
Background

The issue of cybersecurity in the healthcare sector and, specifically, medical device vulnerabilities has always been covered in our OODA Loop Daily Pulse. Archived coverage and early signals on the issues at hand include:

Vulnerabilities in Over 100k Medical Infusion Pumps:  Palo Alto Networks’ Unit 42 has found that most smart medical infusion pumps are vulnerable to attack via known security flaws. Smart infusion pumps connect to networks to provide medication delivery to patients. The pumps use a combination of computer technology and drug libraries to administer the meds, and they limit the potential for dosing errors by reducing the possibility of human error. Unit 42 reviewed crowdsourced data from scans of more than 200,000 infusion pumps connected to the networks of hospitals and other healthcare organizations. According to the researchers, security flaws were detected in 75% of the medical devices. Perhaps the most shocking finding was that 52% of all infusion pumps scanned were susceptible to the same two vulnerabilities disclosed in 2019, one of which carries a “critical” severity score and the other “high.” Unit 42 advises that healthcare organizations ensure that they have maintained proper security. If hacked, the devices could be used for activities that would harm patients, such as altering medication dosage in extreme cases.

The Veterans Affairs Health Administration (VHA) Makes Moves to 3D Print and Produce Medical Devices In-House:  The VA has been developing medical device manufacturing facilities within its hospitals in hopes of 3D printing medical equipment. The VA is aiming to personalize its patient care and steer the production of health-related instruments. Additive manufacturing solutions provider 3D Systems announced on Thursday that it is collaborating with the agency to aid its efforts in 3D printing for the medical solutions industry. 3D Systems will be installing 3D printers at VHA sites, as well as helping them create quality management systems that include processes, documentation, and training to get VHA staff compliant as medical device manufacturers. 3D Systems is well known for its production of 3D printing software, hardware, materials, and other products and was formed over 30 years ago.

Ripple20 Threatens Increasingly Connected Medical Devices –  Researchers with Israeli cybersecurity consultancy JSOF disclosed a series of vulnerabilities affecting connected devices in the enterprise, industrial, and healthcare industries earlier this month. Experts have expressed concern over the implications for connected medical devices, which could potentially offer attackers a gateway into hospital networks or allow them to affect patient care and safety. The IoT vulnerabilities, called Ripple20, could put hospital networks, medical data, and patient safety at risk. Ripple20 lies in a low-level TCP/IP software library built by the company Treck. Because most IoT device manufacturers build the library directly into devices or integrate it through third-party components, many organizations may not know they’re exposed until it’s too late. The vulnerabilities found by JSOF range from minor bugs to major flaws that could enable DDoS or information disclosure, while two could lead to remote code execution.

Medical Devices Among Most Risky to Security:  Forescout Device Cloud has identified several points of risk inherent to device type, industry sector, and cybersecurity policies through analyzing data and metrics. The company concluded that medical devices, physical access operations, and networking equipment are at high risk for cyberattacks. The data points were correlated from 11 million devices and show that, due to an increased reliance on new technologies and connectivity, the number and sophistication of vulnerabilities in medical devices have been steadily increasing alongside an uptick in cyberattacks on hospitals. Connected medical devices are at high risk due to their potential impact in terms of business continuity and harm to patients.

Israel Applies AI To Healthcare, Building On Leadership In Cybersecurity, Digital Medical Records:  The novel coronavirus outbreak brought medical statistics to worldwide attention, and companies have announced that they are looking into applying AI algorithms to patient data to identify unvaccinated high-risk individuals. One of these companies is Medial EarlySign, an Israeli startup that has developed algorithms designed to assist healthcare providers with the early detection of certain conditions, including diabetes, colorectal cancer, and lower GI disorders. Medial EarlySign’s data sets cover more than 150 million patient years, and it has already conducted tests of its technology at 13 sites worldwide. Precision medicine is the practice of finding hidden clues of potential risk and telling data patterns and using them to predict an individual’s likelihood of developing a disease. Medial EarlySign’s algorithms, and others like them, could become essential to the medical world, alerting healthcare providers to a serious disease at an early stage, when intervention is more successful.

Healthcare organizations lack money, tools, talent to address the biggest cybersecurity threats:  A new CynergisTek survey identifies poorly secured Internet of Things (IoT) devices as the top concern for half of healthcare decision-makers. Other major concerns are medical device security and third-party risk. The research also found that one in three medical organizations do not have a proper strategy for medical device security, while over a quarter (26%) have no strategy at all. Furthermore, close to half of all firms have conducted only one incident response exercise ever, or have never conducted one at all.

