To improve the cybersecurity of medical devices, a Cooperative Research and Development Agreement (CRADA) has been announced. The deal between the US Department of Veterans Affairs (VA) and Underwriters Laboratories (UL) is intended to deliver new cybersecurity standards and certification for medical devices.
The US Federal Technology Transfer Act of 1986 established the CRADA mechanism. The goal was to create joint government and industry teams to solve technological and industrial problems for the good of the US. It is surprising, therefore, that it has taken this long for a CRADA to be signed for medical devices.
Anura Fernando, UL Principal Engineer for Medical Software & Systems Interoperability said: “Working together with the VA, we will contribute to industry-wide situational awareness of both medical device vulnerabilities and threats. We believe that this project will positively impact the direction that manufacturers take in improving the overall security posture of medical cyber assets.”
What is the threat against?
There are two groups of devices here: those that sit outside the body and those that are implanted in the patient. In both cases, healthcare equipment manufacturers are increasingly using wireless links to monitor and control devices. Wireless increases the portability of devices, enabling them to be moved around hospitals and carried by patients, but it also means an attacker no longer needs physical access to reach the device. The concern is that attackers can use these links to deny patients treatment or to cause them physical harm, potentially fatally.
One of the big challenges for medical devices is their long lifecycle. Many of the devices used in hospitals and implanted in patients have little or no cybersecurity, and where security exists it is often weak, because it was designed when the threat landscape was very limited and may remain in service for a decade or more without being updated.
Ransomware already a major problem in healthcare
Healthcare operators are already facing sustained attacks in the form of ransomware and medical fraud. By encrypting patient data, ransomware forces healthcare providers to pay up to avoid putting patients at risk. There is a wider danger here: the attackers deploying ransomware could also target other connected hardware, such as robots in operating theatres or medical scanning machines.
Medical fraud is a much larger problem for healthcare providers. Criminals purchase stolen data, including private medical insurance numbers, and then bill insurers for non-existent treatment and drugs. Those drugs are then sold on to third parties, providing cash for the criminals.
Is this a real threat or scaremongering?
So far there are no documented cases of anyone being killed as a result of a medical device being hacked. This does not mean that it cannot happen, nor does it mean that all such reports are scaremongering. Two well-known medical device hacks demonstrate that the issue is very real.
Jay Radcliffe is a security researcher who hacked his own insulin pump in 2011. Despite an initially negative reaction to his disclosure, Radcliffe did succeed in getting the manufacturer to add more security. The manufacturer concerned was subsequently reported as saying: “It may take years for updated pumps to hit the market” and that the risk is “extremely low.”
Motherboard reported that students from the University of South Alabama hacked the pacemaker in a patient simulator. In the article, Mike Jacobs, Director of the Simulations Program at the University of South Alabama, said: “The simulator had a pacemaker so we could speed the heart rate up, we could slow it down. If it had a defibrillator, which most do, we could have shocked it repeatedly. If it was the intent, we could definitely cause harm to the patient. It’s not just a pacemaker, we could do it with an insulin pump, a number of things that would cause life-threatening injuries or death.”
Building on the UL 2900 series of standards
The press release states that this deal builds on the UL Cybersecurity Assurance Program (CAP), announced in April, which is in turn based on the UL 2900 series of standards. These provide a set of frameworks and tests for network-connectable products. It is difficult to know how long it will be before we see the first certifications issued under this deal.
There are several other questions that need to be asked. For example, what devices will be tested? Will the tests be mandatory for new devices? Will the tests apply to older devices? Will the VA replace devices that fail the tests? Will it establish a program to help raise awareness of risks in those with affected devices? Will the VA publish a list of devices that have failed tests?
This is a significant move forward for the healthcare industry and should result in a positive outcome for patients. It is also an approach that the automotive industry, which seems wilfully blind to cybersecurity risks, could follow. It is, however, only part of a much larger problem: security for the Internet of Things and connected devices generally.