This summer, Ripple20 malware was discovered. It has the potential to infect millions of connected devices, and manufacturers in health care are issuing warnings. Last year, the US Food and Drug Administration (FDA) issued warnings about Urgent 11 malware, which created vulnerabilities in medical devices. A decade ago, cybersecurity experts warned that insulin pumps could be hacked.
There’s a big gap between what is possible and what is probable, however. So, should scientific labs be concerned?
The answer is “yes,” but only to a limited degree. Ensuring lab devices remain secure from cyber threats “is all about controlling access to the network…implementing multifactor authentication, and looking at how devices connect,” says Melissa Ventrone, leader of the cybersecurity, data protection, and privacy group for Clark Hill PLC, and major (retired), US Marine Corps.
As labs become more automated, the risk increases that someone will hack an unsecured, connected device—like a lab freezer, perhaps—and use it to infiltrate the broader organization. What is perhaps more likely is that, as more scientists work from home, malware on their personal devices will infect the lab equipment. Personal devices, such as smart phones, laptops, and tablets, typically are less secure than devices that stay inside the organizational intranet. “Users often don’t set up security and access controls for their personal devices,” Ventrone says. “Additionally, they’re not connecting to other networks through the organizational firewall, but through their own. If something happens, there is less forensic information.”
“Any time you connect a device to a network, it’s like punching a tiny hole in that network. From a mapping perspective, you’re looking at potentially hundreds of interconnections,” adds Ventrone.
Organizations that store patients’ health care information, including anonymized and pseudoanonymized data, are a greater target than research labs, Ventrone points out, making their data more valuable to hackers.
But hackers are opportunistic. During 2020, “COVID-19 phishing scams are proliferating,” Ventrone says. The medical field is rife with fake websites that entice people to donate to develop vaccines or help fund clinical trials or that purportedly offer COVID-19 information. “The proliferation of fraud scares me, and not a lot scares me,” she said. “Even people’s identities from 20 years ago are being used again.” Yet, despite the increasing vulnerabilities to laboratory instruments and medical devices, “there have been no compromises, to my knowledge,” she explains. That breeds complacency within the device and equipment industry.
“Most manufacturers aren’t doing much to secure their devices,” Ventrone notes. “Since there have been no compromises, they see cyber threats as minimal risks.” To underscore her point, she cites published accounts of security researchers who discovered vulnerabilities and alerted the manufactures several times of the risk. Eventually, the researchers published the information, hoping to spur manufacturers to action. “They still didn’t do anything.”
Not all manufacturers are complacent, of course. Many are working with their suppliers to develop firmware patches and provide them to their customers. It’s a team effort, and Jonathan Langer, CEO of Medigate, says, “It’s a huge problem.” The logistics of updating patches is one issue. Manufacturers may not push automatic patch installation, and customers may not have the time or willingness to install patches themselves, particularly if installation requires taking the device out of service temporarily. The other issue is the fear that installing a patch will alter the device’s operation. In commercial labs, managers may be concerned that updating legacy equipment could cause it to require revalidation. “These are valid concerns,” says Jessica Wilkerson, cyber policy advisor, Center for Devices and Radiological Health (CDRH), FDA.
The FDA is co-leading the legacy device task group under the Healthcare Sector Coordinating Council. “The task group has about 50 different members and meets multiple times each week to discuss issues related to current and future legacy devices,” Wilkerson says. “Current legacy devices” are those already deployed, she explains. “Those discussions include whether current best practices address the unique concerns of legacy equipment, as well as post-market concerns and clarifying terminology.” The meaning and usage of “end of support” versus “end of life” is one example.
“Future legacy devices” she says, are devices that will be deployed eventually. Discussions here center on ways to make the devices more resilient to cyberattack and to find ways to repair their function more quickly after attack. A simple example related to resilience is to design devices with user-configurable passwords.
From a manufacturer’s perspective, the FDA, however, only requires resubmission of a 510(k) notification when the software or firmware update significantly changes the device. Notifications are not required for cybersecurity patches, according to the FDA Guidance for Cybersecurity for Networked Medical Devices Containing Off-the-Shelf (OTS) Software. That means users and manufacturers can install security patches to their devices without fear of needing revalidation or of altering the device’s function or results.
Ripple20, one of the latest threats, offers a case in point. It is designed to exploit 19 vulnerabilities in the TCP/IP stack—the communication protocols used to access compute networks—created by Treck Inc. If an attack is initiated, it could cause denial of service, information disclosure to unauthorized parties, or execute codes embedded in the malware. The malware could cause devices to reboot or switches to operate improperly, or use devices to host man-in-the-middle attacks (compromising the device so it intercepts communications between trusted sources).
In response to the Ripple20 malware, medical device manufacturers, including Baxter and Smiths Medical, recommended isolating devices using the Treck TCP/IP stack from other hospital networks and using secure wireless network protocols (such as WPA2 or EAP-TLS) to minimize the risk of unauthorized access to the network. Smiths Medical also recommends establishing a virtual private network (VPN) for devices that lab personnel access remotely.
The National Institute of Standards and Technology released its final guidance for securing internet of things (IoT) devices in the summer of 2020. NISTIR 8259A, the Core Cybersecurity Feature Baseline for Securable IoT Devices—“Core Baseline,” for short—is a starting point for users and manufacturers. Compliance is voluntary.
The Core Baseline’s applicability to lab mangers is mainly in its recommendations when purchasing connected devices. Whether the device is an IoT-enabled lab freezer, a liquid handler, or a coffee pot, it should include these features or capabilities:
- Identification: It should have a unique address on computing networks.
- Configurability: A lab manager should be able to change or update its security software and firmware configuration.
- Data protection: Encryption or other data protection methods should be embedded into the device to protect it from unauthorized modification.
- Limited network interfaces: Devices should require user authentication to access the device, thus limiting their access to the local and wide area networks.
- Software and firmware updates: A secure, configurable way to update the software and firmware should be available, whether automatic or manual.
- Event logging: Cybersecurity events should be logged by the device to alert lab managers to vulnerabilities and to enable forensic analysis if hacked.
Finding devices with those cybersecurity features is getting easier. “We have seen an increase in the maturity of medical device manufacturers and health care delivery responses in cybersecurity,” says Wilkerson. “Unfortunately, we have found no way to make a 100 percent secure device. If the device is using software and is connected to the internet, even for maintenance, there is a risk.”
Hackers are trying to find the weakest link. That often means an unprotected device that, once linked to a network, allows hackers inside. “Installing patches when they come out is highly recommended, but not all vulnerabilities have timely patches,” Langer explains.
Therefore, he advises protecting your lab with a “zero-trust” cyber environment by segmenting it from the wider institutional network. “In a segmented environment, the hacker might penetrate the network firewall, but would be locked out from other segments of the network,” he explained.
To ensure your lab remains secure, contact your organization’s IT specialists to talk about ways to reduce your lab’s threat exposure. Topics of discussion may include updating security configurations on individual devices, closing unused firewall ports, establishing a lab VPN, and updating firmware and software on lab devices and also on the personal devices that, increasingly, are used to access labs remotely.
“Assess your risks constantly, and determine where you can assume risk and where you can’t,” he adds. “Threats are increasing.”
Last year alone, more than 20,000 new vulnerabilities were reported, and most don’t make the news.