FDA Warns Of Dangerous Cybersecurity Hacking Risk With Connected Medical Devices:  A 2019 warning by the US Food and Drug Administration (FDA) on insulin pumps produced by Medtronic MiniMed underscored how insecure Internet-connected devices in the healthcare industry can put patients at risk. Medtronic recalled a number of its insulin pumps because they have a vulnerability that “allows a potential attacker with special technical skills and equipment to potentially send radiofrequency (RF) signals to a nearby insulin pump to change settings, impacting insulin delivery.” The FDA warns that the “risk of patient harm […] is significant” in the case of exploitation. Because the affected devices cannot be updated, Medtronic has opted for a product recall.

The FDA takes steps to strengthen cybersecurity of medical devices:  “To strengthen the safety of medical devices, the U.S. Food and Drug Administration today finalized recommendations to manufacturers for managing cybersecurity risks to better protect patient health and information.”

A July 2019 post by OODA Loop contributor Michael Tanji discusses cybersecurity innovation relative to the death toll caused by cyber events and how, unfortunately, that is the only metric that leads to real action. Strangely enough, we are hard-pressed to find research and analysis that frames the medical device threat surface relative to deaths caused by attacks on the healthcare sector. However, the arguments Tanji makes in general terms do apply here. To date, what has been the impact of cyber vulnerabilities in the healthcare sector?

The good news is that cumulatively over time, and without hard metrics about a death toll that acted as a tipping point, these reports and issues of concern have now been elevated to the legislative level, with the introduction in June 2022 of bills related to medical device cybersecurity and the sale of health and location data.

The Medical Device Cybersecurity Bill

As first reported by CyberScoop:

  • Sens. Jacky Rosen, D-Nev., and Todd Young, R-Ind., introduced legislation that would require the U.S. Food and Drug Administration (FDA) to keep federal guidance on medical device security up to date with rapidly evolving cyber threats to the health industry.
  • The legislation would impose requirements on the FDA to work with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to issue binding guidance for industry and FDA staff regarding medical device cybersecurity no less than every two years.
  • The bill also requires FDA to regularly update its website to share cybersecurity vulnerabilities and access to support for health care professionals and industry.
  • The FDA last issued cybersecurity guidance in 2018. There are currently no existing requirements for how often the agency has to issue guidance.
  • The FDA in April issued a draft of guidelines for the industry regarding devices with cybersecurity risks. The guidance would apply to not just health care devices, but health care facility networks, a frequent target for ransomware attacks.
  • The guidance includes recommendations that devices come with a software bill of materials and a new labeling system to convey device risks — both practices highlighted in President Joe Biden’s executive order on federal cybersecurity in 2021.
  • Rosen, alongside Sen. Bill Cassidy, R-La., introduced separate legislation in March that would also strengthen Health and Human Services’ collaboration with CISA. (1)

The Health and Location Data Protection Act

As reported by our friends over at The Record:

  • Legislation introduced by Senator Elizabeth Warren (D-Mass.) Wednesday seeks to rein in the sale of Americans’ sensitive information.
  • The Health and Location Data Protection Act — co-sponsored by Ron Wyden (D-Ore.), Patty Murray (D-Wash.), Sheldon Whitehouse (D-R.I.), and Bernie Sanders (I-Vt.) — comes as the country awaits a Supreme Court opinion on abortion access that has highlighted the lack of control US residents have over information that can reveal sensitive personal health choices.
  • The new legislation would prohibit the sale or transfer of information about location and health, other than certain categories including those compliant with federal medical privacy regulation, protected by free speech, or disclosed with valid authorization.
  • The legislation would also task the Federal Trade Commission (FTC) with developing rules to implement the ban and give the agency $1 billion over the next decade to carry it out. The FTC, State Attorneys General, and individuals would also be able to sue violators under the proposal.
  • Civil liberties advocates have long warned that the vast amounts of data being collected about people online and as they navigate daily life can reveal sensitive information. That data is also often resold through the complex economy that has developed around digital marketing.
  • Efforts to address privacy on a federal level are seeing a new push. (2)

What Next?

We are already seeing signs of more FDA/CISA collaboration. In June, the FDA issued a statement in conjunction with a CISA Advisory warning of vulnerabilities in medical devices used for genetic testing.

The Healthcare sector, along with the Food and Agricultural (FA) sector, has also been on the receiving end of a disproportionate share of the staggering number of cyber and ransomware attacks in the last year. We will continue to track and surface incidents of note in this sector in the year ahead.

For a deeper dive into the legislative issues at hand, in May the Committee on Health, Education, Labor, and Pensions held a hearing on Cybersecurity in the Health and Education Sectors, which you can find here.

Stay Informed

It should go without saying that tracking threats is critical to informing your actions. This includes reading our OODA Daily Pulse, which will give you insights into the nature of the threat and the risks to business operations.

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.