Medical Device Penetration Testing Services
Over the past few years, the Internet of Things (IoT) coupled with the ubiquitous nature of Information Technology has resulted in an ever-expanding attack surface, where rapid solution development and enhanced functionality routinely prevail over security. For example, attackers once disrupted the majority of U.S. internet activity by using 61 default IoT usernames and passwords. Consumers had failed to change them before activating their devices, effectively turning our gadgets into the culprits responsible for one of the largest Distributed Denial of Service (DDoS) attacks in the world’s history.
The Healthcare Industry is rapidly adopting IoT devices to enhance patient safety and improve how healthcare workers deliver treatment. From medication administration to remote sensor monitoring, embedded medical devices are improving the quality of care and increasing patients’ interaction with their providers. While this technology was most certainly created with good intentions, the lack of security in the product design phase is a major concern - a concern that will likely materialize into malicious action with grave consequences.
The consequences became clear in 2017, when researchers were able to acquire equipment (costing from $15 to $3,000) and intercept the radio frequencies used by cardiac devices. With this capability, they were able to reprogram the devices to modify the patient’s heartbeat and even drain the internal battery. As a result, the FDA recalled almost 500,000 pacemakers and required in-person firmware updates. Researchers have also demonstrated similar capabilities on infusion pumps and MRI systems.
Non-networked medical devices may be operating at an even higher level of risk. Ease of physical access and the availability of RFID cloners contribute to a relatively weak physical security posture. In 2018, researchers demonstrated the capability to emulate and alter a patient’s vital signs in real time using an electrocardiogram simulator that they found on eBay for $100.
In late 2018, the Department of Health and Human Services Office of the Inspector General (IG) critiqued FDA procedures for assessing post-market cybersecurity risk to medical devices. To support the FDA’s core mission “to ensure there is a reasonable assurance that medical devices legally marketed in the United States are safe and effective for their intended uses”, they outlined their ongoing efforts to enhance medical device security.
According to the FDA, “Health care Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.”
Alpine Security can help HDOs transfer that risk by evaluating the cybersecurity posture of your wired or wireless medical devices.
Please check out a recent podcast, Medical Device Hacking and Vulnerability of Connected Medical Devices, from our very own Christian Espinosa, CEO of Alpine Security: