
Securing Medical Devices – Is it Possible?


Last month, the FDA issued a warning about software vulnerabilities on multiple medical devices, including infusion pumps, anesthesia machines, and imaging systems. These vulnerabilities allow threat actors to trigger information leaks, gain access to hospital networks and, most worryingly, remotely control the devices themselves.

Why is the Food and Drug Administration, of all organizations, talking about cybersecurity? It’s not just them. The recently exposed vulnerabilities are one part of a greater, systematic issue in healthcare. When it comes to medical devices today, cybersecurity is literally a matter of life and death.

Why Are Medical Devices Particularly Vulnerable to Cyber Threats?

Medical devices are an expensive capital investment. Hospitals purchase them on the understanding that they’ll continue to work for years, or even decades, with minimal operation costs. Hospitals and their staff know how to operate medical devices. However, maintenance, including software maintenance and updates, is handled by the device vendor, an external party.

Operating system upgrades, patches, and repairs all incur downtime. For hospitals, this isn’t just a problem because of the opportunity cost of idle hardware. Patients’ lives depend on round-the-clock availability of devices such as infusion pumps.

Understandably, medical device maintenance is rarely a priority unless it directly affects device functioning. There are several consequences to this:

  • Many medical devices run on old operating systems with known vulnerabilities

  • Hospitals themselves lack the ability to implement software updates or security patches

  • This means that medical device software is rarely updated: disruptive updates could take device access away from patients.

Hospital user devices get quick updates. Medical devices don’t.

There is a big discrepancy between the sluggish pace of medical device software updates and updates on other devices that hospitals use. PCs, phones, and personal devices used by staff run on conventional operating systems like Windows, iOS, and Android. They receive security upgrades regularly.

Legacy Systems and “Bolted-on” Connectivity

With hospital processes growing increasingly digital, insecure medical devices are being networked with other devices. Networking always requires systematic planning and implementation. Hospitals tend not to do this when networking medical devices. Connectivity is often “bolted on” to legacy systems with little consideration for long-term consequences.

URGENT/11: Medical Devices Have Been Vulnerable Since 2006

URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices

It’s interesting here to get a bit of context on the FDA’s cybersecurity warning from last month. The FDA warned the healthcare sector specifically about the URGENT/11 set of vulnerabilities.

These vulnerabilities are present in IPNet, an implementation of the TCP/IP stack developed by a now-defunct firm called Interpeak in the early 2000s. After Interpeak was bought out in 2006, IPNet development ceased. No security updates for IPNet have been released in the past 13 years. Despite this, the developers of several RTOSes (real-time operating systems) powering medical devices have incorporated the IPNet stack into their OSes. This means that many devices have been at risk for at least a decade. Because of this, medical devices are potent attack vectors for threat actors aiming to compromise hospital networks.

Compromised Medical Devices Are a Life or Death Situation

But these very insecurities also put the devices themselves at risk. Medical device hacking lets threat actors collect information from medical devices, monitor them, or even shut them down remotely.

At any given moment, many leaders—politicians, industrialists, business executives, and social activists alike—are hospitalized. Vulnerabilities can directly affect medical device safety. It’s not difficult to imagine the chaos that could be caused if a threat actor disables a compromised medical device at the wrong time.

What’s the Path to Medical Device Security?

Medical devices are a major, persistent vulnerability in the healthcare sector. Any hospital operating medical devices on legacy software is at significant risk. What can be done to mitigate the risk?

VLANs: The Short-term Solution

VLANs (Virtual Local Area Networks) are one possible short-term solution that hospitals can implement. A VLAN is a virtual network that connects a set of devices at the logical level. This means that:

  • Devices on a VLAN don’t necessarily have to be on the same physical network

  • Being on the same physical network doesn’t inherently provide connectivity to the VLAN

In the healthcare context, the latter point is crucial. Theoretically, it’d be possible to network medical devices and other vulnerable hardware on a separate physical network. But in practice, this would take too much time and effort to be worthwhile.

A VLAN can be used instead to segregate medical devices. They’d only be networked to the devices they need to be connected to in order to function. VLANs can be used to logically disconnect medical devices from the internet. VLANs aren’t an insurmountable obstacle. However, they provide an extra layer of defense, making it that much harder for a threat actor to compromise medical devices or the hospital network.
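One way to check that such segmentation holds in practice is to audit connection records against the list of peers each device actually needs. The following is an added example, not part of the original article; the addressing plan, the allowlist and the record format (one entry per connection, `src` being the initiator) are assumptions constructed for illustration.

```python
import ipaddress

# Addressing plan and allowlist are constructed for this example.
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")
MEDICAL_VLAN = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = {  # (server, protocol, port) a device needs in order to function
    ("10.20.40.10", "tcp", 443),  # pump management server
    ("10.20.40.20", "tcp", 104),  # imaging archive
}

def classify(conn):
    """Return None when a connection fits the policy, else a short reason."""
    src = ipaddress.ip_address(conn["src"])
    dst = ipaddress.ip_address(conn["dst"])
    src_med, dst_med = src in MEDICAL_VLAN, dst in MEDICAL_VLAN
    if src_med == dst_med:
        return None  # both inside the VLAN, or neither: boundary not crossed
    peer = dst if src_med else src
    if peer not in HOSPITAL_NET:
        return "internet-egress" if src_med else "internet-ingress"
    if dst_med:
        return "inbound-from-other-segment"
    if (str(dst), conn["proto"], conn["dport"]) in ALLOWED:
        return None
    return "unlisted-destination"

def audit(conns):
    """Return (connection, reason) pairs for every policy violation."""
    findings = []
    for conn in conns:
        reason = classify(conn)
        if reason:
            findings.append((conn, reason))
    return findings

# Constructed sample records; 203.0.113.7 is a documentation address.
SAMPLE = [
    {"src": "10.20.30.11", "dst": "10.20.40.10", "proto": "tcp", "dport": 443},
    {"src": "10.20.30.12", "dst": "203.0.113.7", "proto": "tcp", "dport": 443},
    {"src": "10.20.50.77", "dst": "10.20.30.11", "proto": "tcp", "dport": 23},
    {"src": "10.20.30.13", "dst": "10.20.50.5", "proto": "tcp", "dport": 445},
    {"src": "10.20.50.77", "dst": "10.20.50.5", "proto": "tcp", "dport": 445},
]

if __name__ == "__main__":
    for conn, reason in audit(SAMPLE):
        print(f"{reason:27} {conn['src']} -> {conn['dst']} "
              f"{conn['proto']}/{conn['dport']}")
```

Any finding means the VLAN boundary is passing traffic the devices do not need, which is the signal to tighten the inter-VLAN filtering rules.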

The Long-term Solution: Hospital Cybersecurity Needs to Be Taken Seriously

The only long-term solution is for hospitals to consider cybersecurity a serious, systematic issue. Hospital administrators have to understand that the cost of short-term disruption is far outweighed by the risk of leaving critical vulnerabilities unaddressed.

This will require fundamental rethinks of the relationships that hospitals have with their medical device vendors. For instance, SLAs need to mandate consistent and timely software updates. The current, hands-off approach benefits no one: manufacturers don’t add value to their products with the promise of support, and hospitals remain at substantial risk. Ensuring that medical device software remains up to date will address major vulnerabilities and mitigate the risk posed by cyber threats.

It’s also critical for cybersecurity providers to become stakeholders in the process. Industries where cybersecurity providers play a key supporting role are less at risk from catastrophic cyber incidents than the healthcare sector.

Under the FDA’s federal regulations, medical device manufacturers must address all risks in their products, including cybersecurity risks, through methods such as penetration testing. Healthcare cybersecurity vendors such as Alpine Security can provide cybersecurity assessment and testing services. They can systematically identify risk factors and implement solutions to ensure compliance with information security standards.

It might seem self-evident, but taking cybersecurity seriously is the only real way to secure medical devices from cyber threats.


Alpine Security is a member of the CISO Global family of companies.


© 2021 · Alpine Security, a Cerberus Sentinel Company
