Cybersecurity Vulnerabilities in Health Care: Medical Devices and the Internet of Things
Sarah Armenio
According to the Identity Theft Resource Center (ITRC), the number of U.S. data
breaches is at an all-time high for the first half of 2017 (ITRC, 2017). There was a 29%
increase in data breaches from the previous year, with 791 recorded breaches through June 30,
2017. While the business sector falls victim to the largest number of attacks and breaches, the
health care sector has not been spared. With healthcare accounting for 22.6% of all breaches
thus far this year, it equals the number of breaches in banking, government, and education
combined.
individuals. These types of cyber-attacks can also interfere with the treatment of patients and
patient safety. The widely publicized WannaCry ransomware attack on hospitals in the United
Kingdom and elsewhere has demonstrated that hackers have learned to exploit outdated software
in health care systems. In these attacks, a known security vulnerability was used to gain control
of the computer and prevent anyone from using it unless the user paid a ransom. Hospitals were
put in a critical situation as computers can be used to access patient records and assist the
treatment of patients through Electronic Medical Records (EMRs). Perhaps most disheartening
is that the situation could have been avoided if the computers were kept up-to-date. Software
patches that eliminated the vulnerability were released prior to the attack; however, the affected
organizations had not applied them to their computers, thus leaving the hospitals’ computers
vulnerable.
Security should be a priority of every health care
organization. It is important not only to secure patient data, but also to secure all information
technology (IT) systems in an organization to ensure that the treatment of patients is not
compromised. Any type of successful cyberattack on a hospital detracts from the organization’s
main purpose, which is to treat patients. The Centers for Disease Control and
Prevention (CDC) has published new tools to help organizations address cybersecurity, which
further highlights the importance and priority of cybersecurity in health care (CDC, 2016). Yet,
given the increase of successful attacks this year, it seems many health care organizations have
not prioritized IT and cybersecurity or are only beginning to devote the necessary resources in
the aftermath of recent ransomware attacks. The lack of readiness for an attack has made health
However, even as health organizations rush to improve the IT security of their network,
emerging technologies and the use of medical devices are creating new or undiscovered
vulnerabilities that are yet to be accounted for. Keeping track of the thousands of medical
devices in a hospital can be a daunting task. Ensuring that a device’s operating system is up to
date and adequate in reducing vulnerabilities is even more challenging. Medical devices such as
insulin pumps and pacemakers can be hacked to administer lethal doses or stop functioning. As
technology advances, medical devices are also becoming wireless, which offers new access
points for hackers. With the growing fields of the Internet of Things (IoT) and wireless sensor
networks (WSN), devices are even more vulnerable to attacks as traditional security measures
This paper will review the current literature and state of cybersecurity in health systems,
medical devices, and the Internet of Things to identify potential solutions to the issue. Properly
maintaining software and hardware in health organizations is key to mitigating the risk of
cyberattacks. A system to track and update existing software, medical devices, and other connected
IoT devices in hospitals will be reviewed as a potential solution, with an investigation into potential
failures. A quality measurement plan will be used to evaluate the effectiveness of the proposed
Literature Review
A literature review was conducted to examine the current state of cybersecurity in health
care information systems (HIT) and identify potential solutions for preparing and responding to
malicious cyber-attacks. The literature search resulted in a number of recent U.S. congressional
reports and hearings on the issue, along with several scholarly papers discussing the current
In June of 2017, the Health Care Industry Cybersecurity Task Force presented a “Report
on Improving the Health Care Industry Cybersecurity” to U.S. congressional committees (2017).
The report acknowledged that cybersecurity has traditionally been viewed as an information
technology (IT) challenge in the health care industry. A lack of understanding of the risks of
cyber-attacks along with a lack of resources and trained personnel were identified by the report
as a few of many obstacles. These obstacles are particularly relevant for smaller organizations
where there is no dedicated individual for IT security. Additionally, legacy hardware, software,
and operating systems with known vulnerabilities are difficult and costly to replace. The report
noted that the importance of cybersecurity is not always acknowledged nor understood by health
governance that will prioritize and set expectations for security standards in the health care
industry. Second, the health care workforce needs to be developed and educated to address
cybersecurity threats. Research has shown that cybersecurity awareness of vulnerabilities and
2000). However, while preparing for a cyber-attack can reduce damages, it is reactive in nature
and does little to proactively prevent attacks from occurring. Furthermore, increasing awareness
does not address the issue that smaller organizations have limited resources and may not be able
to implement wide-ranging security measures. One additional recommendation from the Report
on Improving the Health Care Industry Cybersecurity is to increase the security of medical
devices and IT. This recommendation includes tracking and updating all IT assets and medical
The importance of updated software and medical devices was also reported in a hearing
Commerce (Cybersecurity in the Health Care Sector, 2017). Michael McNeil testified on the
system and lifecycle. McNeil noted that the risk management process should include monitoring
the security of existing medical devices and that cybersecurity is a shared responsibility among all
stakeholders in health care. Individuals from the hearing recommended increasing the sharing of
risks. Sharing this information allows software developers and device manufacturers to correct
their products and eliminate known vulnerabilities. However, these corrections require existing
products to be updated with the correction. The issue of how to effectively and efficiently update
The “Healthcare Organization and Hospital Discussion Guide for Cybersecurity” from
the Centers for Disease Control and Prevention was reviewed to investigate any potential
processes as a solution for updating devices (2016). The discussion guide highlighted the
increased use of wireless devices and the Internet of Things (IoT) in health care. Increased use of
such devices also creates increased risk such as remote enablement and control. Discussing and
planning for a cyberattack by hospital staff are noted as key tools to reduce the damage that an
attack can cause. Furthermore, active and continuous monitoring of devices and IT systems is
crucial. This is a proactive step for securing an organization’s IT systems and was noted as part of the
The “Security and Privacy Issues in Wireless Sensor Networks for Healthcare
Applications” paper noted that wireless medical devices are particularly vulnerable to their
communications being intercepted (Ameen, Liu, & Kwak, 2000). This interception or
eavesdropping can allow an attacker to steal or tamper with the data that is being sent from the
medical device to a remote server. In addition, information gained from eavesdropping may
allow the attacker to gain remote control of the medical device or other IoT application. To
counter these attacks, medical devices and the networks they interact with should encrypt the
data being sent and always authenticate the transmission. These safeguards must be built into the
operating systems of medical devices. When deficiencies in these systems are discovered, they
must be quickly patched via a firmware update to avoid eavesdropping and other attacks from
occurring.
the problem. The consensus in the literature is that the health care industry is ill-prepared
awareness of threats are all lacking in the current state of the industry. However, the increasing
use of IoT and wireless medical devices, such as heart rate, blood pressure, and activity
monitors, are creating new challenges for securing the data of hospitals and the patients they
monitoring, and simulation of attacks. Perhaps more impactful, however, are the proactive
measures to mitigate risk by ensuring that legacy systems and devices are monitored and updated
to eliminate known vulnerabilities. Yet, such proactive measures can be difficult due to the
number of systems and devices in hospitals and the native properties of wireless remote devices
that are not always associated with a fixed physical location. Updating devices requires personnel
to physically locate each device and deploy an update. As a solution to the difficulties of
updating devices to protect against emerging wireless cyber threats, a system to deliver over-the-
air (OTA) updates to remote wireless medical devices is proposed in the following sections.
Identified Solution
vulnerabilities in health care. In January 2016, the U.S. Food and Drug Administration (FDA)
Carey, & Gallant, 2016). This guidance outlined that device manufacturers should deploy
mitigations that address cybersecurity risks. It is not enough to identify and report a threat, but
medical device manufacturers must also implement device changes and release software or
firmware updates to affected devices. However, according to the FDA, ensuring that devices are
updated with the software update is the responsibility of the health care delivery organization
(FDA, n.d.). Thus, a reliable and secure technological system to deliver over-the-air (OTA)
updates to remote wireless medical devices is a potential solution for health care delivery
organizations to update their medical devices and reduce their cybersecurity vulnerabilities.
Such a method to deliver OTA updates to wireless medical devices must be secure.
Wireless sensor networks (WSNs) are insecure by nature and susceptible to eavesdropping or
modification of the data that is being transmitted. While there are many protocols for delivering
OTA updates, the Seluge++ protocol has been identified as a secure mechanism that is resistant
to Denial of Service, Wormhole, and Replay Attacks (Doroodgar, Razzaque, & Isnin, 2014).
The Seluge++ protocol also ensures that the data transferred in a WSN is coming from a trusted
source and that no modification has been made to the data. A system to deliver OTA updates
Implementing an OTA update system allows health care organizations to quickly update
all of their affected medical devices when the device manufacturer releases a software update to
eliminate a known vulnerability. Devices with outdated software are more susceptible to attacks
and thus quickly updating devices reduces risk to the organization (Ameen, Liu, & Kwak, 2010).
Remotely delivering a software update is also far easier for a health care organization to
accomplish than having to physically track and update devices. This saves the organization time
and resources. Furthermore, this solution is proactive by protecting the organization from
cybersecurity attacks rather than being reactive and taking action once an attack has already
occurred. Updated devices reduce the risk to organizations, assure patients of their safety, and
The process for the identified solution is outlined below. Each step was analyzed for potential
failure modes and a Failure Mode Effects Analysis (FMEA) was performed. The FMEA table is
Start
1. Cybersecurity vulnerability detected and shared among device manufacturers
2. Determine which devices and software components are affected
3. Fix implemented and software update released
4. Software update imported into hospital's over-the-air (OTA) server
6. Is there an update available for this device? (No: End; Yes: continue to step 7)
7. Download update and store on device
8. Is device currently being used? (Yes: check again; No: continue to step 9)
9. Implement update
End
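As an added illustration (not code from the paper or from any OTA product), the device-side part of the process above, steps 6 to 9, is shown here in Python together with the checks the Seluge++ paragraph calls for: trusted source, no modification, and replay resistance. It does not implement Seluge++; an HMAC-SHA256 over an update manifest with a pre-shared key stands in for the protocol's authentication, and the names `Device`, `make_update`, `pump-x` and the key are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Assumption: a constructed pre-shared key. A production system would verify an
# asymmetric signature so that devices hold no secret capable of forging updates.
KEY = b"constructed-demo-key"

def manifest_mac(manifest, key=KEY):
    """HMAC-SHA256 over the canonical JSON encoding of the manifest."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_update(model, version, image):
    """OTA server side (step 4): package an image with an authenticated manifest."""
    manifest = {"model": model, "version": list(version),
                "sha256": hashlib.sha256(image).hexdigest()}
    return {"manifest": manifest, "mac": manifest_mac(manifest), "image": image}

class Device:
    def __init__(self, model, version):
        self.model = model
        self.version = tuple(version)
        self.in_use = False
        self.staged = None  # update downloaded in step 7, not yet applied

    def check_and_download(self, update):
        """Steps 6-7: stage only an authentic, unmodified, newer update."""
        m = update["manifest"]
        if not hmac.compare_digest(manifest_mac(m), update["mac"]):
            return "rejected: manifest not authentic"
        if m["model"] != self.model:
            return "rejected: wrong model"
        if tuple(m["version"]) <= self.version:
            return "no update: not newer (replay or rollback)"
        if hashlib.sha256(update["image"]).hexdigest() != m["sha256"]:
            return "rejected: image modified"
        self.staged = update
        return "staged"

    def try_install(self):
        """Steps 8-9: defer while the device is in use, otherwise apply."""
        if self.staged is None:
            return "nothing staged"
        if self.in_use:
            return "deferred: device in use"
        self.version = tuple(self.staged["manifest"]["version"])
        self.staged = None
        return "installed"

if __name__ == "__main__":
    dev = Device("pump-x", (1, 0, 0))          # constructed sample device
    upd = make_update("pump-x", (1, 1, 0), b"constructed firmware image")
    dev.in_use = True
    print(dev.check_and_download(upd), "/", dev.try_install())
    dev.in_use = False
    print(dev.try_install(), dev.version)
    print(dev.check_and_download(upd))         # same update replayed
```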
Quality Measure
For the purposes of measuring the effectiveness of an over-the-air (OTA) mechanism for
updating medical devices, quality improvement (QI) measurements were developed. There are 2
measurements that will determine the effectiveness of OTA updates: (1) the percentage of
devices in an organization that are running the most recent version of software/firmware
available and (2) the average number of days between when an update is released by a
manufacturer and when it is installed on a device by the owning organization. The goal for
performance improvement is for 95% of devices to be using the most recent version of
software/firmware. These goals were determined after analysis of potential failure modes that
were identified in the previous section. Given that there may always be devices that are off
or always in use, it may be difficult or impossible to consistently achieve a 100% rate for devices
The first step for the QI measurement is to identify and establish a baseline for the data to
be collected. An initial inventory of all the medical devices within the health care organization
should be performed if not already present. Given the vast numbers of medical devices in an
organization, one type of device or one location may be used to narrow the focus. Devices that
have frequent updates, are at the highest risk for cyberattacks, or that have the greatest impact on
patient safety would be ideal candidates. This inventory should be conducted by the
locations within the organization, the local area network (LAN) administrator should assist in
reporting the details for each device at his location. However, the inventory list should be
There are 6 pieces of information that should be documented with each device:
6. Number of days between when version was released and when device was updated
This inventory serves as the initial state of all devices and gives the baseline for the
percentage of devices that are using up-to-date software/firmware. Since the number of days
between an update’s release and its implementation may not be known during the initial
inventory, devices should be monitored for a period of 6 months to measure the baseline
performance of updating devices. During this period, the inventory should be repeated at 1 week
intervals. At the end of the 6 months, the average number of days between when a new version
was released by a manufacturer and when the device was updated by the organization should be
Once an OTA system is implemented, the inventory should be repeated again at 1 week
intervals for 6 months. The nature of OTA mechanisms may make it possible for the data
collection and inventory to be performed from a central location and without the use of LAN
devices would be also available on demand. However, the 1 week inventory should still be
performed to verify the accuracy of the OTA system and ensure that the collected data that is
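The two measurements defined in this section can be computed from one weekly inventory snapshot as follows. This is an added example, not part of the original paper: the record fields, device identifiers, models, versions and dates are constructed assumptions, and the per-device `overdue` figure (days a stale device has gone without the latest release) goes beyond the two stated measures to show what the average alone hides.

```python
from datetime import date

# Constructed sample data; field names are assumptions for this example.
RELEASES = {  # model -> [(version, manufacturer release date)]
    "pump-x": [((1, 0, 0), date(2017, 1, 10)), ((1, 1, 0), date(2017, 3, 1))],
    "monitor-y": [((2, 0, 0), date(2017, 2, 1))],
}
INVENTORY = [  # one weekly snapshot of installed versions and install dates
    {"id": "D1", "model": "pump-x", "version": (1, 1, 0), "installed": date(2017, 3, 8)},
    {"id": "D2", "model": "pump-x", "version": (1, 0, 0), "installed": date(2017, 1, 20)},
    {"id": "D3", "model": "monitor-y", "version": (2, 0, 0), "installed": date(2017, 2, 15)},
    {"id": "D4", "model": "pump-x", "version": (1, 1, 0), "installed": date(2017, 3, 4)},
]

def qi_measures(inventory, releases, as_of, goal=95.0):
    """Return measure (1), measure (2) and the overdue days of stale devices."""
    current, lags, overdue = 0, [], {}
    for dev in inventory:
        history = dict(releases[dev["model"]])   # version -> release date
        latest = max(history)                    # tuples compare numerically
        # Measure (2): days from release of the installed version to its install.
        lags.append((dev["installed"] - history[dev["version"]]).days)
        if dev["version"] == latest:
            current += 1
        else:
            # Still exposed: days since the latest release became available.
            overdue[dev["id"]] = (as_of - history[latest]).days
    percent = 100.0 * current / len(inventory)
    return {
        "percent_current": percent,              # measure (1)
        "meets_goal": percent >= goal,           # 95% goal from the text
        "avg_days_to_update": sum(lags) / len(lags),
        "overdue": overdue,
    }

if __name__ == "__main__":
    print(qi_measures(INVENTORY, RELEASES, as_of=date(2017, 3, 15)))
```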
Conclusion
Recent cyber-attacks targeting health care organizations have exposed not only
devices that could impact patient safety if exploited. Reducing these known vulnerabilities in
medical devices relies on tracking medical devices and rapidly updating these devices after a
update system could be developed to assist in the rapid and continuous deployment of software
updates to medical devices throughout an organization. A failure mode effect analysis of this
solution suggests that such a system could be successful, but could face challenges due to
connectivity issues, continued use of devices, or devices being powered off for extended periods
of time.
More research is necessary to determine if any such OTA systems for medical devices
currently exist. However, based on initial analysis it is suspected that no such systems are
currently commercially available. Therefore, next steps should include contacting device
manufacturers to determine if any such system is being considered and the viability of such a
solution. While the solution could prove its merit and usefulness to health care organizations, IT
staff, and cybersecurity professionals, any OTA software/firmware solution would require buy-in
and commitment from device manufacturers. Manufacturers would need to accept the solution and
design their device firmware/software to be compatible with such a system for delivering
updates. Development of an OTA system could then be considered in collaboration with device
manufacturers.
References
Ameen, M. A., Liu, J., & Kwak, K. (2010, March 12). Security and Privacy Issues in Wireless
https://doi.org/10.1007/s10916-010-9449-4
https://link.springer.com/chapter/10.1007%2F978-0-387-35515-3_3
Brown, N. A., Carey, C. H., & Gallant, M. P. (2016, April 1). Cybersecurity of Postmarket
eds.b.ebscohost.com.sally.sandiego.edu/eds/pdfviewer/pdfviewer?vid=0&sid=4cd54c3e-3a8a-4105-9d3e-6f2a6f9db4ab%40sessionmgr103
Centers for Disease Control and Prevention. (2016, August). Healthcare Organization and
https://www.cdc.gov/phpr/healthcare/documents/healthcare-organization-and-hospital-cyber-discussion-guide.pdf
and Commerce, United States House of Representatives. 115th Cong. 1 (2017, April 4).
Doroodgar, F., Razzaque, M. A., & Isnin, I. F. (2014, March 11). Seluge++: A Secure Over-the-
doi:10.3390/s140305004
Health Care Industry Cybersecurity Task Force. (2017, June). Report on Improving
https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
Identity Theft Resource Center. (2017, July 17). At Mid-Year, U.S. Data Breaches Increase at
year-data-breach-report-press-release.
U.S. Food and Drug Administration. (n.d.). The FDA’s Role in Medical Device Cybersecurity.
Retrieved from
https://www.fda.gov/downloads/medicaldevices/digitalhealth/ucm544684.pdf
Appendix
exploited
3 Potential Cause(s) | Slow reaction from manufacturers on fix | Vulnerability buried in code. No existing fixes or workaround | Failure on developer to understand the vulnerability. Poor documentation in reporting.
4 Severity | Moderate | Moderate | Moderate
5 Probability | Frequent | Uncommon | Uncommon
6 Hazard Score | 8 | 4 | 4
Process Step #5
(serious design flaw in OTA server)
determine if update is available.
3 Potential Cause(s) | Design flaw in OTA server | Damaged or worn out flash memory. Firmware defects | OTA server updated more recently than device
4 Severity | Minor | Minor | Minor
5 Probability | Remote | Uncommon | Remote
6 Hazard Score | 1 | 2 | 1
Process Step #8
device implementation
between
download and
implementation
6 Hazard Score | 1 | 2 | 1