
By ECRI
It’s a nightmare scenario for hospital administrators and health technology managers: A ransomware attack locks the facility’s data, disabling information systems and disrupting hospital operations. Successful cyber attacks can have far-reaching effects on patient care and staggering financial impacts. Avoiding that scenario (and preventing sleepless nights) requires a robust cybersecurity program. ECRI explored a sometimes overlooked security risk vector – third-party software components that are incorporated into medical devices – as topic No. 7 on its list of the Top 10 Health Technology Hazards for 2021.
Any device that is networked or that processes protected health information (PHI) poses a cybersecurity risk to a health care organization. Ransomware programs and other forms of malware infiltrate a network and propagate through connected devices and systems to wreak havoc, often by encrypting data, disabling user access or otherwise compromising software and IT assets.
Medical devices are not immune to such attacks. If security vulnerabilities in these devices are not properly managed, the devices can provide an entry point for malware to infect other assets on the network or could themselves become the source of a safety concern or data breach. In just the past year, ECRI has published more than 50 alerts detailing known security vulnerabilities with specific types, makes, or models of medical devices. Preventing security issues like those from affecting hospital operations requires identifying vulnerabilities on the devices at your facility and then taking steps to eliminate the vulnerability, if possible, or to minimize the risk that it will be exploited in a manner that could cause harm.
An added challenge with medical devices is that many include software components from sources other than the medical device manufacturer. Think operating systems (e.g., Windows), network drivers within a device, or other off-the-shelf software components. “Those components may not be well identified by the device manufacturer,” explains Chad Waters, a senior security engineer in ECRI’s device evaluation group. “That makes it hard for facilities to know which of their devices could be affected by a known software vulnerability.”
In recent years, vulnerabilities like Urgent11, Ripple20, and SweynTooth, to name a few, have impacted a wide range of medical devices, including physiologic monitoring systems, infusion pumps, and cardiac monitors. Health care organizations also have had to contend with several Microsoft operating system vulnerabilities, including those associated with the end of support for Windows 7. (Software that has reached its end-of-support date poses a particular concern.)
For health care facilities, remediating such vulnerabilities is a mission-critical activity – but one replete with obstacles.
Roadblocks to Remediation
As third-party software vulnerabilities are disclosed, it can be a challenge for health care facilities to identify affected devices and remediate them in a timely manner. As noted, vendors may not specify the third-party software components that are incorporated into their devices. But even when such information is provided, health care facilities may not have easily accessible records of which of their devices include specific third-party software.
Additionally, health care facilities require information from the medical device vendor before they can remedy a vulnerability. For various reasons though, information from vendors may be slow in coming. For instance, the vendor will need to audit its product lines to identify devices that incorporate the affected software, and then assess the impact of the vulnerability on its products. It will need to validate any third-party patches for addressing the vulnerability, which involves verifying that the patch does not adversely affect the function of the medical device. And it will need to develop recommendations for remediating the problem and communicate this information to all affected customers. “That process can take time,” advises ECRI’s Waters. “But it’s important to wait for the vendor to complete its process.”
In addition, health care organizations face practical challenges associated with applying the mitigation in a clinical environment. For example, the affected equipment might be in continuous patient use or delivering life-sustaining therapy. Furthermore, updates may require hands-on access to each device (as opposed to being implemented centrally), requiring time and staffing resources that may be in short supply. And some medical devices may require the support of a field service engineer or application specialist to apply any security update or patch.
A software vulnerability that is not remedied could allow a medical device to be compromised, which could lead to a degradation or disruption of patient care by causing a device to malfunction or become unavailable. It could even trigger a system-wide security incident (e.g., a ransomware outage). Or there could be a data breach that compromises the security of PHI.
ECRI Recommendations
ECRI outlines three key activities for addressing third-party software vulnerabilities in medical devices:
1. Assess a medical device supplier’s ability to manage the software on its devices. For instance, ask whether the vendor maintains an inventory of the third-party software built into its devices. This may take the form of a Software Bill of Materials (SBOM), which is an “ingredients list” of software components that are incorporated into a product. Also ask about the vendor’s vulnerability disclosure procedures, and how the company communicates issues with its customers.
2. Obtain security information for the devices in inventory. The vendor’s Manufacturer Disclosure Statement for Medical Device Security (MDS2) form for the device will provide much of the information you need. ECRI recommends requesting the 2019 version of this standardized form, which incorporates much more information than previous editions. An SBOM, if available, would also be useful, as would details about the operating system (including whether it is nearing its end-of-support date).
“SBOMs for medical devices are becoming more commonly available,” an encouraging sign that “we’re moving away from medical devices being treated as black boxes,” notes ECRI’s Waters. “Health care is leading the way in efforts to promote software transparency.” Such transparency will help health care organizations counter growing cyber threats.
3. Use appropriate tools to store and retrieve device security information. Be sure to record medical device security information in an appropriate inventory management system, such as a computerized maintenance management system (CMMS) or other system that can be accessed by both clinical engineering and IT personnel. Facilities may also want to investigate whether an Internet of medical things (IoMT) security solution would prove useful. These solutions discover and identify medical devices that are on your network and, to varying degrees, can identify operating systems.
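The three activities above come together when a new third-party vulnerability is disclosed: the facility needs to answer, from its own inventory records, which devices carry the affected component, which devices run an operating system past its end-of-support date, and which devices it simply cannot assess because the vendor supplied no component list. The following script is an added example, not ECRI's code or any CMMS vendor's product; it models a minimal inventory with per-device SBOM entries and cross-references it against advisory records. All device records, component names, advisory identifiers and end-of-support dates are constructed for the example, and the version-comparison rule (numeric tuples, affected if below the first fixed release) is an assumption that a real program would replace with the vendor's own affected-version statement.

```python
"""Cross-reference an SBOM-enriched device inventory against vulnerability advisories.

Added example (not ECRI's code). Every record below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple
import re


@dataclass
class Component:
    """One third-party software component as listed in a device's SBOM."""
    name: str
    version: str


@dataclass
class Device:
    """One inventory record, as a CMMS shared by clinical engineering and IT might hold it."""
    asset_tag: str
    model: str
    location: str
    os_name: str
    os_end_of_support: Optional[date]      # None when the facility has not obtained the date
    sbom: List[Component] = field(default_factory=list)   # empty when the vendor gave none


@dataclass
class Advisory:
    """A disclosed vulnerability in a named component, fixed from `fixed_in` onward."""
    advisory_id: str       # placeholder identifiers; not real advisory numbers
    component: str
    fixed_in: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.9.1' into (6, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """Assumed rule: same component name (case-insensitive) and version older than the fix."""
    if component.name.lower() != advisory.component.lower():
        return False
    return parse_version(component.version) < parse_version(advisory.fixed_in)


def affected_devices(inventory: List[Device], advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """List (asset_tag, advisory_id, component, version) for every SBOM entry an advisory matches."""
    hits = []
    for device in inventory:
        for component in device.sbom:
            for advisory in advisories:
                if is_affected(component, advisory):
                    hits.append((device.asset_tag, advisory.advisory_id, component.name, component.version))
    return hits


def past_end_of_support(inventory: List[Device], today: date) -> List[str]:
    """Asset tags whose recorded operating system end-of-support date has already passed."""
    return [d.asset_tag for d in inventory
            if d.os_end_of_support is not None and d.os_end_of_support <= today]


def unassessable_devices(inventory: List[Device]) -> List[str]:
    """Devices with no SBOM on file: their exposure is unknown, not absent, and they need vendor follow-up."""
    return [d.asset_tag for d in inventory if not d.sbom]


# Constructed inventory: three devices, one with no SBOM supplied by its vendor.
INVENTORY = [
    Device("BME-0001", "Physiologic monitor", "ICU", "Windows 7", date(2020, 1, 14),
           [Component("example-tcpip-stack", "6.6.0"), Component("example-ble-stack", "2.1")]),
    Device("BME-0002", "Infusion pump", "Med/Surg", "Embedded RTOS", None,
           [Component("example-tcpip-stack", "6.9.1")]),
    Device("BME-0003", "Cardiac monitor", "Cath lab", "Windows 10", date(2025, 10, 14), []),
]

# Constructed advisories with placeholder identifiers.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "example-tcpip-stack", "6.9.0"),
    Advisory("ADV-EXAMPLE-002", "example-ble-stack", "2.2"),
]


if __name__ == "__main__":
    as_of = date(2021, 2, 1)
    for tag, adv, comp, ver in affected_devices(INVENTORY, ADVISORIES):
        print(f"{tag}: {comp} {ver} affected by {adv}")
    print("Past OS end-of-support:", past_end_of_support(INVENTORY, as_of))
    print("No SBOM on file:", unassessable_devices(INVENTORY))
```

The third list is the one most easily forgotten: a device that returns no advisory match because its vendor never identified its components is not clean, it is unassessed, and the script keeps those separate so they can be raised with the supplier as part of the first recommendation above.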
This article is adapted from ECRI’s “Top 10 Health Technology Hazards for 2021” and related content, including ECRI’s February 2021 webcast “Top 10 Health Technology Hazards 2021: An In-Depth Look at Managing Medical Devices with COVID-19 Emergency Use Authorization.” Each year, ECRI produces its “Top 10 Health Technology Hazards” report to help hospitals direct their time and energy toward technology management activities that can have the greatest impact on patient safety. An executive brief version of the report is available for complimentary download at www.ecri.org/2021hazards. The full report, accessible to ECRI members, provides in-depth discussion of each hazard, including detailed steps that organizations can take to prevent adverse incidents. To learn more, contact ECRI at 610-825-6000, ext. 5891, or by email at clientservices@ecri.org.
