The Unique Cyber Vulnerabilities of Medical Devices
Cyber attackers love medical data. It’s rich in personal information, from the mundane, such as Social Security Numbers and other personal identifiers, to the more obscure, such as health information relating to diagnosis and disease. This information is enormously useful to fraudsters, who can use it to do anything from creating fake IDs to submitting false insurance claims. Medical records go for anywhere from $100 to as much as $1,000 on the black market. And medical institutions are remarkably bad at keeping them safe.
A report from earlier in the decade indicates that 90% of hospitals were targeted by cyber attackers in the preceding two years. And 17% of those attacks were facilitated through Internet of Things (IoT) devices. Eighty-two percent of hospitals sustained an attack facilitated through such a device according to a 2019 survey. An average hospital room may have as many as 20 connected devices vulnerable to hacking.
Approximately 385 million patient records were likely exposed in data breaches between 2010 and 2022, according to the Department of Health and Human Services.
According to healthcare data security firm CloudWave (formerly Sensato), medical devices have an average of 6.2 vulnerabilities each. And more than 40% that are in use are at the end of their life cycles and thus do not receive regular security upgrades. Some 53% have known critical vulnerabilities, according to the FBI.
This problem is complicated by the evolving definitions of what actually constitutes a medical device: now, we must consider the software systems that connect them to larger databases. This phenomenon has earned a new label — software as a medical device (SaMD). These devices are now part of a larger network and may provide entry points that are easily exploited. Now, new FDA rules have come into force — perhaps mitigating the worst of these vulnerabilities.
Here, InformationWeek investigates the vulnerabilities of medical devices and how they can be addressed, with insights from Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group.
Why Are Medical Devices Vulnerable?
As a result of their unique functionalities, which require an interface between the human body and computerized systems, medical devices are a tempting target for cyber attackers. We have moved beyond the IoT to the IoB — the Internet of Bodies.
These devices often lack the security protocols built into other medical systems — and may in fact allow entry into those systems as a result. These crucial machines connect to internal hospital networks and to the internet at large — even to mobile phones.
Much of the focus in press and research reports has been on nightmare scenarios in which devices themselves could be hacked. Indeed, this has proven to be remarkably simple in experimental penetration tests.
Any number of implantable medical devices may be susceptible: cochlear implants, bladder stimulators, insulin pumps and glucose meters, intracardiac defibrillators, intrathecal pain pumps, nerve stimulators, and pacemakers, among others. These may be closed loop, in which all functions are automated, or open loop, in which humans are able to exert some level of control over their function.
Compromise of these devices could result in inaccurate readings of healthcare information, overdoses of drugs, and even the delivery of electric shocks at the wrong time.
The vulnerability of these devices is in some respects a consequence of their design. Because they must be small and lightweight to avoid impeding other bodily functions and to extend battery life, the space for security hardware is very limited. As a result, many have negligible data encryption functionality.
Some may be vulnerable to simple radio signal interference. The radio frequencies that wirelessly transmit data may even be publicly available in the manuals that come with the devices, potentially allowing malicious parties to intercept or disrupt them.
The prevailing belief in the industry was, until recently, that these medical devices constituted a low risk to security. Thus, budgets for security features were minimal and most devices did not have built-in security features due to the expense of creating them.
A study of nearly 5,000 medical devices that included a software component found that only 2.13% of their manuals included any cybersecurity content.
Devices may also be entry points to database servers and web servers. Devices connected to database servers are prime targets for structured query language (SQL) injections. These types of attacks are, ultimately, the greater threat.
“If you have a glucose meter that can only talk to your phone using Bluetooth, that’s one thing. If that glucose meter now has the ability to report into a centralized environment, it’s got a different set of risks,” Mackey observes.
While the frightening potential for attacks against individuals remains a concern, it is far more likely that attackers are after the large and lucrative caches of personal information housed in healthcare databases.
“If they can get that data, then that allows them to go down a monetization path,” Mackey says. “The collateral damage thus far tends to affect healthcare operators. If I can do something to a hospital system, that has more value than if I go after an insulin pump.”
Have Medical Devices Been Breached?
Numerous penetration tests have demonstrated the vulnerabilities of medical devices. A 2008 paper described the successful reverse engineering of an implantable cardioverter defibrillator using a software radio and an oscilloscope. The transmissions between two components of the device are typically unencrypted. Former vice president Dick Cheney had his defibrillator’s wireless function turned off in 2007 for precisely this reason.
In 2011, a threat intelligence analyst tested the vulnerabilities of his own insulin pump and glucose monitor. He found that both could easily be controlled by devices that could be purchased online. Another study that year found similar vulnerabilities — and also discovered that the devices were susceptible to eavesdropping.
In 2015, a surgical robot was experimentally hacked. The results showed that some functions could be interfered with or taken over, creating major risks for patients.
A 2016 paper describes the potential effects of hackers taking control of devices used for deep brain stimulation (DBS), often implanted for movement disorders. These range from simply disabling the device, thus causing the patient impairment, to more sinister effects, from the alteration of impulse control and emotional processing to the induction of pain.
Even seemingly innocuous devices, such as the Owlet Smart Sock, a wearable heart monitor for infants, have proven susceptible to attacks. The transmissions from the monitor were unencrypted and easily controlled by other users. The product was ultimately taken off the market in 2021.
Device manufacturers have become more attentive to these vulnerabilities. In January 2023, Insulet revealed that an incident had exposed the IP addresses of its Omnipod DASH® insulin pump users. In February 2023, medical device manufacturer BD released a bulletin revealing that one of its infusion pumps had a password vulnerability that might allow access to personal information. A month later, ZOLL Medical acknowledged that the addresses, birthdates, and Social Security numbers of 1,004,443 individuals had been compromised due to a vulnerability in its LifeVest® cardioverter defibrillator product.
The FDA maintains a system of alerts for known vulnerabilities, which range from very minor to life-threatening. In September 2023, for example, the agency issued an alert regarding the Medtronic MiniMed 600 Series. The insulin pump’s communication protocol was found to be susceptible to attack and could potentially deliver too much or too little insulin.
While many of these vulnerabilities have been discovered under experimental conditions that did not directly affect patients, there have been cases where medical devices were hacked in the real world. These concerns are far more exigent.
“If I have an issue with my glucose meter, that’s me, and probably a few other people who are similarly configured,” Mackey says. “But if you have a CT machine go down, all the patients in that facility are affected until the machine is fixed, so the scope is bigger. And if it’s something that’s more systemic, then you’re in a situation where multiple health hospital systems could be down for this type of treatment at this point in time. That’s a big deal.”
In 2010, 122 medical devices administered by the Department of Veterans Affairs were breached, leading to the exposure of personal information. The 50,000 devices under the department’s administration were then disconnected from the larger network and restricted to virtual local area networks (VLANs).
Attacks on medical networks themselves can affect devices, too. The 2017 WannaCry attack caused major disruptions to the UK’s National Health Service, locking staff out of important devices, including those used in blood analysis and MRI equipment.
And in 2019, a Georgia hospital was hit by a ransomware attack that severely disabled its diagnostic capabilities. A baby delivered during that time later died because devices that would normally have been used to assess its status were not functional, according to a lawsuit filed in the aftermath.
What About Legacy Devices?
“Tech debt” is accrued when outdated devices or software remain in use but are no longer supported by manufacturer updates or maintenance. And it stacks up quickly in medical devices. Some may remain in use over the span of decades.
Especially in the case of implantable devices, repair and adjustment are impractical. Are patients with cardiac devices inside their chest cavities expected to schedule surgeries to ensure that the devices’ outdated software can be replaced? Most likely won’t due to the risk — and thus take on a different kind of risk because their devices are not secure.
The fact that some devices do not allow anyone besides the original equipment manufacturer (OEM) to make repairs presents further challenges. And their extensive lifespan offers hackers generous opportunity to discover vulnerabilities, which will only increase as software updates taper off. While it is not usually the case with newer technology, some devices were not even designed with internet connectivity capabilities in mind.
Regulatory oversight here is minimal.
“You may have some oversight from a post-market perspective,” Mackey says. “But you’re also probably going in and updating the software to do new functions. And it’s when those new functions come in that that legacy system will get its update and then some elements of this will become in scope, and you’ll see additional scrutiny.”
When possible, devices should be replaced prior to their end of support (EOS) date. In cases where this is not possible, compensating controls should be investigated.
What Can Be Done to Secure Devices?
While even newer devices remain vulnerable to attack, some common-sense steps may help to prevent the compromise of medical devices.
Healthcare providers should ensure that users protect their devices with passwords that are known only to them and to trusted parties. Some older devices had hard-coded passwords that could not be changed, though that is usually not the case now. Medical devices should only be connected to systems that are themselves secure, ideally in a medical setting. Personal electronic devices such as phones that connect to these devices should themselves be secured by password protection and antivirus software.
Manufacturers need to assiduously notify healthcare providers and their patients of necessary software updates, patches, and potential hardware deficiencies as well. It is helpful if patients register their devices with the manufacturer to ensure that they receive these notifications. These notifications need to be communicated in a concise and easily understood fashion: users are less likely to act on obscure or technically worded notifications. They should clearly communicate what the user needs to do and whether they need to do it with the assistance of a medical professional.
At the same time, healthcare providers need to maintain inventories of which devices are used by their patients and offer support as needed. Providers should also attend to their procurement procedures and only use devices with appropriate security features when possible. They should check to ensure that device users remain informed and follow up to make necessary adjustments for both physical safety and protection of data. Devices that have reached EOS should be isolated from the network and only accessed as needed.
Technology that limits the potential for attackers to access devices is improving. The distance from which information from the device can be read has diminished, making it less likely that a malicious party might be able to harvest it using easily available technology. Body-coupled technology, which uses the body itself as a transmission medium, may help to ensure that only specific readers can access the devices.
Imposing an overall risk management strategy can also be helpful. An inventory listing when information from these devices is downloaded, where it is stored, who has access, and where it might be transmitted can help in ensuring that it is protected — and that, if a breach occurs, a full accounting for the exposed material can be conducted.
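The inventory, EOS and data-accounting recommendations above can be checked mechanically. The following is an added example, not code from InformationWeek or Synopsys; the field names, segment names, the one-year warning window and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class Device:
    asset_id: str
    model: str
    eos: Optional[date]      # manufacturer end-of-support date, None if unknown
    segment: str             # network segment the device is attached to
    data_store: str = ""     # where data downloaded from the device is kept
    data_access: list = field(default_factory=list)  # roles allowed to read it

# Assumption: segments this site treats as isolated (for example a dedicated VLAN).
ISOLATED_SEGMENTS = {"vlan-med-isolated"}

def audit(devices, today, warn_days=365):
    """Return sorted (asset_id, finding) pairs for devices that need action."""
    findings = []
    for d in devices:
        if d.eos is None:
            findings.append((d.asset_id, "EOS date unknown: ask manufacturer"))
        elif d.eos <= today:
            # Past EOS is tolerated only when the device is already isolated.
            if d.segment not in ISOLATED_SEGMENTS:
                findings.append((d.asset_id, "past EOS on shared network: isolate"))
        elif d.eos - today <= timedelta(days=warn_days):
            findings.append((d.asset_id, "EOS within window: plan replacement"))
        # Without storage and access records a breach cannot be fully accounted for.
        if not d.data_store or not d.data_access:
            findings.append((d.asset_id, "data storage/access not recorded"))
    return sorted(findings)

# Constructed sample inventory; asset IDs, models and segments are made up.
SAMPLE_TODAY = date(2024, 1, 15)
SAMPLE = [
    Device("A-001", "infusion pump", date(2021, 6, 30), "vlan-clinical", "ehr-db", ["nursing"]),
    Device("A-002", "patient monitor", date(2020, 1, 1), "vlan-med-isolated", "ehr-db", ["nursing"]),
    Device("A-003", "glucose meter hub", date(2024, 9, 1), "vlan-clinical"),
    Device("A-004", "CT workstation", None, "vlan-imaging", "pacs", ["radiology"]),
]

if __name__ == "__main__":
    for asset, finding in audit(SAMPLE, SAMPLE_TODAY):
        print(asset, "-", finding)
```

Run on a schedule against the real asset register, a report like this turns the EOS date into a budgeting input well before a device falls out of support.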
Penetration and escalation exercises should also be conducted by medical institutions that administer these devices. By proactively identifying where attackers might be able to access and utilize devices to enter medical databases, appropriate solutions can be devised before anything actually happens. These mitigation procedures can then be built into the budget so they do not become emergency costs down the line.
Device manufacturers may also benefit from information sharing programs. By integrating information from the wider industry into their designs, they can improve security from the outset.
The increasing demand for security of these devices will have ramifications outside of the manufacturers themselves. Many of them use software that was not expressly designed for medical devices, for example. But the increasing regulation in the medical landscape will almost certainly force the manufacturers of that software to recognize the potential problems that their products might cause.
“It will be an awakening for first order suppliers,” Mackey predicts. “They will start understanding what this regulatory landscape looks like. After they pull their hair out and run around like a cartoon chicken for a little while, they’ll realize that this is a big deal, and there’s a real reason behind it.”
“There’s now clear line of sight. You know what the software is and what the threats are,” he adds. “Those third parties are going to be playing the same ballgame.”
The FDA Cracks Down
Prior to this year, the regulations governing medical device cybersecurity have been piecemeal and somewhat unclear. Increasing awareness has led to the development of regulations administered by the US Food and Drug Administration that may help plug the worst holes in a highly permeable digital system.
“Their inflection point actually occurred back in 2014 when hospital systems started to be attacked, not necessarily directly but as collateral damage as a result of Windows vulnerabilities or ransomware in hospitals,” Mackey reports.
Most regulatory action was previously aimed at the post-market effects of vulnerable devices. The new regulations, while far from comprehensive, take a broader view and incentivize pre-market, preventative approaches.
The Consolidated Appropriations Act, passed in December 2022, included section 3305, Ensuring Cybersecurity of Medical Devices. This section amended the Federal Food, Drug, and Cosmetic Act. The FDA began enforcing the requirements in October.
Notably, manufacturers of new devices must “monitor, identify, and address” post-market cybersecurity vulnerabilities. They must also have a plan to identify vulnerabilities on a regular cycle and regularly update and patch software. Further, they must also offer a software bill of materials — meaning that any software used to operate the device must be explicitly identified. Failure to do so may mean delays in bringing the device to market.
“The FDA is straddling the more traditional IT security world and the product security world in terms of patient health delivery,” Mackey says.
While these new rules tighten the constraints on new devices, they remain imperfect and vulnerable. The responsibility will remain with both manufacturers and healthcare providers to ensure that patients who need these devices are adequately protected.