-Centric World

The Volume of Health Data

Data Is That Important

This Is Data Aggregation?

Non-HIPAA Health Data?

Data Brokers

Big Data

Data Mining Automation

In Summary

Notes

Chapter 4: IoMT and Health Regulation

Health Regulation Basics

FDA to the Rescue?

The Veterans Affairs and UL 2900

In Summary

Notes

Chapter 5: Once More into the Breach

Grim Statistics

Breach Anatomy

In Summary

Notes

Chapter 6: Say Nothing of Privacy

Why Privacy Matters

Privacy History in the United States

The New Breed of Privacy Regulations

Technical and Operational Privacy Considerations

Privacy, Technology, and Security

The Manufacturer's Quandary

Bad Behavior

In Summary

Notes

Chapter 7: The Short Arm of the Law

Legal Issues with Hacking

Cybercrime Enforcement

Results of Legal Shortcomings

In Summary

Notes

Chapter 8: Threat Actors and Their Arsenal

The Threat Actors

The Deep, Dark Internet

Tools of the Trade

In Summary

Notes

Part II: Contextual Challenges and Solutions

Chapter 9: Enter Cybersecurity

What Is Cybersecurity?

Key Disciplines in Cybersecurity

In Summary

Notes

Chapter 10: Network Infrastructure and IoMT

In the Beginning

Networking Basics: The OSI Model

Mistake: The Flat Network

Alternate Network Defensive Strategies

Wireless Woes

In Summary

Notes

Chapter 11: Internet Services Challenges

Internet Services

Internet-Related Services Challenges

The Evolving Enterprise

In Summary

Notes

Chapter 12: IT Hygiene and Cybersecurity

The IoMT Blues

The Drudgery of Patching

Antivirus Is Enough, Right?

Misconfigurations Galore

In Summary

Notes

Chapter 13: Identity and Access Management

Minimal Identity Practices

Authentication

Privileged Access Management

Other I&AM Technologies

In Summary

Notes

Chapter 14: Threat and Vulnerability

Vulnerability Management

Vulnerability Management Strategies

Penetration Testing

New Tools of an Old Trade

In Summary

Note

Chapter 15: Data Protection

Data Governance

Data Loss Prevention

Enterprise Encryption

Data Tokenization

In Summary

Chapter 16: Incident Response and Forensics

Defining the Context

Incident Response

In Summary

Note

Chapter 17: A Matter of Life, Death, and Data

Organizational Structure

Risk Management

Mindset Challenges

Decision-Making

In Summary

Part III: Looking Forward

Chapter 18: Seeds of Change

The Shifting Legal Landscape

International Agreements

Technology Innovation

Leadership Shakeups

In Summary

Notes

Chapter 19: Doing Less Harm

What IoMT Manufacturers Can Do

What Covered Entities Can Do

Cybersecurity Innovators

What You Can Do

In Summary

Notes

Chapter 20: Changes We Need

International Cooperation

Covered Entities

More IoMT Security Assurances

In Summary

Note

Glossary

Index

Copyright

Dedication

About the Author

Acknowledgments

Preface

End User License Agreement

List of Tables

Chapter 6

Table 6-1: Relationship between IoT Violations and Privacy

Chapter 14

Table 14-1: CVSS v3.0 Ratings

List of Illustrations

Chapter 1

Figure 1-1: Example types of attacks against internet-connected medical devi...

Figure 1-2: Number of healthcare data breaches of 500 or more records

Chapter 2

Figure 2-1: The interconnection of IoMT technologies

Chapter 3

Figure 3-1: Relationship of data science to enablement technologies

Chapter 5

Figure 5-1: Number of exposed records 2005 to 2019

Figure 5-2: Average per record cost in a breach

Figure 5-3: 2019 PHI breached systems data

Figure 5-4: The cyber kill chain in a nutshell

Chapter 6

Figure 6-1: Example of a scytale

Figure 6-2: Top 7 reported types of identity theft and numbers (2019)

Figure 6-3: Some key privacy laws affecting the United States

Chapter 7

Figure 7-1: Comparison between traditional crime and cybercrime

Figure 7-2: Top 10 Countries generating cybercrime

Chapter 8

Figure 8-1: Development of malware in millions

Chapter 10

Figure 10-1: Network communication via the OSI model


Do No Harm

Protecting Connected Medical Devices, Healthcare, and Data from Hackers and Adversarial Nation States

 

 

Matthew Webster

 

 

 

Introduction

Along with the expanding challenges of the COVID-19 pandemic was another pandemic hitting our hospitals and healthcare systems in the United States—ransomware. Ransomware is software that cybercriminals use to render a computer or machine unusable. They then demand a ransom for a code that will (ideally) enable the compromised organization to disable the software and restore the machine to a usable state. The vulnerabilities and the weaknesses inherent in internet-connected medical devices help to enable these cybercriminals.

This book is about the relationships between vulnerable internet-connected medical devices, cybercriminals, and nation-state actors and how they not only take advantage of exceptionally vulnerable devices, but also profit from it.

But the story relating to insecure medical devices is much deeper than this. It is the story of American innovation and ingenuity—a story where cybersecurity often takes a back seat to the needs of saving human lives. That story, through no particular person's or organization's fault, has started to leave our hospitals in a more vulnerable state than ever before. Through the pandemic, the fundamentally flawed state of many internet-connected medical devices, along with insufficient global legal protections, has allowed organized crime and nation-state actors to collect trillions of dollars.

