Medical devices are becoming the target of cyberattacks, learn what we can do to protect them.
Medicine is one of the most tightly regulated industries in the United States. Companies spend billions of dollars on R&D and clinical trials to prove their drug innovations and medical devices are fit for market. This is great for the consumer, they are assured whatever medicine they are taking is safe and effective, but what about the hidden risks unaccounted for?
As technological capabilities increase along with the proliferation of embedded systems and IoT, cybersecurity is becoming a very real risk for the medical industry.
Why Should We Care?
We have all likely heard of large scale cybersecurity incidents such as the Equifax data breach in July 2017 and the more recent Spectre and Meltdown exploits. These are merely the tip of the iceberg when it comes to the kind of damage attackers are capable of inflicting to.
More consistently, we are seeing connected systems such as medical devices being the target of exploits. In early February 2017, it was announced that St. Jude Medical released a patch for their Merlin@home transmitters that were found to be vulnerable to man-in-the-middle attacks. This came in the wake of a report released in 2016 by Muddy Water Capital claiming that a wide array of pacemakers and other devices were vulnerable to attack.
These exploits if acted upon could compromise the security of millions of patient critical devices such as connected insulin pumps or pacemakers. It was found in one study that after it was compromised, a pacemaker could be tricked into delivering a lethal shock to the patient.
What Is Being Done?
As it turns out, for being such a tightly regulated industry, medical devices have somewhat lax regulations when it comes to their cybersecurity. This may be a product of the nascent nature of embedded systems in medical devices or a lack of ownership between the device manufacturer and regulatory bodies. As it stands, the Food and Drug Administration (FDA) works with the Department of Homeland Security (DHS) to ensure that all devices produced are able to protect themselves against a cyber attack.
In response to these threats, the FDA published a document titled Postmarket Management of Cybersecurity in Medical Devices which contains non-binding recommendation for medical device manufacturers. The report outlines risk management and remediation strategies for responding to a security incident.
In an FDA fact sheet relating to cybersecurity the administration claims, “Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity” (FDA Fact Sheet). The reality is patching only goes so far to protect systems. To effectively patch an exploit, the device maker must first identify the cause, develop a patch, and push it out to all devices in a short period of time. A difficult task.
What Should Be Done?
While securing a whole industry of medical devices may seem like an insurmountable task, there are a few easy ways we can start the process. First and foremost, individuals need to raise awareness that there is a problem in the first place. Many industry professionals and regulators may not see security as a priority because they do not fully understand what exploits are possible and the magnitude of the problem. Outreach and education to those in CISO, CTO, and engineering positions is a good first step to bring the issue to the forefront.
Another avenue to securing medical devices from cyber threats is to increase regulatory requirements for device manufacturers and clearly define responsibility for enforcement. This ensures both the regulatory bodies and the manufacturers are on the same page when it comes to cybersecurity.
Lastly, we can turn to new forms of security to lock down critical pieces of medical equipment. Hardware security solutions like Dover’s CoreGuard strike at the heart of the problem, securing devices at the processor level. This eliminates the need for a constant cycle of patching and provides piece of mind for our most important connected devices.
While the solution may be a combination of regulations, education, and technology, the fact stands that we must act to secure our most critical infrastructure from attack. Beginning the security conversation is the first step of the process.
Looking for more fresh content related to embedded system security? Try subscribing to the Doverlog!