Ancient equipment and poor networking: BlackBerry weighs in on the state of medical device security

BlackBerry executive Nader Henein says that before security weaknesses can be addressed, healthcare providers need to take a long, hard look at their networks and rebuild them from the ground up.
Written by Charlie Osborne, Contributing Writer

Executive Nader Henein.


BlackBerry executive Nader Henein believes that as more Internet of Things (IoT) and connected healthcare devices come into play, the industry must take steps to reevaluate their security -- from the ground up.

The use of IoT and connected devices can provide healthcare providers and patients with a range of benefits -- such as the use of mobile technology to track conditions, improved communication between departments, and personalized medical care -- but it also comes with risk.

The problems lie in how medical devices become connected to the internet and the path this forges for cyberattackers to potentially exploit. Not only could attackers target victims individually as demonstrated by IOActive researcher Barnaby Jack's experiments with pacemakers, but patient data can be stolen and medical devices can be left exposed online for attackers to cause havoc if they wished.

Despite these issues, business is booming, with analysts predicting the global IoT healthcare market will be worth as much as $410 billion by 2022.

Speaking to ZDNet, Nader Henein, regional director of advanced security assurance advisory at BlackBerry, said that security standards for biomedical devices, unlike PCs or mobile products, are still in their infancy.

While some patch programs do exist and some medical equipment makers -- such as Hospira -- are beginning to take responsibility for security, industry standards must be created to ensure at least a basic level of security for future devices.

However, this is not the only issue at fault.

"The focus is still almost entirely on the function of the device rather than its capacity to be secured," Henein says. "As such the problem in the medical space is the same as with any traditionally isolated device that has become connected over the past few years: these devices are often "insecure" and worse even in many cases "un-securable."

The true security of a medical device needs to be measured by a device's capability to withstand a cyberattack from skilled hackers. This, in turn, needs to evolve over time, the executive says, in order to "keeping with the nature of cybercrime," and devices should be constantly tested based on the latest industry threats.

While the US Food and Drug Administration has only reached the "recommendations" stage when it relates to medical device security, there is some independent industry movement, at least. In May 2016, DTSEC was released -- a medical device cybersecurity standard created and managed by a BlackBerry-led non-profit consortium.

The standard focuses on embedded medical device security through systems implemented at the beginning of development cycles. By using other international standards, including ISO 15408 and IEC 62304 (.PDF), DTSEC acts as a guide which contains security requirements and recommendations for different product types.

See also: FDA one of many 'toothless dragons' with no will to tackle medical device security

It is both the responsibility of medical equipment vendors and hospitals to take note of how the cybersecurity landscape is evolving and what threats may be landing at their door. It is understandable that budgets are often tight and overstretched, but unless such entities want to entertain the risk of facilitating harm to a patient due to cyberattackers, investment needs to begin at the device level and end with network security, update schedules, and staff training to detect malicious threats.

"When improving cyber defenses in the healthcare industry, one of the first steps must be to properly re-engineer the network where they sit so that insecure devices are not a threat and their usage can be properly monitored," the executive says. "In the long term, updating or replacing insecure devices should be part of the change management process."

Read on: Medical device 'birth certificates' could solve healthcare security woes

According to the executive, not enough is being done by healthcare providers to secure their networks -- especially when such investments hit the bank balance.

As the healthcare industry is trained and focused on providing patient care, research, and medical equipment, security is often left by the wayside -- and there may be little left over out of budgets to shore up networks and protect devices connected to them.

"The issue is, if they want access to the latest and greatest in lifesaving medical equipment, they're going to have to also focus on cybersecurity as almost all of these devices are connected," Henein noted. "As healthcare providers learn more about the benefits of IoT, they will also become more aware of the associated threats. In turn, healthcare budgets should start to increase to reflect this increasing awareness over time, but this is not going to happen overnight."

Cybersecurity reads which belong on every bookshelf

Internet of Things: The Security Challenge:

Editorial standards