Medical device cybersecurity will be rubbish for 20 more years

Good cybersecurity guidelines are being published, but slow development and approval processes, and long service lives, will guarantee chronic problems.
Written by Stilgherrian, Contributor

"Everything with a power point is probably connected, or will be shortly," says Christopher Neal, chief information security officer (CISO) of Ramsay Health Care.

"Increasingly that connectivity is critical to patient care," he told the Gartner Security and Risk Management Summit in Sydney on Monday.

Even if those connected devices aren't transmitting patient medical data, increasingly they're conveying information about their own health.

Yet those medical devices can be incredibly vulnerable.

Neal saw this first-hand in the medical village at the DefCon cybersecurity conference earlier this month. Hackers were let loose on the kind of equipment you'd expect to find in hospital patient rooms.

"The most fun I saw was [when] a guy sat down at an ultrasound machine," he said.

"Within about 30 seconds of connecting he had shell, unrestricted PowerShell access to that system through a vulnerability in the file manager that's on the platform."

The US Food and Drug Administration (FDA) has been issuing cybersecurity guidelines for several years. Australia's Therapeutic Goods Administration (TGA) issued its own Medical device cyber security guidance for industry last month.

"There's good guidance, but any systems built with that guidance are probably three to four years away from market, and most of this gear's built to last 10 to 15 years," Neal said.

"Anything you're buying today has not been built secure-by-design, most likely. This is a problem that's going to live in healthcare for another 15 to 20 years."

You can't secure it if you don't know it's there

Ramsay is Australia's largest operator of private hospitals, with 30,000 staff and around 9,500 beds. Their set-up seems typical for a health care provider.

When he started there, Neal found a "not wonderful understanding of where IT systems are at, what's connected". There were "varying levels of support and understanding" of what devices are in place, with no centralised fixed asset list.

Each hospital also runs as its own entity, with its own chief executive officer. That works against consistency across the organisation.

While the architecture of the corporate network is flat, each hospital's medical networks are meant to be compartmentalised using DMZ networks.

"If you don't know about it you can't secure it," Neal said, so he launched a project to map all the devices across the organisation's 74 hospitals.

A trial run with three hospitals took three months to complete, so clearly automation was needed. Neal chose the Forescout device visibility and control platform.

"Did we find a lot more equipment with default credentials, default configuration, sitting not on the corporate network but in those DMZs? Yes, we found a lot of that," he said.

"I see visibility as the foundation to being able to start stitching things together."

Ramsay isn't ready to move to a zero trust model for cybersecurity, however. Being able to make that move "depends on IT maturity more generally, how the organisation broadly sees and values IT".

According to Neal, at Ramsay "there's an IT and organisational maturity that's a long way off".

"For a very mature IT organisation, you can probably get it done in two or three years," he said.

"Looking to do it any faster than that in any large-ish organisation you're more likely to break things than fix them."
