NIST's New Advice on Medical IoT Devices
28.8.18 securityweek Safety
Medical infusion pumps, which deliver medications to patients, are archetypal examples of the expanding attack surface created by connected devices. Connecting these pumps to clinical systems can improve healthcare delivery, but if they are not properly secured they could endanger the patient and expose the health delivery organization (HDO) infrastructure to intrusion.
Over the last few years, researchers have shown that many infusion pumps contain vulnerabilities. In May 2015, researchers found several flaws in Hospira LifeCare pumps that could lead to remote control. In October 2016, Rapid7 found four flaws in the Animas OneTouch Ping insulin pump, one of which could alter the dose and cause a hypoglycemic reaction in the patient. In September 2017, eight remotely exploitable vulnerabilities in the Smiths Medical Medfusion 4000 wireless syringe infusion pumps were patched.
NIST has now responded to these concerns by publishing SP 1800-8: Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (PDF). NIST's primary cybersecurity function is to develop standards and advice for federal agencies. Its 1800 Series, however, is a series of documents designed to present practical, usable, cybersecurity solutions to the cybersecurity community at large. Such documents do not describe regulations or mandatory practices, nor do they carry statutory authority.
SP 1800-8 applies "security controls to the pump's ecosystem to create a 'defense-in-depth' solution for protecting infusion pumps and their surrounding systems against various risk factors. Ultimately," it says, "we show how biomedical, networking, and cybersecurity engineers and IT professionals can securely configure and deploy wireless infusion pumps to reduce cybersecurity risk." It does this using standards-based, commercially available cybersecurity technologies that protect the entire HDO infrastructure.
The document offers "guidelines to better secure the wireless infusion pump ecosystem, such as the hardening of operating systems, segmenting the network, file and program whitelisting, code-signing, and using certificates for both authorization and encryption, maintaining the performance and usability of wireless infusion pumps."
Network segmentation is one of the key themes. It uses network devices such as switches and firewalls to divide a large complex network into a series of smaller subnetworks that can each be better defended. It implies only limited trust even within the organization's perimeter, with internal firewalls limiting access from one subnetwork to another to only trusted users or processes. Segmentation is an important method of preventing or limiting adversarial traversal within a corporate network. It will help prevent an attacker who has breached the wider attack surface of the network gaining access to the smaller attack surface of the medical device.
"For simplicity and convenience," says the document, "we implemented subnets that correspond exactly to VLANs. The routing configuration is the same for each subnet, but the firewall configuration may vary depending on each zone's specific purpose. An external router/firewall device is used to connect the enterprise and guest network to the internet." The segmentation was implemented with VLANs on Cisco switches.
Segmentation ensures that only known users or processes from a particular subnetwork can even attempt to reach the device, which is further protected by its own direct access controls.
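The zone-based, default-deny model described above can be expressed as a small policy check. The following is an added illustration, not code from NIST SP 1800-8 or from the Cisco build; the zone names, subnets, VLAN ids and allowed flows are constructed assumptions, chosen to mirror a pump VLAN that only the clinical pump-server zone may reach.

```python
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Constructed zone map: each subnet corresponds exactly to one VLAN, as in the
# NIST build. Addresses and VLAN ids below are assumptions for illustration.
ZONES = {
    "clinical_systems": ip_network("10.10.10.0/24"),  # VLAN 10: pump servers, EHR
    "infusion_pumps":   ip_network("10.10.20.0/24"),  # VLAN 20: pump Wi-Fi
    "enterprise":       ip_network("10.10.30.0/24"),  # VLAN 30: staff workstations
    "guest":            ip_network("10.10.40.0/24"),  # VLAN 40: guest Wi-Fi
}

# Inter-zone allow list as (source zone, destination zone, destination port).
# Any flow not listed is denied: the internal firewall is default-deny.
ALLOW = {
    ("clinical_systems", "infusion_pumps", 443),  # pump server -> pump (TLS)
    ("infusion_pumps", "clinical_systems", 443),  # pump -> pump server (TLS)
}

def zone_of(addr: str) -> Optional[str]:
    """Map an IP address to its zone, or None if it is outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def permitted(src: str, dst: str, port: int) -> bool:
    """Decide whether a flow may cross the segmentation boundary."""
    s, d = zone_of(src), zone_of(dst)
    if s is None or d is None:
        return False  # unknown address: neither a trusted source nor destination
    if s == d:
        return True   # same subnet: switched locally, never reaches the firewall
    return (s, d, port) in ALLOW

def sources_reaching(zone: str) -> Set[str]:
    """Zones that have any path into `zone`: the device's exposed attack surface."""
    return {s for (s, d, _) in ALLOW if d == zone}

if __name__ == "__main__":
    # Constructed flows: a pump server, a guest laptop and a staff PC all try the pump.
    for src, dst, port in [("10.10.10.5", "10.10.20.7", 443),
                           ("10.10.40.9", "10.10.20.7", 443),
                           ("10.10.30.9", "10.10.20.7", 22)]:
        print(src, "->", dst, port, "ALLOW" if permitted(src, dst, port) else "DENY")
    print("zones able to reach pumps:", sources_reaching("infusion_pumps"))
```

The last line shows the point of segmentation: an attacker on the guest or enterprise VLAN has no path to the pump subnet at all, so the pump's reachable attack surface shrinks to the one zone the firewall explicitly trusts.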
The basic concept of securing the entire HDO infrastructure in order to better protect wireless connected devices can be applied to more than just infusion pumps, and the document has been well received by the security industry. "Defense in depth is required and is common practice," comments Joseph Kucic, chief security officer at Cavirin. "Beyond the publication, I expect that the appropriate safeguards will include a barrier gateway that records access to update electronic medical records as to who accessed the isolated Controlled Wi-Fi and all actions are done from a controlled device to ensure an audit trail with an extra authentication layer that can be controlled independent of the user's or vendor's normal access privileges. Based on this publication with the mentioned additional controls this can function as a template for other such devices."
Rishi Bhargava, co-founder at Demisto, said, "The NIST SP 1800-8 is a good first step that guides healthcare organizations towards better, more proactive protection of their IoMT (internet of medical things) environments. Since internet connected devices span across multiple industries -- both conventional and upcoming," he told SecurityWeek, "these guidelines have taken the cogent step of mapping best practices with a range of other standards like HIPAA and NIST RMF."
This doesn't mean that everybody is entirely happy with NIST 1800-8. "I'm glad to see there is a guide by NIST addressing the security of wireless infusion pumps," says Chris Morales, head of security analytics at Vectra. "The risks are real as disruption in medical devices can lead to dire consequences. Hospitals quite literally are saving lives and uptime of medical devices is a life or death situation," he told SecurityWeek.
But he is surprised that this document does not appear to be in sync with NIST's larger project on IoT security. "While wireless infusion pumps are of particular interest due to their specific application in healthcare, the risks to the devices are the exact same as any IoT device; and the recommendations should be the same," he said.
Morales is concerned about one specific statement in the NIST document: "Our reference architecture uses Cisco's solution architecture as the baseline. This baseline demonstrates how the network can be used to provide multi-tiered protection for medical devices when exchanging information via a network connection... This section provides additional details on how to employ security strategies to achieve specific targeted protections when securing wireless infusion pumps."
There's nothing new here -- it's standard segmentation practice. But in assigning it to Cisco, he feels that, effectively, "Cisco helped write this document."
"The problem here," he told SecurityWeek, "is that segmentation has never worked in hospitals. Doctors and nurses require constant access to devices and these are not locked down networks, nor can they be. If a doctor cannot access patient health records or devices, it is again a life or death situation. It is a noble attempt, but it thus far has not proven viable in health care, nor perhaps any industry with a large IoT deployment that is critical to the business function."
He thinks that network segmentation is still important, but that it won't look the same as the traditional designs. "The three most important aspects of any IoT security strategy," he suggests, "will be device identification, network segmentation, and network traffic analytics. IoT becomes a big data problem with lots of devices producing huge amounts of data and a large amount of remote access. These deployments will need to be monitored in real time to identify the difference between approved and unapproved behaviors."