to manage traditional endpoint devices such as servers, desktops, laptops, and portables. Traditional NAC takes a broad
view of the network. However, most NACs provide inadequate
contextual information about medical and IoT device use,
traffic flows, or operational status, which would render an administrator, for example, unable to determine why one Baxter
infusion pump is communicating with North Korea while the
other 999 pumps are not. Typically, NAC cannot see the IP or
networking information, which reveals the true nature of a
device and the context of its communications within the network. A NAC’s inability to distinguish medical devices often
fails to identify MRI machines and instead classifies them as
This poor device visibility results in system administrators continuously mixing unknown vulnerable devices into network segments without thought to the National Vulnerability Database’s
recommendations on mitigating their risk. Because these devices were never designed to support an authentication certificate,
system administrators simply configure a NAC bypass allowing
the unknown devices’ automatic authentication. The solution
isn’t as simple as restricting access. These devices are incredibly
sensitive to vulnerability scans and blocking these devices is not
an option as it may interrupt practitioners administering patient
care. A key medical device management maxim is “Don’t inadvertently shut off the device administering life-saving medication to the patient.”
High Profile System Vulnerability Events
In recent years, several incidents and compromised devices
have threatened patient care. A few examples include:
1. BlueKeep, a self-replicating malware worm that exploits
Microsoft’s Remote Desktop Protocol (RDP) and allows
bad actors to remotely access and control the endpoint.
In May 2019 Siemens reported vulnerabilities in several
medical devices that could be exploited by BlueKeep. The
severity of these vulnerabilities is rated 9.8 out of 10 on
MITRE’s Common Vulnerability Scoring System (CVSS).
ECRI, a federal patient safety organization, forecasted
RDP as the top healthcare technology threat for 2019.
Many medical devices, including critical radiology devices, run legacy Microsoft Windows operating systems,
making them likely targets to hackers and indiscriminate
2. Becton Dickinson’s Alaris Gateway Workstation (AGW)
provides power and network connectivity to infusion and
syringe pumps. An improper access control vulnerability
allows hackers to remotely upload malicious firmware
to infusion pumps, causing them to dispense all the patient’s medication in minutes instead of hours. During the
2019 RSA Conference, doctors simulated the emergency
on stage. In June 2019, the FDA recalled Medtronic’s MiniMed pump for this vulnerability. The United States Department of Homeland Security’s advisory on the AGW
has a CVSS rating of 10 out of 10.
3. At Israel Deaconess Radiology System, a network tech connected to the internet for a firmware upgrade and went to
lunch.[3] Malware was downloaded and 2,000 X-ray images
were stolen. According to media reports, the X-rays were
sold to Chinese nationals with lung diseases who wanted
to travel outside the country for treatment.
Suspicious Activities Worth Monitoring
1. All unpatched devices vulnerable to the BlueKeep virus
are not quarantined.
2. The elevator control system is trying to communicate with
a human resources application.
3. Ninety-three percent of your IP-based security cameras
are using default passwords and security configurations.
4. You’re considering contacting the US Department of
Health and Human Services’ (HHS) Office for Civil Rights
because 20 devices on the “gone missing” list are not using data encryption.
5. It’s unclear which medical devices are running Windows
7, which will be discontinued in January 2020.
6. Heart monitors recalled by the FDA are still in use.
7. A CT scanner is sending payment card industry data to an
IP address in Ukraine.
The CHIME CEO and the Association for Executives in
Healthcare Information Security (AEHIS) chair recently
wrote [4] to Senator Mark Warner (D-VA), an author of the 2015
Cybersecurity Act (CSA). Under Section 405, the CSA requires
the Secretary of HHS to address improvements for cybersecurity in the healthcare industry. They voiced their support for
several FDA policy proposals, including the draft guidance
that will address the “serious threats to patient safety stemming from cybersecurity threats to medical devices.” Their letter covered eight primary points, including the following five,
which specifically address medical devices:
1. Regulators need to understand medical device risks extend to the entire network, thus posing a real risk to patient safety.
2. The FDA should expand the definition of medical device
risk to include networks, switches, firewalls, applications,
and other components.
3. Global WannaCry 2017 patches have not been released for
certain medical devices.
4. Medical device manufacturers need certification standards similar to EHRs.
5. The FDA’s premarket guidance on medical devices should
explicitly reference the voluntary guidance provided by
HHS, in response to the CSA Section 405 mandate “Health
Industry Cybersecurity Practices: Managing Threats and
Protecting Patients,” to serve as a resource to improve
their cybersecurity posture.