If you care about your data, your privacy, and why the situation is so dire from a cybersecurity perspective, this book is worth reading. It also offers a glimpse inside the perspective of a Chief Information Security Officer regarding the security and privacy of our data as a result of the decisions we have collectively made.

This book leans heavily on the cybersecurity perspective, as that is the perspective I know best. It does dive into the technical aspects of internet-connected medical devices, but then it jumps into law, big data, and other global challenges and ties them together in an overarching story about hospitals, data, and cybercriminals.

This book touches heavily on the technical aspects of protecting internet-connected medical devices, but its scope is much broader than that. It provides a larger legal, privacy, and threat landscape perspective, which completely shapes the context for why having insecure medical devices presents a challenge for today's hospitals.

What Does This Book Cover?

This book covers a broad range of subjects in and around the protection of data and the challenges related to IoMT.

Chapter 1: The Darker Side of High Demand
This chapter sets the stage for why internet-connected medical devices are so insecure. It explores some of the chief drivers for today's healthcare and why healthcare tends not to be overly focused on cybersecurity, historically speaking.

Chapter 2: The Internet of Medical Things in Depth
This chapter dives into the technical side of internet-connected medical devices. It defines what is and is not an internet-connected medical device, and explores the larger context of those devices and how they fit together with other technologies.

Chapter 3: It Is a Data-Centric World
This chapter explores many of the different facets of what is and is not medical data. The definition is often blurrier than we might expect, and the ramifications can be large—especially once big data is part of the overarching picture. The ramifications and risks are often not what they may seem.

Chapter 4: IoMT and Health Regulation
This chapter covers how HIPAA and other regulations relate to the deluge of data created as a result of internet-connected medical devices. It also looks at the enforcement mechanisms related to HIPAA through the Office of Civil Rights.

Chapter 5: Once More into the Breach
This chapter focuses on the actions of cybercriminals once they take initial steps into an organization. It covers why cybersecurity is so difficult with the vulnerabilities that internet-connected medical devices have and how attackers take advantage of those vulnerabilities.

Chapter 6: Say Nothing of Privacy
This chapter explores the history and evolution of privacy and how that privacy relates to both HIPAA data and the proliferation of data relating to internet-connected medical devices. It also brings surprising ties to big data and the challenges to the data market.

Chapter 7: The Short Arm of the Law
This chapter explores the global legal landscape and the related enforcement challenges and how that landscape only amplifies the challenges related to vulnerable internet-connected medical devices.

Chapter 8: Threat Actors and Their Arsenal
This chapter explores, at a high level, the various threat actors, some of the characteristics of their arsenal, and why they are so effective at their tradecraft.

Chapter 9: Enter Cybersecurity
This chapter provides an in-depth introduction to what cybersecurity is. It explores some of the basic tradecraft of cybersecurity and related disciplines.

Chapter 10: Network Infrastructure and IoMT
This chapter explores what a network is, how it is set up, and some basic network architectures and tools that can be used to protect internet-connected medical devices from harm.

Chapter 11: Internet Services Challenges
This chapter reviews some of the basic services of the internet and how those services relate to internet-connected medical devices.

Chapter 12: IT Hygiene and Cybersecurity
This chapter describes the basics of IT hygiene, what it is, and why it is important. IT hygiene is also something that is not possible with internet-connected medical devices, which brings increased risks to those devices.

Chapter 13: Identity and Access Management
This chapter explores the complex world of identity and access management. It touches on the technology, the governance, the challenges that many internet-connected medical devices have, and how internet-connected medical devices affect the security posture of organizations.

Chapter 14: Threat and Vulnerability
This chapter explores the various tools and techniques related to discovering vulnerabilities within an environment and the associated challenges with internet-connected medical devices.

Chapter 15: Data Protection
This chapter explores some basic data protection strategies, governance, and tools related to protecting data. It has ties back to privacy, big data, IT, and other considerations.

Chapter 16: Incident Response and Forensics
This chapter explores incident response and forensics from a disciplinary perspective and how internet-connected medical devices can be a challenge to the two disciplines.

Chapter 17: A Matter of Life, Death, and Data
This chapter takes a step back from the details of cybersecurity to examine how all of the cybersecurity considerations fit into the bigger governance frameworks and why decision-making can be so challenging.

Chapter 18: Seeds of Change
This chapter explores some of the changes we need to better protect internet-connected medical devices. It explores everything from decision-making processes to hospitals, supply and demand, and so on.

Chapter 19: Doing Less Harm
This chapter covers some strategies that we can focus on to optimize the overall balance between competing needs related to securing internet-connected medical devices.

Chapter 20: Changes We Need
Despite the many we have talked about, there are still fundamental changes that need to take place in order to better protect hospitals, data, and internet-connected medical devices.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.

To submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”

How to Contact the Author

We appreciate your input and questions about this book! Email me at [email protected].

Part I: Defining the Challenge

If we step back and look at the big picture related to insecure internet-connected medical devices, the concerns are primarily around risks to healthcare organizations and risk to data. Fortunately, there have been very few deaths related to these insecure devices, but as adoption of internet-connected medical devices continues to rise, so will the associated risks. If COVID-19 has taught us one thing, it is that tragedy for some is an opportunity for others. From a cybersecurity perspective, it is important to understand who these actors are, what they are motivated by, and how we can stop, or at least reduce, the number and/or effectiveness of these attacks.

