Medical devices -- such as pacemakers, insulin pumps and MRI machines -- are increasingly vulnerable to hacking. As of today, however, there’s no federal mandate for those devices to have cybersecurity protections.
A government-backed coalition of hospitals and medical device manufacturers took matters into their own hands on Monday. They released a 53-page “joint security plan” outlining a slew of low-hanging fruit protections manufacturers should implement and hospitals should demand.
The plan released by the Healthcare Sector Coordinating Council — a liaison on security issues between industry and government — won’t alone fix the cybersecurity problems plaguing the health-care industry. It effectively amounts to a voluntary to-do list for manufacturers.
Still, the council's executive director Greg Garcia tells me it marks a sea change: Companies and hospitals are finally signaling they are willing to cooperate on fixing the problem, rather than saying it's the other's responsibility to fix.
“The big picture is this is truly a recognition that this is a shared responsibility,” Garcia told me. “The circular finger pointing should end.”
The plan is a sign the medical device industry and hospitals are unwilling to wait for Congress to catch up to the threats. Data theft and malware attacks have rocked the health-care industry in recent years, compromising patients’ data and even threatening their lives. The 2015 breach at health insurer Anthem compromised the information of nearly 80 million people, for example, while a 2017 wave of ransomware attacks locked up patient records at 16 UK hospitals, forcing them to divert patients who needed emergency care.
Cybersecurity researchers have also raised alarms about vulnerabilities in implantable medical devices that hackers could exploit to injure or even kill patients. Former vice president Dick Cheney famously had his internal pacemaker taken offline because of hacking fears.
Garcia himself acknowledges the new plan, which was drafted by about 60 medical organizations with the Mayo Clinic, the Food and Drug Administration and the medical device company BD in the lead, won't fix these vulnerabilities right away.
Yet it does advise manufacturers to describe to hospitals precisely how they’ll scan for new cyber vulnerabilities in their devices, how they’ll patch them and when. Manufacturers should also tell hospitals how long they’ll support devices by patching newfound vulnerabilities and when hospitals should plan for those devices to reach the end of their usable lives, according to the plan.
It comes one month after the coordinating council and the Department of Health and Human Services released a separate guide, basically outlining hospitals’ cybersecurity responsibilities, including what they should expect from device manufacturers.
“This begins to resolve the tension between medical device makers and hospitals,” Garcia said, “because device makers have not been building security in over the past several years and, meanwhile, hospitals have not been doing enough to secure their broader networks.”
There are four big reasons cybersecurity is lagging in the health-care sector, Garcia told me.
First off, regulations including the Health Insurance Portability and Accountability Act, a major privacy law, put strict limits around third-party organizations accessing patient data. That makes it difficult for device manufacturers to reach into hospital systems that hold that data to patch and update their software with new protections.
But, second, hospitals are often underequipped to patch the devices themselves, because they lack ready cash and work with far tighter profit margins than banks or major telecommunications companies. That means many smaller hospitals can’t afford chief information security officers — let alone full cybersecurity teams.
Third, many medical devices such as MRI machines are built to last a decade or longer, which means that even if they're built with cybersecurity in mind, they’ll be facing a whole new generation of hacking threats at the end of their life cycles.
Finally, criminal hackers started targeting health care later than other sectors, such as financial services, where stolen information could be converted more quickly into cash. When they did arrive, though, they came in force.
“Quite frankly, it caught a lot of the health-care sector flat-footed” when that changed about seven years ago, Garcia told me. “It was a bit of a slow-motion ambush.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Security researchers discovered an iPhone bug that allows users to call someone using FaceTime and listen in on their phone’s audio before the person has accepted or rejected the FaceTime call, 9to5Mac reported. And now Apple has turned off group chats on FaceTime, according to the Associated Press. "Apple’s online support page on Tuesday said there was a technical issue with the application and that Group Facetime 'is temporarily unavailable,'" the AP reported.
News of the bug quickly went viral on Twitter.
President Trump's former cybersecurity coordinator Rob Joyce, now at the National Security Agency, issued this warning:
iPhone users. Turn off FaceTime until Apple issues a patch for iOS and you install it. Claims of major privacy issue discovered. Go to settings. Scroll down to FaceTime (green icon with camera) and switch off. https://t.co/hIRukshaTE— Rob Joyce (@RGB_Lights) January 29, 2019
TechCrunch's security editor:
PATCHED: Sen. Amy Klobuchar (D-Minn.) and other Senate Democrats want to know how much damage the partial government shutdown inflicted on government computer networks. In a letter today to Homeland Security Secretary Kirstjen Nielsen and National Security Agency Director Paul Nakasone, the lawmakers ask about “any suspicious activity” that occurred during the shutdown and what measures the government took during the shutdown to prevent cyberattacks on federal agencies.
