Cyberattacks can impact individuals and companies in different ways, but few if any industries have the same life-or-death impact as medical devices.
In recent years, medical devices and hospitals have come under increasing attack from different threat actors, which has not escaped the notice of regulators in the United States. At the RSA Conference in San Francisco, the safety implications of medical device vulnerabilities were detailed, along with direction on how things could well be set to improve in the years ahead.
Penny Chase, Information Technology & Cyber Security Integrator at MITRE, commented that with any device connected to a network there can be vulnerabilities.
"If those vulnerabilities aren't taken care of, devices can potentially be exploited, and that can result in patient harm or serve as a pivot point to get into a hospital network."
The risk to medical infrastructure is far from a theoretical threat. In 2017, the WannaCry ransomware attack had devastating consequences in the UK, shutting down NHS operations and hospitals. There have also been publicly reported flaws in medical devices that vendors have been slow to fix. Perhaps the most well-known example occurred with Abbott Laboratories and its St. Jude cardiac pacemakers.
Chase added that even when patches are available for known issues, patching medical devices is often far from routine, with many hospitals unaware that they are vulnerable.
How Medical Device Security Will Get Better
The US Food and Drug Administration (FDA), together with MITRE and other stakeholders, has been engaged in multiple efforts to improve the state of medical device security. Chase noted that in 2018 the Medical Device Safety Action Plan was published by the FDA, which includes a number of action items for device manufacturers. Among the primary items is a requirement that firms build the capability to update and patch device security into a product's design. The plan also requires that device manufacturers have coordinated disclosure policies in place in the event of a vulnerability.
Margie Zuk, Senior Principal Cybersecurity Engineer at MITRE, commented that a key challenge with medical device cybersecurity is making sure that the vulnerabilities are understood with the right amount of detail. To that end, MITRE has been developing a Medical Device Rubric for Common Vulnerability Scoring System (CVSS) that has been submitted to the FDA.
Another current effort is to help hospitals build out their preparedness for cybersecurity incidents like WannaCry. Zuk noted that with WannaCry, for example, there was a lot of confusion between hospitals and manufacturers about risk. To help with that type of situation in the future, MITRE has developed a playbook to help hospitals with incident response.
A key challenge for understanding the risk is related to testing under different scenarios. That's where Zuk said that the Medical Device Cybersecurity Sandbox effort comes into play as an effort to help validate vulnerabilities in clinical scenarios.
Software Bill of Materials (SBOM) Will Help
One of the key efforts under way in 2020 is a multi-stakeholder effort led by NTIA for a Software Bill of Materials (SBOM). With SBOM, the software in medical and other devices would ship with a list of the constituent components it includes, so that an operator can tell which third-party code is actually present in a device.
"SBOM is really critical to understand if you have a vulnerability in your system," Zuk said. "Hospitals need to know what the attack surface is and what's at risk."
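To make concrete how an SBOM answers the question "do we have this vulnerability in our system?", the following added example (illustrative code written for this article, not MITRE's, NTIA's or any vendor's tooling) cross-references a constructed CycloneDX-style SBOM for a hypothetical device against a constructed advisory list. The component names, versions and advisory identifiers are placeholders, not real products or CVEs, and the version-range matching assumes simple dotted numeric versions.

```python
"""Added example: cross-referencing an SBOM against vulnerability advisories.

Illustrative code for this article, not MITRE's, NTIA's or any vendor's
tooling. The SBOM and the advisory list below are constructed sample data;
the component names, versions and advisory identifiers are placeholders.
"""
import json

# Constructed SBOM for a hypothetical device, loosely shaped like a
# CycloneDX document: each component has a name and a version.
DEVICE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "metadata": {"component": {"name": "infusion-pump-fw", "version": "4.2.0"}},
    "components": [
        {"name": "openssl-like-tls", "version": "1.0.2"},
        {"name": "embedded-http", "version": "2.3.7"},
        {"name": "logging-lib", "version": "5.1.0"},
        {"name": "rtos-kernel", "version": "3.8.1"},
    ],
})

# Constructed advisories: each names a component and the affected range
# (inclusive lower bound "introduced", exclusive upper bound "fixed").
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "openssl-like-tls",
     "introduced": "1.0.0", "fixed": "1.0.3", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-2", "component": "embedded-http",
     "introduced": "2.0.0", "fixed": "2.3.5", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-3", "component": "rtos-kernel",
     "introduced": "3.0.0", "fixed": "3.9.0", "severity": "medium"},
    {"id": "ADV-PLACEHOLDER-4", "component": "missing-lib",
     "introduced": "0.0.1", "fixed": "1.0.0", "severity": "high"},
]


def parse_version(text):
    """Turn a dotted numeric version like '1.0.2' into a comparable tuple."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version, introduced, fixed):
    """True if introduced <= version < fixed (fixed is the first safe release)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_sbom_components(sbom_json):
    """Return {component name: version} from a CycloneDX-style SBOM."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"] for c in doc.get("components", [])}


def match_advisories(sbom_json, advisories):
    """Return the advisories whose affected range covers a component in the SBOM.

    Each hit records the advisory id, the component, the version the device
    actually ships and the first fixed version, which is what a hospital
    needs in order to decide whether a patch is required."""
    components = load_sbom_components(sbom_json)
    hits = []
    for adv in advisories:
        shipped = components.get(adv["component"])
        if shipped is None:
            continue  # component not in this device's SBOM: not exposed
        if is_affected(shipped, adv["introduced"], adv["fixed"]):
            hits.append({
                "advisory": adv["id"],
                "component": adv["component"],
                "installed": shipped,
                "fixed_in": adv["fixed"],
                "severity": adv["severity"],
            })
    return hits


if __name__ == "__main__":
    for hit in match_advisories(DEVICE_SBOM_JSON, SAMPLE_ADVISORIES):
        print(f"{hit['advisory']}: {hit['component']} {hit['installed']} "
              f"affected, fixed in {hit['fixed_in']} ({hit['severity']})")
```

Run against the constructed data, the matcher reports two exposures (the TLS library and the RTOS kernel), ignores the HTTP component because the shipped version is already past the fix, and ignores the advisory for a component the device does not contain. That last case is the point of the SBOM: without the component list, a hospital cannot tell which advisories apply to which devices on its network.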
Fundamentally, the key to improving medical device cybersecurity is reducing risk and understanding the potential for exploitation.
"It's a shift in thinking about how a device is supposed to be used, to how a device can be exploited by a malicious adversary that is trying to abuse the device," Chase concluded.