Before we can do this, it is extremely helpful to understand why poor security on internet-connected medical devices is such a challenge for IT and cybersecurity practitioners and why the devices have so many challenges to begin with. Looking at poor security as an origin story provides us with the context for understanding how to proceed. The world of IT, and especially internet-connected medical devices, is filled with a complex interrelation of social, technological, and economic challenges. It is important to understand this complex relationship if we are to devise a strategy for best protecting the devices, our hospitals, and the associated data.

As you read this first part of this book, keep the bigger picture in your head in order to more fully understand how we ended up where we are today. We have legal requirements that are not always followed by manufacturers, which creates both challenges and victories for protecting our healthcare, our data, and occasionally our lives.

CHAPTER 1: The Darker Side of High Demand

The road to Hell is paved with good intentions.

—Henry G. Bohn, A Handbook of Proverbs, 1855

“First, do no harm” is attributed to the ancient Greek physician Hippocrates. It is part of the Hippocratic oath. The reality is that every day, doctors and hospitals need to make decisions about how to best help patients under the existing conditions. If doctors need to operate, they may harm the patient by making an incision—sometimes to save a patient's life. This is a calculated and acceptable harm from a moral perspective.

What isn't always as obvious to hospitals is the harm introduced by using an internet-connected medical device. In many cases, such as in hospitals, the doctors may have limited input about which devices are chosen for their environment. These devices have critical medical value not only for the hospital or doctor's office, but also from the patient's point of view. They are at the forefront of today's medical transformations. Often the harm that is introduced is unknown, unseen, or downplayed—if it is assessed at all.

This chapter explores, at a high level, the state of internet-connected medical devices and how those devices are impacting hospitals and unfortunately, and indirectly, human life. More importantly, this chapter covers the overall trends related to hospitals, partially as a result of internet-connected medical devices and how businesses evolved to the state they are in today. First, we need to understand the risks that internet-connected medical devices pose.

Connected Medical Device Risks

What exactly are the risks related to internet-connected medical devices? The hit TV show Homeland popularized the idea of an attacker assassinating someone by taking over a pacemaker. While this is not beyond the realm of possibility, the most common forms of attack utilizing internet-connected medical devices are ransomware and distributed denial of service attacks (DDOS).1 In the former case, the attacker takes over a system (often with malware, but sometimes with a password) and prevents (often through the use of encryption) the end user from using the system. In the latter case, the attacker will own the device and use it to attack other sites.

Ransomware

Ransomware is essentially software that prevents systems from running. Criminals require that the owners pay to be able to gain access to their own systems. Imagine you had pictures of your family on your home computer and you could no longer access them unless you paid a fee. Now imagine critical medical systems rendered inoperable instead of family pictures. To make matters worse, once attackers are inside of systems, they often leave behind a way to gain access to them over and over again—meaning they are more susceptible to future attacks. This trend has only increased in the time of COVID. Obviously, the attackers do not care about the lives of others enough to not do the attacks.

Ransomware has been evolving tremendously over the last few years, and the number of the ransom demands has gone up significantly from a few years ago. In 2019 alone, 764 healthcare providers in the United States were hit with ransomware.2 One might be tempted to think that the attackers would not go after hospitals in a time of a global pandemic, but while this is the case for some attackers, the reality is that ransomware attacks are on the rise since COVID-19 hit.3 What is worse is that while ransom demands used to be a few hundred dollars, now they are growing and are often more than a million dollars. With so much to gain, it is no wonder that ransomware demands are on the rise. Clearly, hospitals have a great deal of risk related to ransomware.

The effect that ransomware has had on hospitals is crippling. The attackers are well aware that COVID-19 has severely stretched the resources at hospitals. They know that this is a life-and-death situation, which makes hospitals even more likely to pay the ransom,4 especially the smaller hospitals that may not have as mature an IT and/or security program in place to protect their environments from the ravages of ransomware.5 Essentially, they are easier targets. Sadly, even larger, more mature organizations are susceptible to ransomware attacks, but can sometimes respond to them more effectively.

September 10, 2020, unfortunately marks a grim milestone for ransomware—the first indirect death. A patient was rerouted from Duesseldorf University Hospital in Germany as 30 of its internal servers were hit with ransomware. As a result of the subsequent delay getting the much-needed medical treatment, the patient died.6 This particular attack was aimed at Heinrich Heine University and mistakenly hit the hospital because it is part of the same network. In this case, the perpetrators provided the keys to decrypt the systems and withdrew their extortion demands, but despite that, the hospital's systems were disrupted for a week.7

That was not the only death associated with ransomware in September 2020, unfortunately. Universal Health Services (UHS) was hit with a massive ransomware attack. UHS is a Fortune 500 company with more than 400 healthcare facilities in the U.S. and the UK. It provides services to more than 3 million patients yearly. In many cases whole hospitals were shut down and services were rerouted to other hospitals. Because of this rerouting of services, four people died.8 With the frequency of ransomware growing, these kinds of problems will not only continue, but will likely become worse before they get better.

