Last month, the FDA issued a warning about software vulnerabilities on multiple medical devices, including infusion pumps, anesthesia machines, and imaging systems. These vulnerabilities allow threat actors to trigger information leaks, gain access to hospital networks and, most worryingly, remotely control the devices themselves.
Why is the Food and Drug Administration, of all organizations, talking about cybersecurity? It’s not just them. The recently exposed vulnerabilities are one part of a greater, systematic issue in healthcare. When it comes to medical devices today, cybersecurity is literally a matter of life and death.
Why Are Medical Devices Particularly Vulnerable to Cyber Threats?
Medical devices are an expensive capital investment. Hospitals purchase them on the understanding that they’ll continue to work for years, or even decades, with minimal operation costs. Hospitals and their staff know how to operate medical devices. However, maintenance, including software maintenance and update, is handled by the device vendor, an external party.
Operating system upgrades, patches, and repairs all incur downtime. For hospitals, this isn’t just a problem because of the opportunity cost of idle hardware. Patient’s lives depend on round-the-clock availability of devices such as infusion pumps.
Understandably, medical device maintenance is rarely a priority unless it directly affects device functioning. There are several consequences to this:
-
Many medical devices run on old operating systems with known vulnerabilities
-
Hospitals themselves lack the ability to implement software updates or security patches
-
This means that medical device software is rarely updated: disruptive updates could take device access away from patients.
Hospital user devices get quick updates. Medical devices don’t.
There is a big discrepancy between the sluggish pace of medical device software updates and updates on other devices that hospitals use. PCs, phones, and personal devices used by staff run on conventional operating systems like Windows, iOS, and Android. They receive security upgrades regularly.
Legacy Systems and “Bolted-on” Connectivity
With hospital processes growing increasingly digital, insecure medical devices are being networked with other devices. Networking always requires systematic planning and implementation. Hospitals tend not to do this when networking medical devices. Connectivity is often “bolted on” to legacy systems with little consideration for long-term consequences.
URGENT/11: Medical Devices Have Been Vulnerable Since 2006
URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices
It’s interesting here to get a bit of context on the FDA’s cybersecurity warning from last month. The FDA warned the healthcare sector specifically about the URGENT/11 set of vulnerabilities.
These vulnerabilities are present in IPNet, an implementation of the TCP/IP stack developed by a now-defunct firm called Interpeak in the early 2000s. After Interpeak was bought out in 2006, IPNet development ceased. No security updates for IPNet have been released in the past 13 years. Despite this, the developers of several of RTOs (real-time operating systems) powering medical devices have incorporated the IPNet stack into their OSes. This means that many devices have been at risk for at least a decade. Because of this, medical devices are potent attack vectors for threat actors aiming to compromise hospital networks.
Compromised Medical Devices Are a Life or Death Situation
But these very insecurities also put the devices themselves at risk. Medical device hacking lets threat actors collect information from medical devices, monitor them, or even shut them down remotely.
At any given moment, many leaders—politicians, industrialists, business executives, and social activists alike—are hospitalized. Vulnerabilities can directly affect medical device safety. It’s not difficult to imagine the chaos that could be caused if a threat actor disables a compromised medical device at the wrong time.
What’s the Path to Medical Device Security?
Medical devices are a major, persistent vulnerability in the healthcare sector. Any hospital operating medical devices on legacy software is at significant risk. What can be done to mitigate the risk?
VLANs: The Short-term Solution
VLANs (Virtual Local Area Networks) are one possible short-term solution that hospitals can implement. A VLAN is a virtual network that connects a set of devices at the logical level. This means that:
-
Devices on a VLAN don’t necessarily have to be on the same physical network
-
Being on the same physical network doesn’t inherently provide connectivity to the VLAN
In the healthcare context, the latter point is crucial. Theoretically, it’d be possible to network medical devices and other vulnerable hardware on a separate physical network. But in practice, this would take too much time and effort to be worthwhile.
A VLAN can be used instead to segregate medical devices. They’d only be networked to the devices they need to be connected to in order to function. VLANs can be used to logically disconnect medical devices from the internet. VLANs aren’t an insurmountable obstacle. However, they provide an extra layer of defense, making it that much harder for a threat actor to compromise medical devices or the hospital network.
The Long-term Solution: The Hospital Cybersecurity Needs to Be Taken Seriously
The only long-term solution is for hospitals to consider cybersecurity a serious, systematic issue. Hospital administrators have to understand that the cost of short-term disruption is far outweighed by the risk of leaving critical vulnerabilities unaddressed.
This will require fundamental rethinks of the relationships that hospitals have with their medical device vendors. For instance, SLAs need to mandate consistent and timely software updates. The current, hands-off approach benefits no one: manufacturers don’t add value to their products with the promise of support. And hospitals remain at substantial risk. Ensuring that medical device software remains up to date will address major vulnerabilities and mitigate the risk posed by cyber threats.
It’s also critical for cybersecurity providers to become stakeholders in the process. Industries, where cybersecurity providers play a key supporting role, are less at risk from catastrophic cyber incidents than the healthcare sector.
Under the FDA’s federal regulations, medical device manufacturers must address all risks in their products, including cybersecurity risks, through methods such as penetration testing. Healthcare cybersecurity vendors such as Alpine Security can provide cybersecurity assessment and testing services. They can systematically identify risk factors and implement solutions to ensure compliance with information security standards.
It might seem self-evident, but taking cybersecurity seriously is the only real way to secure medical devices from cyber threats.