Medical device cyber security risks are essentially the same as for industrial control systems and still have gaps

Dec. 16, 2019
Medical device cyber threats, whether intentional or unintentional, are real and have injured and killed people. The magnitude of the issue cannot be minimized. Cyber securing medical devices is similar to securing industrial control systems. When it comes to device cyber security, it is imperative for each infrastructure to stop thinking they are unique and cannot learn from others. There is also a need for the device engineering organizations to be part of cyber security efforts.

I participated in the 2nd Medical Device Cyber Security Summit December 11-12 in San Francisco. As the medical device industry has not been my primary focus, it was a very interesting meeting. However, if you change the terminology such as “clinician” to “engineer”, the content and concerns of this Summit apply to all other sectors using control systems such as electric, water/wastewater, oil/gas, manufacturing (which can be medical devices), transportation, etc.

According to a note from the FDA, medical device cyber security has been an issue since 2013. I have been working on control system cyber security since 2000, when I helped start the control system cyber security program for the electric utilities as well as being the Managing Director of ISA99 - Automation and Control System Cyber Security (the ISA62443 series of standards). Consequently, this blog will address my observations from what occurred at the Summit as well as what this means based on my observations from other defense, industrial, and manufacturing organizations. As mentioned, much of what I heard was very similar with the change in nomenclature – clinicians in medical care versus engineers making the medical devices as well as designing and operating the control systems in other critical infrastructures. The same confusing definitions in industrial control system cyber security conferences also occurred here:

- What is Operational Technology (OT) – network security versus engineering/clinical personnel?

- What is an unintentional cyber incident versus a malicious cyber attack?

It should be noted that safety and cyber security are not the same. You can be cyber secure but still not be safe.

Greg Garcia, Executive Director of the Health Care Sector Coordinating Council, showed a slide stating that “health care cyber security is in critical condition”. This could be why Moody’s rates medical device cyber risk as medium to high. As with other sectors, there was no engineering management on the Health Sector Coordinating Council that included Medical Devices, Laboratories, and Pharmaceuticals, which are significant users of control systems. Additionally, as with all “control system” cyber security conferences I have attended, there was sparse attendance (none here) from the engineers and technicians who design, manufacture, and operate the control systems/medical devices. That is, even though the conference was billed as a medical device conference, the focus was on network security approaches such as patching and penetration testing rather than the security of the devices themselves. There was also a misunderstanding expressed that medical device cyber security is unique in that medical device cyber security can kill people. However, control system cyber incidents have killed more than 1,500 people while medical device cyber incidents have killed fewer than 10 (the Therac 25 X-ray imaging device software failures are one of the cases, and Cat Scan radiation issues have injured more than 350).

Technologically, medical device cyber security has similar issues to critical infrastructure control system cyber security such as:

- Dialysis machines use the same cyber vulnerable proprietary real time operating systems (RTOS) as industrial control systems (e.g., VxWorks and QNX). I identified RTOS cyber security issues as far back as 2001.

- Legacy systems with older, non-supported operating systems are common. An example was a $2 million MRI machine using Windows 2000. Legacy system issues are common with many (maybe even most) control system applications in almost all industries.

- Apache webservers were in some medical devices which the Idaho National Laboratory hacked in the 2004 time frame (this example is in my book – Protecting Industrial Control Systems from Electronic Threats).

- The time to detect medical device cyber issues is very long, just like control systems. In fact, cyber threats to devices, whether control system or medical, may never be detected as there are minimal to no cyber forensics at this level.

- The medical device manufacturing process uses industrial control systems, though there was no discussion about the cyber insecure devices used in the manufacturing process.

- As mentioned, just like industrial and manufacturing control system cyber incidents, medical device cyber incidents have killed and injured patients as well as impacted patient care.

Dr. Jeff Tilly from UC Davis Medical Center, who is a leader in the Medsec community, presented the following:

- Jeff has 100% trust in sensors. However, this can be a real problem, particularly with counterfeit transmitters (https://www.controlglobal.com/blogs/unfettered/the-ultimate-control-system-cyber-security-nightmare-using-process-transmitters-as-trojan-horses).

- Jeff also discussed the Therac 25 case though he didn’t call it cyber (the definition issue of what is a cyber incident).

- Default credentials are common in medical devices (just like control systems).

- Jeff went through an integrity attack scenario using Cat Scans to change data to confuse the clinician but did not address Cat Scan integrity compromises that could directly lead to excessive radiation.

- Like most engineering disciplines, there is a lack of cyber security training in medical schools.

- Like industrial control systems, simulators are now being used for training doctors on cyber attacks.

There were several additional items of importance:

- UC Berkeley reengineered security patches to understand the vulnerability of the devices without having access to the devices.

- Soundharya Nagasubramanian from Hillrom stated she did not address the likelihood in assessing cyber risk. That is, anticipate that an incident will happen. This is important as many organizations will use a small likelihood to reduce risk (risk is frequency multiplied by consequence). Other organizations need to adopt this approach.

- I was on a panel discussing cyber security frameworks. There are many frameworks to select from though the “framework” was not defined. The IEC62443 series of control system cyber security standards apply to control systems and medical devices and should be considered.

Medical device cyber threats, whether intentional or unintentional, are real and have injured and killed people. The magnitude of the issue cannot be minimized. As mentioned in https://www.controlglobal.com/blogs/unfettered/2019-energytechinformation-security-summit-conference-the-gap-between-itot-networking-and-domain-experts, a representative from the medical industry expressed concern they have more than 30,000 infusion pumps that are directly connected to the Internet with no cyber security or ability to directly secure them. Cyber securing medical devices is similar to securing industrial control systems. When it comes to device cyber security, it is imperative for each infrastructure to stop thinking they are unique and cannot learn from others. There is also a need for the device engineering organizations to be part of cyber security efforts. I encourage readers to follow my blog at http://www.controlglobal.com/unfettered

Joe Weiss