It's not easy to place a recall on implanted medical devices. Imagine what that could look like for someone with a pacemaker. Consider the consequences of a vulnerability that allows a malicious actor to take remote control of a device like this. The outcome could be devastating. Manufacturers need to test devices for safety and error reporting, but they also need to ensure that the devices are secure against cybersecurity risks introduced by people, such as a missed software or firmware update.
Did You Know?
Have you thought about how your medical device could be exploited from a cybersecurity perspective? The vulnerability in Medtronic's MiniMed 508 and MiniMed Paradigm insulin pumps could have allowed a bad actor to over-deliver insulin to a patient or even stop insulin delivery altogether. Anything from CAT scanners to MRI machines can have security vulnerabilities that are overlooked. Hospitals and medical facilities are full of interconnected devices and machines, often communicating with the cloud. As our world becomes more interconnected and we continue to add new Internet of Things (IoT) devices, we introduce new security risks.
There's a lot more at stake with these types of vulnerabilities than the breach of patient records alone. Patients' immediate safety and health are vulnerable to an attack as well. Do you remember in 2017 when the U.S. Food and Drug Administration (FDA) required almost 500,000 patients with pacemakers to install a software patch to protect themselves from discovered vulnerabilities? Even though the FDA has stringent guidelines and regulations for cybersecurity, just "checking the box" is not enough to protect your company, especially when patients' lives are at stake.
Where are We Failing?
Some of the common risks include:
- A company relies on a secured network but leaves its data unencrypted. Remember to always use a multi-layered approach to security: no single control should be the only thing standing between an attacker and a device.
- Postponing backups and updates is a bad idea. Doing so leaves you exposed to vulnerabilities that have already been discovered and disclosed.
- Avoid using "super user" accounts or hard-coded passwords. Apply the principle of least privilege and back that up with two-factor authentication.
What Can You Do?
Use proper authentication processes and follow the cybersecurity best-practices guide included with the software. Before purchasing a device and deploying it to your facility, review the software libraries and firmware that were used in its design.
Perform security testing on medical devices, including wireless, internet-connected, network-connected and USB-connected devices. TechGuard offers this type of testing, and our experts evaluate these technologies using the Open Web Application Security Project (OWASP) Top 10 framework in conjunction with the FDA Guidance Document for the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (Docket Number: FDA-2018-D-3443). This assessment provides recommendations regarding the cybersecurity risk to the device.
What is Vulnerable to Attacks?
Think of all the common things that are used in hospitals, such as infusion pumps, imaging scanners, implantable medical devices, insulin pumps, pacemakers, etc. All of these devices connect to other systems, creating potential vulnerabilities. The WannaCry malware attack in 2017 affected over 80 hospitals in the United Kingdom's National Health Service. Even when attacks are not intended to target medical devices, the devices can still be affected. This is especially true when legacy equipment is running on old operating systems.
TechGuard offers security testing and has found a way into these types of devices first-hand. Thankfully, the client was proactive and hired us as their "ethical hacker" before the bad guys found a way to exploit the vulnerability. Cybersecurity needs to be a priority for companies manufacturing these types of devices, and equally for hospitals and medical facilities bringing in new equipment or testing their current equipment for security.