It is important to note that medical devices are not the only avenue for ransomware attacks, but they are, arguably, the most egregious vector due to the gaps in their fundamental security, inability to patch cybersecurity flaws in some circumstances, and the volume of problems they have—especially in the long run. One report shows that malware against internet-connected devices (not just medical devices) is up 50% from 2019.9 That being said, they are a unique avenue due to the kinds of flaws they have. For example, the range of flaws in today's internet-connected medical devices is staggering. Take medical imaging devices: 70% of the devices are based on retired operating systems or systems that are under limited support.10 The potential for vulnerabilities is extremely high. In many cases internet-connected medical devices run on Windows XP, which is no longer supported. New vulnerabilities continue to be found—many of which allow complete compromise of the whole system. Associated with a compromised system is a whole host of risks, including everything from the system not functioning to data being exfiltrated. Either way, these are risks to both patients and to hospitals.

Now let us think about connectivity. Today's world is also much more connected than ever before. Many systems connect back to something referred to as “the cloud.” While I will go into greater depth in later chapters about the cloud, it should be noted here that the cloud aggregates and correlates data in one location. It also comes with a whole new set of risks that adds an extra layer of complexity for IT and cybersecurity teams.

Let's take a ransom in another direction—from a personal perspective. If you had a pacemaker, what would you be willing to pay to save your own life if someone threatened you with turning off the pacemaker? If attackers do not care about the lives of multiple people, they will not care about the life of one person. Attackers typically go for the easiest targets that offer the most reward. If they started targeting the rich who had internet-connected medical implants, that could be a lucrative route going forward. Of course this is not as lucrative as having a hospital pay a ransom.

Risks to Data

What does not often come to mind is the data risk related to internet-connected medical devices. Data can be as potentially deadly a risk as any device. An insulin pump that received the wrong amount of information can potentially kill someone with diabetes. A number of events can cause errors—everything from human error to machine flaws. This too deserves a much deeper dive as the data is far more interconnected than at any point in history, and that interconnection is only going to accelerate with the advent of new internet-connected medical devices.

Some risks are due to existing flaws in medical devices combined with the desire for people to have a better quality of life. For example, diabetics have hacked their own pumps to achieve innovation the manufacturers have not. While many of the devices have been recalled, people have been hurt by insulin overdoses as a result of hacking their own devices.11 Keep in mind that this was with commercial-grade systems that were attacked. These are not systems purchased off the black market.

Not everyone opts for commercially viable solutions. The cost associated with some of these solutions is too high for many to afford. As a result, they go through alternative sources that may not have the strict quality control that the commercial world has. In some cases, unknowingly, people will work with devices that are actually from the black market, such as insulin pumps that may be even less secure because they are not subject to the stronger regulation that exists today.12

While ransomware is taking the spotlight as of late, a host of other attacks are related to internet-connected medical devices. These will be described in greater detail in Chapter 8, but suffice it to say that numerous attacks can be leveraged, many of which could be avoided with sufficient cybersecurity practices. In many of these attacks, the attacker could have complete control of the data on the device. A few of the attacks against connected medical devices are listed in Figure 1-1, but this is far from a complete list. The lesson here is that quite often the vulnerabilities that can physically harm someone can also be leveraged to steal data. Data theft, by far, is much more common than the physical harm that could occur as a result of the internet connection. The stark difference is that the harm of data theft may or may not be known.

Figure 1-1: Example types of attacks against internet-connected medical devices

The vulnerabilities related to internet-connected medical devices are having an impact on organizations, and these weaknesses are not just trivialities. Nuspire, a managed security services provider, put out a few interesting statistics. The first statistic is that “18% of medical devices were affected by malware or ransomware in the last 18 months.”13 That is not a small number. Roughly 1 out of 5 devices have been affected by malware. If there is an average of 15 devices around a patient, roughly 3 of them have the possibility of being infected. Further, that malware can often be used to infect other devices. The other statistic that Nuspire mentioned was that “89% of health care organizations have suffered from an IoMT Related Security Breach.” IoMT is short for internet of medical things. For our purposes, think of IoMT as internet-connected medical devices. That alone is another concerning statistic. It means that the connected medical devices are a serious concern for healthcare organizations. It makes protecting these critical organizations all the more difficult.

If risks to human life are on one end of the spectrum, the other end of the spectrum relates to data risks. Healthcare data is one of the most sought-after data types on the internet. Security reports over the years have shown the value of a healthcare record to be worth anywhere from $10 to $1,000. By contrast, the typical credit card is worth only a few dollars. The reason is that most credit card companies have robust fraud departments that stop fraudulent transactions relatively quickly. After one or more transactions, the card is usually cut off. This is not typically true for health records. The process of detecting problems can take much more time.

From a patient perspective, the associated fraud can be a painful and lengthy road to deal with. Advisory Board, a leader in the healthcare advisory space, had an article that illustrated this quite clearly. A patient's identity was stolen, and the result was $20,000 worth of medical procedures that the victim was responsible for. It kept up over billing cycles, and the perpetrator was eventually caught and jailed, but there are still serious questions about the integrity of the victim's medical files.14 Imagine what that can do to the victim. There may be conflicting information about the health information contained in many hospital records. In a worst-case scenario, this can be life threatening.

From a hospital's perspective, it means that they can lose a great deal, too. They can perform procedures essentially for free because they performed surgery on a misauthorized individual. The victims also have a great deal to do because they have to work through the fraud with the hospitals and the insurance companies—through no fault of their own. Health and Human Services, in conjunction with the Office of the Inspector General, put out a report citing they won or negotiated $2.6 billion in fraud adjustments in 2019. There were 1,060 new criminal investigations in 2019.15 Undoubtedly the numbers are much higher if you consider the cases that were thrown out or were never detected. It takes constant vigilance to detect fraud cases.

