Locked Down
By Keith Loria
Radiology Today
Vo. 21. No. 1 P. 18
Vendors are implementing the latest cybersecurity features to protect DR data.
Cybersecurity is about protecting the “CIA” triad—confidentiality, integrity, and availability. In a DR medical device, this means protecting the patient data stored on the device, ensuring data are not maliciously altered or corrupted, and ensuring that the medical device is always available to perform its intended function.
Michael LaLena, chief information security officer, product security with Carestream, says cybersecurity in medical devices starts with securing the design.
“It’s important to consider cybersecurity from the beginning of the product design and through the lifecycle of the product,” LaLena says. “An important step is to harden the system. This includes removing or disabling any components that aren’t necessary, using a firewall to block any unnecessary connections, and installing the latest security patches.”
From there, it’s necessary to encrypt data as they are stored on the system drive or transmitted over the network and upgrade user security, which requires unique user accounts with strong passwords and multifactor authentication, least privilege, and centralized audit logging and monitoring. A final step is whitelisting, which specifies which programs may run on the system. Anything not listed may not run; this helps to minimize malware risks.
LaLena says customers expect that their DR systems should last 20 years or more, but this requires providing upgrade paths, keeping them up to date with the latest operating system and security features.
“When DR systems were first released, security was about creating an impenetrable black box,” he says. “The device manufacturer hardened the system; the customer trusted the manufacturer that the system was secure.”
Today, it takes not only trust but also concerted effort by all involved to ensure that cybersecurity features are consistently doing their job. According to Michael McNeil, head of global product and security services for Philips, as medical devices and their connectivity have become more critical, they have also become more complex, especially in the past five to seven years.
“This period has seen even more sophisticated and aggressive cyberattack capabilities emerge, both from individual attackers and nation-state–sponsored entities,” he says.
Industry Response
The medical device industry is among the most heavily regulated in the world, with the FDA and its counterparts in the International Medical Device Regulators Forum adopting more stringent and comprehensive new regulations for product cybersecurity.
Joe D’Antonio, senior director of product management and marketing for X-ray products and women’s health at Siemens Healthineers North America, says the company has invested in providing cybersecurity tools and features in its products. Siemens recently introduced VF 10 software for the company’s Luminos Agile Max, Luminos dRF Max, Multix Fusion, and Mobilett Elara Max X-ray systems.
“It’s important for our customers to maintain a safe and healthy cyber environment to protect their assets, data, and reputation,” D’Antonio says. “For any equipment touching the internet or the cloud, it’s important that security is maintained.”
Over the past 18 to 24 months, Siemens Healthineers has been delivering systems from its production line and offering upgrades to customers with existing systems to meet demand for updated cybersecurity systems. The company provides cybersecurity features such as password protection; role-based security so that only people with the correct access can use it; whitelisting, which only allows approved software to run on the device and blocks unauthorized software; and encryption capabilities to prevent access to the hard drive if it falls in the wrong hands.
“Another feature prevalent on our system is 90-day hot fixes. It’s an ever-changing environment in cybersecurity, so every 90 days you’re going to get the latest virus pattern and updates to the software,” D’Antonio says. “Siemens Healthineers also has advanced feature functions, which involve integration to the active directory so you can maintain users and access, quickly and conveniently.”
Dan Megalo, Carestream’s product cybersecurity engineer, says the company’s product security program started in 2003, with a focus on stopping hackers.
“In today’s cybersecurity, the assumption is the attackers will always find a way in. Detecting and responding to attackers is critical, and a closed black box doesn’t provide the visibility required to allow for this,” he says. “Therefore, Carestream has redesigned its devices to be more open and accessible by customer IT departments, while still maintaining confidentiality, integrity, availability, and safety controls.”
Carestream DR systems, he says, are designed with security in mind from the beginning of the development lifecycle.
“A formalized risk management process is used to identify, prioritize, and remediate vulnerabilities in all components of the system,” Megalo says. “This risk management continues after the device is delivered to the customer through a postmarket security program that evaluates and verifies security updates before they are delivered to the device in a secure fashion.”
McNeil notes that by using a secure system development lifecycle (SSDLC) to develop all of its products, including radiology hardware and software, Philips works to protect personal health information and personally identifiable information from potential threats. Leveraging this methodology, security requirements and controls are addressed at each phase of the SSDLC, including the use of product security risk assessments, privacy assessment processes, static code analysis, third-party software bill of materials analysis, ethical penetration testing, and continuous product security training across the Philips organization.
