Devices running embedded software exist all around us—and healthcare facilities are accruing these IoT devices at a rapid rate. The rise of such devices, sometimes collectively referred to as IoMT (the Internet of Medical Things), stands to benefit the quality and efficiency of care delivered in healthcare facilities worldwide. Allied Market Research predicted medical IoT devices will garner a $136.8 billion worldwide market by 2021.
Devices Can’t Be Assumed to Be Secure
Healthcare organizations with a lack of cybersecurity awareness are tempted to think of these devices as self-contained and self-maintaining. However, the truth is that these devices are computer systems with hardware components as well as operating systems and applications within their firmware—often featuring communication interfaces to the outside world.
Just like the application systems hosted on servers within networks, the security controls of these devices must be designed, maintained and updated to address security vulnerabilities, and to fit within the security architecture of the larger systems and networks in which they function. Unfortunately, an explosion in new usages for embedded devices in medical technology means that many of them are often rushed to market without appropriate security controls.
The Risks Posed by Connected Medical Devices
Connected medical devices help providers gather and monitor vitals, reduce risks and errors, and often come in the form of wearables or implantables that help patients remain monitored and healthy day in and day out. Modern hospitals are full of such devices, all of which collect and transmit data, and all of which are exploitable to some extent. Data theft, ransomware attacks, and DDoS attacks are all on the table for each connected medical device.
Healthcare practitioners are not adequately trained in IT security, and strapped budget often means patching vulnerable devices is not as high on the list of priorities as it should be. Medical devices used for diagnostics, surgeries, imaging and more can be vulnerable to potential cyberthreats. Aside from the financial consequences of cybercrime, these are cases in which human lives are at immediate risk if a device’s function is interrupted. Much of the onus is on medical device manufacturers themselves.
Guidance from the FDA
There is a need for effective cybersecurity in healthcare to assure the functionality and safety of medical devices. In response, the Food and Drug Administration (FDA) has developed a guidance document to assist manufacturers in identifying issues related to cybersecurity which should be considered when designing and developing medical devices and preparing for their pre-market submissions.
The FDA recommends that manufacturers consider cybersecurity risk as a part of the medical device design and development and that they submit documentation to the FDA about the identified risks. These manufacturers also should consider putting controls in place that will help mitigate those risks.
The FDA suggests the following security measures for connected medical devices:
Authentications must be used to limit access for medical devices to trusted users. Various authentication methods, such as username and password, biometrics, and smart card or multi-layered authentication, can be used.
Make sure the data is transferred securely to and from the medical device using encryption wherever appropriate.
Implement functionalities that allow analysts to detect, recognize, log, time and act upon any security compromises.
Provide end users with information regarding appropriate actions to be taken when a cybersecurity event is detected.
Solution: Medical Device Assessments
Tripwire supports medical device companies and other healthcare organizations with embedded software devices by providing rigorous security assessments. Tripwire’s device testing approach includes identifying security risks and vulnerabilities that may exist in the physical construction of the device and its network interfaces. Our goal is to identify potential control exposures through security configuration analysis and vulnerability testing of the platform and the operating environment. Tripwire analyzes the security configuration of the operating system.
Tripwire’s device testing engagements have revealed devices that allowed the login screens to be bypassed, or login screens that failed to actually authenticate user sessions with the device so that any user could become an administrator. In-depth testing has also revealed weaknesses that allow bypassing of encryption controls and malicious intrusion between circuit boards within the device. For devices which reside in public areas, this vulnerability could grant malicious intruder access to the critical control network, such as a smart grid network.
Each assessment begins with a review of the architecture of the device and the intended application in which it will be used. This sometimes involves testing encryption controls, circuit board interfaces, and the protocols by which the device communicates with other systems or networks. This enables the testing results to be expressed within the context of the systems and business functions they support, as well as to enable recommendations for risk mitigation to be practical and realistic within the applicable environment.
Let us take you through Tripwire’s medical device assessments and other professional service and answer any questions you have. Understand how Tripwire’s suite of integrity and vulnerability management products and services can be customized to specific IT security and compliance needs.