As medical devices become increasingly connected to the software infrastructure of hospitals and healthcare settings – the risk of a devastating cyber attack escalates. At the same time, cyber criminals are increasing the sophistication of their tactics and showing a growing willingness to exploit vulnerabilities that put patient data and safety at risk. In March, a cyber attack caused the shutdown of Change Healthcare’s billing and payments system, which impacted healthcare providers throughout the US. Meanwhile, in February an attack in Romania led to 79 healthcare facilities being forced to disconnect themselves from the internet.
While it isn’t possible to completely eliminate the cyber security risk of connected devices, too many of the medical devices we use have security vulnerabilities built-in due to poor design or inherited from 3rd party software. Security at the design phase must be made a priority, so the next generation of medical devices that come to market don’t pose a risk to the patients they are intended to support.
Medical device vulnerabilities
Medical devices are a part of complex networks that enhance diagnostics, treatment, and patient monitoring. This integration brings huge benefits to patients and advanced capabilities to assessors, but has also opened the door to the threat from cyber criminals.
An FBI notification in September 2022, warned that 53% of connected medical equipment and IoMT devices in hospitals have known critical vulnerabilities. A more troubling consideration is that nearly a third of bedside IoT devices are already at a level of critical risk. These include insulin pumps, pacemakers, wearable panic devices, and even medication dispensing machines. Serious injury, loss of life, system or data manipulation are all possibilities of a cyber attack on a medical device.
Moving away from dependence on detection and response
In the development of an innovative medical device there is a laser focus on the functionality of the device in a clinical setting and how the technology will transform patients’ lives. The most important thing is that the device does exactly what it is designed to do. The problem, however, is that with the focus on functionality, security sometimes becomes an afterthought. Those developing the software for a medical device often lack the skills and inclination to consider whether what they are designing might be vulnerable to cyber attack. The result is that medical devices come to market with vulnerabilities already built in, leaving the healthcare organisations that deploy them dependent on threat detection and crisis response.
This is not an issue exclusive to healthcare – it happens right across the software landscape. Developers are experts in creating software that delivers functionality for the customer, and the incentives are focused on getting the product to market. Security issues come into the picture later down the line when vulnerabilities are already baked-in.
The entire software industry needs to shift its focus, towards creating products that are secure-by-design.
Security-by-design
Between January and September 2023, the global healthcare sector fell victim to 241 cyber attacks – more than any other sector – according to research by technology research provider, Omdia. Cyber criminals recognise that exploiting a sector that is in the business of saving lives, is lucrative.
This threat has not been lost on regulators. The vulnerability of medical devices has become such a grave concern for US regulators, that an amendment to the Federal Food, Drug, and Cosmetic (FD&C) Act, which took effect in March 2023, introduced new rules for the approval of medical devices by the US Food and Drug Administration (FDA).
The legislation stipulates that to secure a license, any new medical device must be protected against potential cybersecurity threats and developed using security-by-design principles, including the use of a threat model.
Mitigation is key. Building security-by-design into the developmental process, from the early stages of development and at every phase in the process, has a number of benefits. Anticipating risk, identifying vulnerabilities and fortifying technology to protect against them before they happen is both logical and commercially beneficial.
In addition, using a threat model, not only allows you to identify and mitigate vulnerabilities, it provides a way of clearly demonstrating to regulators that risk mitigation has been built into the design process.
Developing a threat model for medical devices
Threat modeling involves a thorough analysis of the design of software, before the code is written, in order to be able to plan what security controls and features need to be built into it.
There are a number of different approaches to threat modeling, but fundamental to them all is analyzing the design of the system as a cross-functional team — development and security teams coming together to identify potential security and privacy issues and developing a plan to solve or mitigate them.
Threat modeling used to be a time consuming process. It was traditionally done with a group of people, developers and security professionals, getting together around a whiteboard. However, new technology has brought with it automated threat modeling. It is now possible to use automation to generate a comprehensive threat model detailing potential security threats and suggesting appropriate countermeasures.
One example of a countermeasure that all medical device developers should be looking at is software/firmware integrity checks during the boot process of a device. A component should perform checks to validate the integrity of the firmware and/or software prior while it is starting up. This will ensure that vulnerabilities are detected before a device is used with a patient.
At a higher level, medical device manufacturers should be incorporating zero trust, password-free authentication and One-Time Authentication Code (OTAC). OTAC provides secure authentication and a way of accessing a medical device in the form of a functional authentication process, rather than the user being prompted for a login input.
There is no silver bullet countermeasure, however. The most important defense strategy is to integrate security early on in the product life cycle. Understanding the designated environment, identifying clear scopes, responsibilities and software capabilities of the devices will provide a preliminary security design basis to define applicable threats and their corresponding countermeasures. This ultimately saves costs, and allows manufacturers to make informed decisions regarding security protocol.
With interconnected healthcare systems comes unprecedented benefits, but exposure to new cybersecurity risks can not afford to be ignored. Manufacturers must prioritize security-by-design and take a proactive approach to device development to secure the future of healthcare and safety of patients.
Utilizing a threat model allows you to both identify and mitigate the vulnerabilities of a connected device and demonstrate to regulators that you have done so.
Editor’s Note: Charles Marrow is Senior Lecturer Practitioner in Cyber Security at Anglia Ruskin University and Head of the Centre of Excellence in Embedded Device Security at IriusRisk