“While tools and processes are key to the Philips SSDLC, ‘security by design’ is a mindset that requires an end-to-end approach that begins with architecture and high-level design, which progresses through to coding, testing, and postmarket support,” McNeil says.
He adds that Philips’ end-to-end product security program addresses cyberthreats through adoption of industry-standard frameworks in keeping with the latest threat landscape; a software development process aligned to the secure software development lifecycle; ongoing vigilance to measure security effectiveness and continuous adoption of industry best practices; access management, such as password management, “least privilege access” principles, with role-based access control; secure communication and strong encryption; and responsive patching of operating systems, applications, and certificate authority to allow encrypted communication between devices.
“Enabling the safe and secure sharing of clinical information to expedite patient treatment is a priority of Philips’ product security program,” McNeil says.
Cybersecurity Challenges
The challenge with linking cybersecurity features and DR, D’Antonio says, is finding the correct balance between maintaining a robust cybersecurity infrastructure and not impeding the workflow or patient access for the primary function of the equipment in the hospital.
“Finding the balance between the clinical user and the IT user and having them come to some agreement in order for them to maintain a healthy and safe cyber environment for their assets is key,” he says.
Product security is a shared responsibility between the manufacturer and the customer that includes device monitoring, end-user training, and physical security.
“Cybersecurity is as much about detecting and responding to attackers as it is about preventing against attacks in the first place,” LaLena says. “Device manufacturers need to work with the customer IT departments so that DR systems are properly monitored, allowing for a quick response and rapid recovery, if necessary.”
Device manufacturers should also communicate vulnerabilities to customers in a timely fashion so that they may be remediated. For health care, this communication should be through the Health Information Sharing and Analysis Center, or H-ISAC.
A key challenge related to cybersecurity for radiology solutions lies in securing the systems to prevent malicious activity while diminishing the speed and capability of the system’s features to the least degree possible. Speed and accuracy of diagnosis lead to more effective treatment because patients benefit from information sharing between radiologists and their colleagues.
“Implementing cybersecurity controls must be efficient as well as effective and must not slow down this process while maintaining solution performance and network protection,” McNeil says. “If security features such as encryption and decryption of all inbound and outbound system traffic, antivirus scanning, and endpoint protections are not optimized for solution performance, there is a potential for system slowdown.”
DR systems that aren’t protected face dangers that could greatly impact the job they are designed to do and the care that patients receive.
“From a vulnerability perspective, there’s always a potential for loss of data and the potential of downtime due to having to update or repair vulnerable equipment,” D’Antonio says. “That could be the result of someone finding an open system that they can hack into and do something that’s unintended for that environment.”
Securing the Digital Environment
Megalo says zero-day—newly discovered—vulnerabilities and malware require a rapid response, and it has been determined that there is no feasible way to qualify a security patch and then install it on tens of thousands of devices in less than a day.
“The best response is to harden the device and mitigate vulnerabilities before the product is shipped,” he says. “No security program is perfect. Cybersecurity is a tradeoff between security and the usability of the device. For example, extremely long and complex passwords are more secure but take longer for users to enter.”
Radiology hardware and software systems are only as strong as the controls they have in place, whether technical, physical, or operational. Optimal protection for radiology systems includes overlapping protections to minimize the threat from both remote attackers and unauthorized users with physical access to the device and/or network, as well as social engineering vectors.
McNeil says Philips works with its customers to help protect systems in the context of the environment in which they are used. In addition to the security by design features of its products, installations and instructions for the secure operation of systems are intended to maximize protection from potential external and internal channels of vulnerability and mitigate the possibility of system or network compromise.
“As part of this collaborative commitment to medical device security, Philips has [created] a publicly accessible Coordinated Vulnerability Disclosure program, with defined processes to voluntarily and proactively communicate potential security issues and their resolution,” McNeil says.
Looking ahead, D’Antonio feels the industry will continue to investigate ways to secure a safe environment, without encumbering the primary use of the device, while enabling end users to more efficiently update systems.
McNeil says a potential high-level future concept under consideration industrywide may be emerging in the area of intelligent end point protection (IEPP).
“As part of a possible next-generation development in medical device protection, IEPP concepts are exploring the possible use of AI and machine learning algorithms to identify even previously unknown threats, before they can attack or compromise a system, and develop mitigations,” McNeil says.
— Keith Loria is a freelance writer based in Oakton, Virginia.