The protection of the data related to medical records is absolutely critical. We have only touched the tip of the iceberg in finding all the different forces that tie into the safety of information. It is such a complex web of interrelated societal forces that it needs to be explored more fully to ultimately understand the ripple effect from a few vulnerabilities in connected medical devices and how everything is related to Medicine 2.0—the type of next-generation healthcare we are entering into now.16

Escalating Demand

The radical transformation in healthcare over the last few years has roots on a few different levels. One of the key drivers is to reduce healthcare costs, which have been escalating. One avenue of that change was the Patient Protection and Accountable Care Act (PPACA), which President Obama signed into law in March 2010. There were a few key provisions within this bill. The first provision was to create a Patient-Centered Outcomes Research Institute (PCORI), which would compare clinical effectiveness of medical treatments. The goal was to help the healthcare profession determine the most effective strategy for providing treatments. The second provision was a penalty that prohibited payments to states for hospital-acquired infections. Other provisions included reduced payments for hospital readmissions.17

As a result, hospitals were more incentivized to stay clean and to improve what they were doing—not just in the cleanliness, but how care would be administered. This required rethinking many of the processes, changing hospitals' approach to technology, and catching medical issues more proactively than reactively. It would involve rethinking how they currently approach treatment and becoming more proactive. It would also involve the use of more connected technology and devices to treat and monitor patients, not just when they come to doctors' offices, but also remotely so conditions could be detected prior to onset of a more serious illness. America needed to revolutionize its way of caring for patients. Doctors would have to rely on a new generation of medical devices for their transformation effort—devices that would be internet connected to provide real-time capabilities or more real-time capabilities than they already do.

America responded as it always does by being innovative and thoughtful about the approach to help the medical community achieve its goals. The new generation of medical devices not only met the goals needed by physicians, but it jump-started continual changes in the technology. These new devices helped to lower per-patient costs, improve efficiency, provide better response care, offer greater convenience, and provide a better overall patient experience. In short, the existing value we are getting from medical devices will fuel the desire for more medical devices. But let us look at these positives, because within the desire for positive changes lie the seeds of the challenges related to the security of internet-connected medical devices.

Types of Internet-Connected Medical Devices

If we step back in time a hundred years, there were only a small number of electronic medical machines. They were bulky, crude, and not able to store or send information. Everything had to be done by hand. By modern standards, this is painstakingly slow and inefficient. Now we have streamlined systems that not only can alert, but also help with centralization of alerts, meaning that, for example, a nurse does not have to be in physical proximity to a patient and/or device to be aware of a potential problem. While not everything connects together harmoniously, many devices are centralized to create alerts. In a hospital setting this is particularly important because a nurse does not have to hear an alarm from the physical machine in order to know there is an issue with a patient. A random walkthrough of the environment is not required. Nurses can be more focused on patients. Not only that, but patients who need long-term monitoring and want freedom from being at a hospital can get the care they need thanks to remote monitoring. This means the patient has a better quality of life.

Four types of medical monitoring devices are important to consider—wearable, on the skin, ingestible, and implanted. Some of these are sensory in nature, which means they can collect information or detect problems and relay them back to a centralized information source and potentially provide an alert. They are electronic in nature and can have a variety of follow-on actions such as alerting emergency medical systems.

Other systems are more protective and can respond, in a limited way, to the environment. These are referred to as smart systems. A good example of this is implanted insulin-releasing needles. If the blood sugar levels are off, the smart system can release the appropriate level of insulin to best protect the patient. In some cases, this can literally transform the lives of those who are diabetic, making it possible for them to have near-normal lives.

With these kinds of transformations, you can imagine that the demand is very high from the patient. From the hospital's perspective, they can do more with less staff than ever before. The automated alerts mean that they do not necessarily need around-the-clock care watching over the patients if they are not in the hospital. This reduces cost for the hospital and the patient, so all-in-all this is a win-win situation.

COVID-19 Trending Influences

COVID-19 has only accelerated some of the existing trends in the market. For example, prior to the pandemic, telehealth utilization for Medicare patients was roughly 0.1%. By April 2020, visits were up to 43.5%. Some of the changes were due to relaxing the regulations around telemedicine—partially in response to consumer demand.18 The Center for Medicaid and Medicare Services (CMS) made some significant changes. Since then, it has added some 135 services to be permitted via telehealth.19  What is more eye-opening is that doctors can treat patients by phone or radio.20 

What sometimes goes hand-in-hand with telehealth is the need for in-home testing. It helps to limit exposure from people who may have COVID-19 and in some cases lower transportation costs for hospitals that may previously have been inclined to move the patient for testing purposes. Many healthcare organizations were offering this as a service, but the trend has been accelerated by the pandemic.21

By the Numbers

What is more staggering than the technological trends themselves is just how pervasive those trends are. More than 430 million internet-connected medical devices have already been shipped worldwide.22 Presently, the compound annual growth rate (CAGR) of internet-connected medical devices is 25%, and that is expected through at least 2023.23 The data is not out yet, but COVID-19 is expected to accelerate some of those trends as hospitals and doctors' offices are experiencing pressure to not only be remote, but often are expected to do more with less. Let's take a look at those trends. A Zingbox survey stated that there are an estimated 10 to 15 internet-connected medical devices per patient bed. By itself that is staggering and a statistic worth remembering as we dig further into the issues related to these devices.24

What many people do not realize is how often healthcare companies are the target of attacks. That trend is only increasing. The HIPAA Journal published some fantastic statistics for the United States. For example, between 2009 and 2019 for breaches larger than 500 records, there have been more than 3,000 healthcare data breaches. Figure 1-2 shows a chart they published detailing the number of healthcare data breaches that occurred in those years.

