The State of Security in Medical Devices (Healthcare) | Blog

Today, the healthcare industry is going through a rapid transformation. As we change the way healthcare is delivered by institutions and organizations, there is a growing risk of cybersecurity as we continue to leverage data, analytics, and connected devices.
Therefore, the responsibility falls on device manufacturers to take extra care and destruct any pathway for threats to users’ sensitive information. The question that arises is an important one- how can medical device manufacturers do that?

Before we explore, let’s look at the current state of cybersecurity in the healthcare space.

The Current Scenario of Cybersecurity in Healthcare and Medical Devices

Fresh research from Clearwater revealed the top three common security vulnerabilities in healthcare:

1. Deficient authentication process
2. Endpoint leakage
3. Excessive user permission and access

These three vulnerabilities account for 37 percent of all high-risk scenarios in the healthcare sector.
Misuse of credentials is another aspect of cybersecurity that continually threatens systems in all industries, including healthcare. When malicious users try to gain unauthorized access to any users’ data, whether by exploiting weak passwords or executing phishing attacks, they gain far greater access into further systems.

However, in the case of medical devices and their security, we are making some progress. Experts believe we have reached a state of increased awareness when it comes to medical devices security. And that the Food and Drug Administration, the Department of Health and Human Services, and device manufacturers are collectively working proactively in the area of improving the security of medical devices.

Challenges in Medical Device Cybersecurity

The FDA issued guidance for the security of connected medical devices in 2018 to encourage manufacturers to implement a set of designated practices that ensure the safety of medical devices from cyber attacks.

Still, a few challenges line the path of medical device security.

For any modern medical devices, a proper teardown process will be
necessary to estimate the security threats and attack costs. However,
this process is usually expensive and time-consuming.

Dr. Sergei Skorobogatov

• Legacy systems often pose an array of cybersecurity challenges that are hard to combat.
• Since medical devices have a lengthy development time, they often cease to be supported by their manufacturers soon after hitting the market. This makes regular maintenance and updating of security in devices hard.
• Even if security patches are made available by device vendors, it is a cumbersome task for hospitals to validate these updates.
• Also, when the validation is complete, it is a tricky challenge for hospitals to manage the deployment of a security patch which might be performing critical functions such as life support.

The role of regulations in Europe/USA

An overwhelming number of providers (96 percent) point toward device manufacturers for these vulnerabilities in medical devices, citing reasons such as obsolete operating systems and the inability to patch devices.

However, there is a major role of the regulations in countries such as Europe and the US in defining how cybersecurity is assured in medical devices. The FDA, among other steps, announced a memorandum of agreement with DHS aiming to execute a fresh framework for enhanced collaboration and coordination about device cybersecurity and threats in Nov 2018.

The FDA also released a medical device security action plan, which broadly consisted of the following steps:

• Establish a safety net for medical device patients.
• Explore regulations to streamline the implementation of security mitigations post the market phase.
• Spur innovation in medical device security
• Take action to improve the security of healthcare devices

The EU Medical Device Regulation lays down the following components with respect to medical device security:

• Risks associated with a negative interaction between software and IT.
• Design regulations to ensure reliability.
• Principles of development lifecycle including information security and validation.
• Design principles relating specifically to mobile devices.
• Minimum requirements concerning IT networks and hardware.

How healthcare organizations can minimize risk?

First off, healthcare organizations need proper visibility into medical devices in order to fully understand what these devices and capable of protecting them from and where they lack.

Then, organizations can take proactive measures to minimize this risk. Institutions can monitor these devices and check for anomalies when they behave differently. Early discovery of something amiss can help respond quickly- which comes as a huge benefit in cases of cyber attacks.

Organizations can make password requirement more stringent thereby improving the security of medical devices. Moreover, hospitals can have a dedicated network traffic analysis system to detect the point of entry of any malicious user and block them wherever possible.

Above all else, industry leaders and executives at all levels need to be invested in making medical devices and the healthcare industry in general, more secure.

Case in Point – Medical Equipment Breach – April 2019

Researchers in Israel developed malware to draw attention to serious loopholes in the security of critical medical imaging equipment used for diagnosis and the networks that transmit those images.

The malware researchers created would let attackers introduce realistic, malignant-looking growths to CT or MRI scans before doctors examine patients with them. Alternatively, the malware would also allow hackers to remove cancerous growth without detection, leading to possible misdiagnosis.

In a study that was not just theoretical, doctors carried out real CT lung scans, out of which, 70 were altered by the malware. Three doctors failed to spot the anomaly and misdiagnosed conditions every time.

This study was conducted only on lung cancer scans, but similar malware could invariably work for brain tumors, blood clots, heart diseases, and so on.

Concluding Words

There is a range of regulations and guidelines for manufacturers to follow both in the US and European law. However, it is up to governments, manufacturers, and vendors to collectively face this challenge and deal with it proactively.

Device manufacturers can do their part by:

• Implement incident reactive responses so that in cases of data breach, appropriate steps can be taken without wasting any more time.
• Ensure that device installers are completely educated about the related cybersecurity risks and know what controls to execute to manage risks appropriately.
• Review and track any changes to regulatory compliances in your country and internationally.
• Review the data life cycle in any medical device to know what stages the data will pass through and how it will be processed through the system.
• Create and manage a risk register that records all kinds of possible risks and their mitigation solutions.
• Ensure that the device software is up-to-date and robustly tested by an independent party, preferably.

By implementing a few plans and taking measures, device manufacturers can largely reduce attacks on medical devices and move toward a safer healthcare ecosystem.

Learn More about Medical Device Security:

Florian Grunow & Julian Suleder are two researchers from ERNW researching in medical device security. Their following resources will describe common problems in the environment, healthcare and common vulnerabilities in (active) medical devices.

Blog Posts:
– https://insinuator.net/2015/07/the-patients-last-words-i-am-not-a-target/
– https://insinuator.net/2014/11/scaleing-down-privacy/
– https://insinuator.net/2013/11/medical-device-security/

Whitepaper:
– https://ernw.de/en/whitepapers/issue-66.html

Recordings:
– https://www.youtube.com/watch?v=0BYrmbvrpiQ
– https://www.youtube.com/watch?v=1qCS3GJsKvo
– https://www.youtube.com/watch?v=0F_eScTUris
– https://www.youtube.com/watch?v=mUOnuxnFJu4
– https://www.youtube.com/watch?v=doLi3BN7kCQ

Slides:
– https://www.ernw.de/download/ERNW_CSA-No-Summit_Hacking_Medical_Devices_fgrunow.pdf
– https://www.dmea.de/media/cit/cit_dl_vortraege/archiv_votraege_2017/Grunow_Florian_-_IT-Sicherheitsrisiken_im_Krankenhaus_-_Erkennen_und_vorbeugen_Praesentation_2017.pdf
– https://www.troopers.de/media/filer_public/2c/03/2c03209f-1cec-47b0-b484-1a18fd43064c/troopers14-how_to_own_your_heart-hacking_medical_devices-florian_grunow.pdf

Want to learn more about hardware security?

One of the largest hardware security conferences Hardwear.io is calling all cybersecurity enthusiasts to the USA and the Netherlands this year. Attack and defend hardware components and learn more about how that can be done with extensive training programs.
Learn more about Hardwear.io here!

— Written by Divya Agarwal & edited by Pratik Ghumade for hardwear.io