While ransomware attacks on hospitals and health systems are growing in sophistication, healthcare organisations are faced with one of their biggest cybersecurity challenges: defending older legacy medical devices against new cyber threats.
Legacy medical devices in current use by healthcare organisations were designed and manufactured long before the medtech industry was thinking critically about cybersecurity features. Many older medical devices in operation today – using outdated or insecure software, hardware and protocols – were not built with cyber protections in mind, leaving healthcare organisations vulnerable to attack and putting the reputation and financial stability of device companies at risk.
Despite the cybersecurity risks, the number of connected medical devices being used in hospital networks is rapidly increasing. Over the next decade, the number of connected medical devices – devices connected to the internet – is expected to increase from 10 billion to 50 billion, according to IBM.
Over the next decade, the number of connected medical devices is expected to increase from 10 billion to 50 billion.
"Stuff that's 10-15 years old really was never designed to be on a network," according to David Finn, executive vice president at cybersecurity consulting firm CynergisTek. "Anything that connects to the internet is going to be at risk."
Making matters worse, legacy devices are using operating systems such as Windows XP that Microsoft no longer supports with security patches and updates.
"That's 20 years old. But some of these large pieces of medical equipment can last that long and still function from a medical perspective just fine," acknowledged Zach Rothstein, AdvaMed's vice president for technology and regulatory affairs.
Internet of Things cybersecurity company Forescout, in a 2020 device security report, predicted that healthcare organisations will have to deal with medical devices running legacy operating systems for the foreseeable future.
"The percentage of devices running entirely unsupported [OS] versions has not changed, remaining constant at 0.4% (between 2019 and 2020). This includes now-obsolete Windows OSes like Windows XP and Windows Server 2003," the report notes, suggesting the legacy OS problem will continue well into the future.
While a small number, systems most impacted tend to be some of the most critical devices in healthcare organisations supporting clinical care, such as insulin pumps and ventilators, the report notes.
Systems most impacted tend to be some of the most critical devices in healthcare organisations supporting clinical care.
Marc Schlessinger, a senior associate at watchdog group ECRI, said medical device security is often among the weakest links in a healthcare organisation and called legacy devices a particularly challenging area because of well-known vulnerabilities that can't be patched.
Chris Gates, director of product security at medical device engineering firm Velentium, argues that "You can't always bolt-on security after the fact, especially with a legacy piece of equipment – I've literally handed cheques back to clients and told them there's no fixing this."
As recently as last year, Schlessinger said he saw older equipment in hospitals running on Windows 98, despite the fact that Microsoft stopped all support for the operating system in 2006. These kinds of OS issues are common with ageing medical imaging systems.
"But you're not going to find a hospital who is very quick to replace an expensive MRI or CT because the operating system is outdated," Schlessinger said. Instead, he recommends healthcare organisations employ best practises to manage security risks including isolating connected medical devices as much as possible from hospital networks.
At the same time, Schlessinger acknowledges that disconnecting devices from hospital networks is often not practical, as doing so could disrupt clinical workflow critical to patient care.
Velentium's Gates, who defines legacy medical devices as those systems that cannot be brought up to current cybersecurity standards, contends that medical facilities needs to get rid of those devices that are "highly insecure" and have been in hospitals for 20 years or more. "Let's clean out the dead wood," he said.
However, limited financial and staffing resources amid competing priorities at healthcare organisations are major obstacles to fixing vulnerabilities in legacy medical devices because it is not cost-practical to either replace them or remediate them.
The problem is that security analysts and regulators are "too busy trying to keep up with potential vulnerabilities in new devices to spend time on medical systems that have been in clinical use for years," according to Mike Rushanan, director of medical security at consultancy Harbor Labs. The same cannot be said of the hacker community, which he argues has the resources and patience to continually find new cybersecurity vulnerabilities.
Constantly evolving threats
At-risk legacy devices are potentially easy targets for cybercriminals who can use them as access points into hospital networks and ultimately the valuable patient data they're after, resulting in monetary reward directly through ransomware attacks or indirectly by selling stolen information.
"These are actually financially motivated intruders who are going after the low-hanging fruit. And, healthcare happens to be fairly low-hanging fruit," said Kevin Fu, acting director of medical device cybersecurity at the Center for Devices and Radiological Health.
"Everything is hackable," Fu declared, who noted that medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm.
Medical devices infected by ransomware can be disabled from properly performing critical clinical functions, which could lead to patient harm.
While medical devices such as infusion pumps are used to deliver life-supporting therapy, ECRI is not aware of hackers up to now who've done harm to patients by adjusting device settings that administer medications.
Nonetheless, IBM last year discovered a cybersecurity vulnerability that could potentially allow hackers to remotely take control of insulin pumps and alter medication dosages to patients.
So far, hackers seem more concerned about monetary rewards than doing patient harm.
"They have not gone after patients but that does not mean it can't happen," Schlessinger said. "If a hacker was looking to go in and actually harm a patient, IV pumps and ventilators would be two devices that they could easily target."
Fu warned that as more medical device companies use the cloud and depend on it for the real-time function of devices the industry is likely going to see cybersecurity incidents where they rise to the level of patient safety issues.
"Ransomware comes at the heart of availability. It simply renders the device useless," Fu said.
It's a possibility that becomes more plausible as the problem of ransomware attacks on healthcare has become an epidemic.
A gang of Eastern European cybercriminals known as Ryuk has hit at least 235 hospitals and inpatient psychiatric facilities since 2018, taking in more than $100 million from ransomware attacks, according to the Wall Street Journal. Some ransomware gangs avoid targeting healthcare organisations due to concerns about patient safety. However, Ryuk and other groups have no such hesitation.
"It's getting nasty out there. It's a much more sophisticated adversary than even a year ago," Fu told the FDLI conference, referencing the Conti ransomware group which targeted at least 16 healthcare and first-responder networks.
Fu acknowledged he doesn't know what the answer is when it comes to the massive problem of legacy devices and their inherent cybersecurity vulnerabilities.
"It's quite the thorny issue," AdvaMed's Rothstein acknowledged, observing that any medical device that hits the market is quickly considered legacy given the rapid pace of technology. "We're never really going to be completely rid of this issue," he said.