Figure 1-2: Number of healthcare data breaches of 500 or more records

While 510 cases may not seem like a lot, healthcare organizations are one of the most attacked verticals. One survey demonstrated that over a two-year period, 89% of healthcare organizations suffered a data breach. Another source that echoes that information is the Verizon Data Breach Investigations report. It has one of the largest data sets available and covers global rather than local numbers. Verizon's 2020 Data Breach Investigations Report showed 521 breaches in 2019 versus only 304 breaches in the previous year.25 So the issue with healthcare being one of the most attacked sectors is not just a local United States problem, but a global problem.

The problems are only growing worse as a result of COVID-19. Along with COVID-19 are some trends that are changing the technology landscape comprising medical care. Some key considerations are telehealth, home healthcare, and remote patient monitoring—many of which are tied to internet-connected medical devices. Each of these technologies has its own set of challenges and cybersecurity risks that correspond to those challenges. Let's briefly take a look at some of these trends.

Telehealth

Telehealth is essentially providing medical services remotely. It is important in this context as medical devices are often used to enable remote communication. What is interesting to note is that access to telehealth is dependent, in part, on income. The pandemic has proven the “generalizability of telehealth,” the CMIO of NYU Langone Health stated, where virtual visits have skyrocketed since COVID-19 lockdown measures have been in place. Meanwhile, HHS recently awarded $20 million to increase telehealth access.26 This, along with the pandemic, is only going to accelerate the demand for telehealth.

Home Healthcare

The growth of home healthcare is staggering. It is estimated that it will grow more than 18%.27 Presently, there are roughly 1.4 million people employed in home healthcare services.28  2015 was the first year that more money was spent. The global home healthcare market size was valued at USD 281.8 billion in 2019 and is expected to grow at a compound annual growth rate of 7.9% from 2020 to 2027. Population aging around the world and increased patient preference for value-based healthcare are anticipated to fuel market growth. According to the World Health Organization (WHO), there were 703 million persons aged 65 years or over in the world in 2019. The number of older persons is projected to double to 1.5 billion by 2050. The aging population demands more patient-centric healthcare services, which in return increases the demand for healthcare workers and agencies and is anticipated to drive market growth.29 

Remote Patient Monitoring

Remote patient monitoring is critical for today's world. The best way to do that is with biosensors. Presently there is an 8% CAGR for biosensors, and the total market is expected to be over $29 billion by 2024.30 The demand for sensors of various kinds will be growing. COVID-19 has already accelerated that trend.

From a numbers perspective alone, it is clear that connected medical devices are not going away. They provide too much value for patients and institutions. All that said, having more devices that are less secure than they should be is creating more opportunities for hackers. Some of the problems are due to more records being digitized as part of the Affordable Care Act, but connected medical devices are most certainly a major concern for organizations.

The Road to High Risk

The key foundation for commerce is trust—trust in the exchange of money and/or goods and services. Without trust, trade becomes riskier and less likely to happen. A thousand years ago you could touch, feel, see, and work with products. Today, in the IT world, we test products, read reviews, talk to peers, and so on. We install them, ensure the functionality, and do what we can to see if they work.

What is sometimes difficult to tell is how secure the product is. I once worked with a piece of software designed to examine security requirements. It did not meet many of the requirements it was examining in other products. While this may seem very rudimentary, it is not that uncommon for vendors not to do as they ask others to do. One famous case where this happened was a company formerly known as Bit9—a company that provides security protection software. They were hacked, but they did not use their own software to protect their environment. If they had, they would not have been hacked.31

What may be surprising to some of you is that some medical devices are built with old or outdated operating systems.32 What this means is the systems are full of weaknesses (called vulnerabilities in the security world) that can be exploited by hackers. The vulnerabilities are often so severe that the entire system can be compromised. Every shred of data related to the system can also be compromised. What is worse, that system can then be used to compromise other systems in a hospital. The fact that so many systems have severe vulnerabilities compounds the problems of security practitioners trying to protect the hospitals in the first place.

To make matters worse, in many cases the interface to the machine completely obfuscates the operating system, making it difficult to assess the underlying technology. The manufacturer can also add security on the front end of the medical devices, making it seem as though the security is high. For example, some systems will provide strong password requirements such as long password length, complexity, password rotation, and so on, making it seem as though the system is built securely. That aspect of the system may be relatively secure, but not necessarily the rest of the product.

Many of you may be thinking that this is an old issue and that operating systems are usually up to date. The hard reality is that these outdated operating systems are almost par for the course when it comes to internet-connected medical devices. Recently Palo Alto Networks put out a report demonstrating that 83% of medical imaging devices had operating systems that could not be updated.33 This is very serious as it means those operating systems have vulnerabilities that were not previously known and they cannot be remediated. From a hacker's perspective, these internet-connected medical devices are a metaphorical gold mine—not only because they have data, but also because they are relatively easy to hack—often allowing hackers to jump from one system to another within an organization.