Klobuchar is leading the letter, which was shared with The Cybersecurity 202. It was also signed by Sens. Edward J. Markey (D-Mass.), Tom Udall (D-N.M.), Catherine Cortez Masto (D-Nev.) and Cory Booker (D-N.J.). The letter also notes that several Web security certificates used by federal agencies expired during the shutdown and asks DHS to work with other agencies to prevent that from happening in future shutdowns.
"Experts from multiple cybersecurity firms have warned that these lapses in cybersecurity provide an opportunity for adversaries and cybercriminals to carry out attacks against the U.S. government," the letter states, noting reports that Chinese hackers penetrated the Federal Elections Commission website during a 2013 government shutdown.
PWNED: The Trump administration continued its crackdown Monday on Chinese telecommunications giant Huawei, a company that U.S. officials have said could be a platform for Chinese spying. A 13-count indictment in New York charged Huawei, two affiliates and Meng Wanzhou, Huawei's chief financial officer, The Washington Post's Ellen Nakashima and Devlin Barrett reported. FBI Director Christopher A. Wray said that companies like Huawei “pose a dual threat to both our economic and national security, and the magnitude of these charges make clear just how seriously the FBI takes this threat.”
The indictment contains allegations of bank and wire fraud, and the company is also accused of violating U.S. sanctions on Iran and conspiring to obstruct justice, according to my colleagues. Another 10-count indictment in Washington State alleged that Huawei conspired to steal technical details about a phone-testing robot from T-Mobile.
Sen. Mark R. Warner (D-Va.), the Senate Intelligence Committee's vice chairman, praised the administration for the move. “It has been clear for some time that Huawei poses a threat to our national security, and I applaud the Trump Administration for taking steps to finally hold the company accountable,” Warner said in a statement. Sen. Roger Wicker (R-Miss.), the chairman of the Senate Commerce Committee, said in a statement that the “indictments of Huawei officials confirm the risk of China’s involvement in transformational, next generation technology.”
— The U.S. Court of Appeals for the 4th Circuit today is set to hear an appeal by Sharyl Attkisson, who in a 2015 lawsuit alleged that she was the subject of illegal government surveillance when she was an investigative reporter at CBS News, the Associated Press's Denise Lavoie reported. A federal judge had dismissed the lawsuit. Attkisson says that two computer forensics teams found unauthorized communications on her laptop connected to an IP address belonging to the U.S. Postal Service, "indicating unauthorized surveillance,” according to the AP. Attkisson made her allegations public in 2013 and filed a complaint with the Justice Department's Inspector General. “The FBI and DOJ publicly stated that they had no knowledge of any electronic surveillance of Attkisson or her family,” according to Lavoie.
— After the Federal Communications Commission was asked whether it would investigate the sale by AT&T, T-Mobile and Sprint of their cellphone users' location data to third-party companies, the agency said it is “going where the facts lead us” and added that it would not “comment publicly in the middle of an investigation,” according to a tweet from Motherboard's Joseph Cox.
— More cybersecurity news from the public sector:
— The European Union’s digital security agency said in a report that Iran will probably increase its cyber espionage operations as Tehran’s relations with Western countries deteriorate, Reuters reported. The agency, called the European Union Agency for Network and Information Security, also said that state-sponsored hackers are among the biggest threats to the E.U.’s digital security. “Newly imposed sanctions on Iran are likely to push the country to intensify state-sponsored cyber threat activities in pursuit of its geopolitical and strategic objectives at a regional level,” the agency’s report said, according to Reuters.
— Europol and its partners are targeting thousands of users of webstresser.org, a site for launching distributed denial-of-service attacks that law enforcement took down last year, according to TechCrunch’s Zack Whittaker. “As part of the collective law enforcement effort from the U.K., U.S., and many European partners in Operation Power Off, Europol obtained a list of its 151,000 registered users,” TechCrunch reported.
— More cybersecurity news from abroad:
- Senate Intelligence Committee open hearing on worldwide threats.
- Senate Armed Services Committee hearing on “Department of Defense enterprise-wide cybersecurity policies and architecture.”
- Senate Armed Services Committee hearing on China and Russia.
- BSidesPhilly cybersecurity conference in Philadelphia on Friday.
- B-Sides Tampa cybersecurity conference in Tampa on Saturday.