This very same idea can be applied to other internet-connected medical devices that do not utilize a full operating system. In those cases, the system has a very small operating system known as firmware. On a personal computer, firmware can be updated very easily, but devices that are very small with firmware only may or may not be updatable—cybersecurity patches cannot be applied. In some cases, what is included is unalterable. The unalterable nature of the device is referred to as hardcoded. This is where passwords are hardcoded into some of the devices.

Processors are another avenue of attack. In January 2018, two new processor vulnerabilities, Spectre and Meltdown, hit the news and security staff across the world like a ton of bricks. They uncovered, and subsequently demonstrated, flaws in the way that motherboards were designed over the last few decades. As a result of the motherboard flaws, operating systems could be compromised in ways that previously the hardware would have provided some protection. Ultimately, if an attacker had access to a system, data could be exposed by the combination of the two vulnerabilities (of which there are three variations). For Meltdown, an attacker gains access to data they normally shouldn't see by “melting” the division of protected memory normally enforced by hardware. Spectre, on the other hand, is about making a system reveal data that it should not reveal to the attacker.34 

Both Spectre and Meltdown are examples of what were zero-day vulnerabilities—flaws that, at the time, were publicly known but were too new to have a remediation. Hardware (such as motherboards), operating systems, and internet-connected medical devices are all prone to zero-day vulnerabilities. They are the bane of IT and security practitioners alike. They are the kind of situation that, due to the severity of the vulnerability, requires companies to perform out-of-band patching (also called emergency patching), which can seriously disrupt the schedule of the IT department. While some zero-day vulnerabilities are of little consequence, many are much more serious—as Spectre and Meltdown were.

But why do we have these challenges with internet-connected medical devices to begin with? An incomplete and simplistic perspective might be to say that the dollar is king, security costs money, and therefore it is not done until companies are pushed into it. The reality is far more complex than that.

If we step back in time a decade for the purposes of looking at internet-connected medical device security, there were no regulations concerning their construction—very little regulatory oversight. In theory they had to meet HIPAA requirements, but many connected medical device companies did not always adhere to those—not by a long shot. Quite often these companies were not even striving to meet HIPAA requirements. The features and functions of the devices were the key capabilities they had to focus on—not security capabilities.

What makes matters worse is that not every company is validating the security or making security the priority when purchasing a medical device. Think of it this way: If you are looking at a half-million-dollar piece of medical equipment and one company has a product that the doctors find far better than other pieces of equipment and has a better chance of saving lives, versus another product that may not save as many lives but may be a little more secure, which product do you buy? Many companies would want to purchase the product that would save more lives. It is almost common sense when weighing one concern versus another. Many hospitals would not give security a second look. Further, if you have only one or two devices that are connected, it is easy to overlook the one insecure exception in your environment. This is the way medical equipment was for decades as internet-connected medical devices first made their appearance. Keep in mind that when this started taking place, connected medical devices were not commonplace and security was not as large of a priority as it is today. Context is everything.

Another challenge is that hospitals are sometimes faced with two products with poor security (or sometimes even one product with poor security). In these situations, hospitals need to choose a product and simultaneously make the hospital less secure. In those situations, you kind of have to live with an imperfect decision of having an insecure device or decide not to help people. For most, not helping people is unthinkable for very good reasons.

Innovate or Die

Peter Drucker, considered the father of modern management techniques, popularized (or perhaps originated) the phrase “Innovate or die.”35 What he was referring to was that companies needed to stay ahead of the pace of change from a market perspective or face obsolescence. In business today that means continually changing and updating your products to ensure marketability. As a former salesperson myself, if a competitor has an innovation you lack, that could be enough to give them the competitive edge to stay in business. Innovation is here to stay.

Perhaps the most poignant example of this is Blockbuster Entertainment Inc., more commonly known as Blockbuster. It had a brilliant business model in the 1990s. It offered a very convenient way to rent movies, video games, and so on, but it did not innovate. Blockbuster held the philosophy that people enjoyed going to a store to rent movies. They did not anticipate that people would prefer the advantages that a modern streaming service offers people. That philosophy was its undoing, and now it is out of business. The world is full of examples where this is true. For instance, Polaroid, Compaq, Borders, Tower Records, Atari, Kodak, and Xerox were all big, recognizable names 20 years ago. But the reality is, they did not innovate with the times and thus suffered or went out of business as a result. So, too, is that true for medical device companies.

Numerous studies have been done on the companies that have survived for decades or longer. The number-one trait that all of the companies share in common is adaptability—a willingness to change with the times. What is interesting to note is that this “innovate or die” attitude has taken on another life in Silicon Valley. At this point it is well known for both its innovation and its technology disruption. Deloitte stated it best: “More than one-third of the 141 companies in the Americas, Europe, and Asia Pacific that grew to a valuation of greater than $1 billion between 2010 and 2015 were located in the Bay Area.”36 CEOs and entrepreneurs know this. While there are countless keys to success, part of the success criteria is to make companies more agile by shortening the time to market. Indeed, many companies have had to shift their overarching philosophy. Large companies used to take the time to create products that were fully ready for the market. Billions of dollars were lost this way as a result of smaller, more agile, more innovative companies creating something more quickly. The old ways of doing business simply do not apply anymore.

In short, innovation is not just a random concept that is haphazardly thrown into business. It is the basis for business models. Companies are shaped around this philosophy and are quite often far more successful than they were as a result of the transformations that go along with the desire to innovate. As you can imagine, the pressure to innovate is a very strong driving force in companies today. If we look back at the CEOs who were responsible for the downturn (and sometimes demise) of companies, they were under very harsh criticism for not turning companies around or losing business due to lack of innovation. This kind of pressure leads people and thus companies to make decisions that do not always have security in mind.

This kind of pressure also affects medical device manufacturers—so much so that there is a new name for the medicine coming out of connected medical devices: Medicine 2.0. Medicine 2.0 utilizes digital diagnostic capabilities, including wireless devices, mobile health solutions, data, smartphone apps, wearable devices, and remote monitoring. Other technologies such as cloud and artificial intelligence allow for greater innovation and more rewards for both the medical industry and the patient. These technologies are only accelerating as the pace of innovation changes and grows.37

Imagine what kind of pressure CEOs, product marketers, etc., face when creating products. Where does security fit in in this kind of world? Is it surprising that there are as many vulnerabilities in products that we are seeing today? The sad answer is no, and this is for multiple reasons. If we sidestep to nonconnected devices for a brief minute, the Associated Press reported that since 2008, medical devices for pain have caused more than 80,000 deaths—and this is a 2018 statistic.38 The same Associated Press article talked about how little testing there is for those pain stimulators. That article was fair in that it pointed out that there are more than 190,000 devices on the market and very rarely do they need to pull devices. Yes, occasionally things get through that are bad, but the system is working remarkably well in the FDA's estimation.39 The central point here is that despite having processes in place, those processes are far from perfect and could use greater transparency so we as consumers can make better decisions.

To that point, Kaiser Health News (KHN) did a fantastic report in late 2019 about patient deaths related to heart devices. In this case, the report discussed more than 5,800 deaths reported about the Medtronic heart valve since 2014. The FDA made it sound as though the deaths were related to the heart valve. As it turns out, the FDA was not as transparent as it could have been about the deaths. KHN reported that many of the deaths were due to how fragile the people were who were receiving the heart valve and not related to the heart valve itself. Many of the device injury reports were kept effectively hidden from the public. Even safety experts were not aware of the problems.40 What this does point to is that we do not have enough information to make a strong judgment call about the risks pertaining to internet-connected medical devices in all cases.

There is the obvious feature and hardware side of things when it comes to connected medical devices, but the more important part from this perspective is the software that is written in and around medical devices. As the business world must evolve or die, so must software live within those paradigms. To that end, software security has often taken a back seat compared to other disciplines. There is an old joke that has evolved since 1997 about how unstable Windows is and comparing its operability to that of a car.41 The joke is much more involved, but it does serve to illustrate the problems with software development even back then—not just from a security standpoint, but an overall operability standpoint.

Automobile engineers have to have high safety standards. People can die as a result of a car's brakes not working (for example). With software it is historically acceptable to have flaws because, generally speaking, lives are not on the line. The discipline never developed the kind of rigor typically found in automobile engineering. Software coding is more art than science in many cases because there can be numerous ways of obtaining an objective. The end result is systems that are riddled with vulnerabilities. Windows 10, at the time of this writing, has 1,111 known vulnerabilities.42 The more complex a system is, the more likely there will be risks associated with those vulnerabilities.

What is almost as concerning as the number of vulnerabilities is how we got here. In 2016, Global Newswire published the results of a CloudPassage study of United States’ universities failing at cybersecurity. The key findings brought out by the study may be jaw dropping for the uninitiated, but not surprising for those in the cybersecurity profession. The most startling finding was the almost complete lack of security required by computer science programs for graduation. Of the top 36 Computer Science Programs (according to U.S. News and World Report) only one had a required cybersecurity course. According to Business Insider's top 50 list, there were only three programs that required cybersecurity to graduate.43

When it comes to cybersecurity, quite often universities are not the place to get that education. People walk out of school barely cybersecurity literate, but eager to start building IT systems. How secure do you think those systems will be if no one educates them on how to build secure systems? While there are certainly exceptions and companies have degree programs in cybersecurity, it does show the extreme deficit about the methods for protecting organizations. People who are interested in cybersecurity either need to learn on the job, go to a very specialized school, or go get cybersecurity certifications.

From a software development perspective, organizations need to supplement the understanding of the workers to get on board. Further, the lack of cybersecurity education helps to contribute to a lack of understanding of cybersecurity within organizations. That, in turn, affects the culture of the organization and ultimately the cybersecurity posture within organizations. Only companies with strong regulatory requirements or that have gone through a breach feel that they need a team to get them up to speed. Some of the requirements of cybersecurity may even appear bizarre due to cybersecurity illiteracy.

We could stop here, but the story is really more complex than that. Todd Fitzgerald, in his book CISO Compass, brilliantly lays out the course of cybersecurity over the last 30 years. He points out that from the 1990s to 2000 security was seen as an IT problem—basically login security, passwords, antivirus, and the firewall. From 2000 to 2004 we started to see more regulatory security practitioners as the regulations began kicking in, so there was an emphasis on the regulatory landscape. From 2004 to 2008, there was a turn toward a more risk-oriented approach to doing information security, and from 2008 to 2016 the move was more toward understanding the threats and toward understanding the cloud. After 2016, the move was to privacy and data awareness as another aspect of security evolution.44

Having worked in IT and security for roughly 25 years, I have seen firsthand the evolution that Todd Fitzgerald is talking about. All of these are extremely valuable insights that demonstrate the growth and change within the information security landscape. Given that company culture can take up to five years to make changes45