Medical device cybersecurity: exploring the threats

13 Dec 2021 14min read

Connected technology and connected devices are now at the heart of many consumer products. As such, in recent years medical device developers have begun to explore ways to build connectivity into their devices, often making it accessible through smartphones. Smarter devices offer a number of benefits to manufacturers, patients and POC workers alike. By connecting a device to wider network infrastructure, developers can run remote upgrades to software, gather use-data and offer patients a better user experience.

Medical devices that use connected technology can be made accessible through smartphones, connect within the wider network infrastructure, and run upgrades, remotely yet easily, to software. All of this can bring benefits to users and improve the way that the device works, however it can also leave your device vulnerable to cyber threats.

In this blog, we’ll explore the cybersecurity risks that are associated with medical devices before suggesting ways to protect your device against them.

Medical device cybersecurity threats to be aware of

In any medical device development, risk management should form a central part of your processes. As medical device manufacturers, distributors, and designers, we need to identify the risks associated with your device, in accordance with ISO 14971 – a regulation about the application of risk management in medical device development. Once we understand the risks, we then need to consider mitigations that we can put in place to reduce the severity or probability of them. Throughout the device lifecycle, from the time of production to when its in the hands of users, manufacturers need to closely monitor their devices to ensure new threats are mitigated too.

Whilst cybersecurity risks aren’t necessarily medical device security risks per se, risks of this kind must still be identified and mitigated in the same way. The National Institute of Standards and Technology (NIST) has established a framework regarding cybersecurity, which is quite similar to ISO 14971. The framework isn’t specific to medical devices and instead focuses on cybersecurity risks in critical infrastructure. However, we can still draw on this for medical device risk assessment. The framework outlines five activities:

● Identifying threats, assets and impacts
● Implement safeguards to protect assets against the identified threats
● Create ways to detect, respond to, and manage cybersecurity events
● Detect said events as they happen
● Recover from said events and minimise their impact

Whilst a lot of cybersecurity risks will be specific to the device, depending on the way that they operate and their design, there are still some general threats to be aware of across all medical devices:

Harm to patients

Direct patient harm is a worst-case scenario, but it should still be considered when managing the risks associated with your medical device. In some instances, attackers may wish to harm patients, caregivers, or other users via your device. As an example, if a wireless interface is used to control your device and trigger therapeutic behaviour, the attacker could use this interface to control the device. Protection is therefore essential for a wireless interface, otherwise it will be left open to attack.

Leapfrog attacks

In a connected system, all points in the network are connected in order to distribute information between nodes. For attackers however, such a connected system can provide an entry route to the wider system of devices. As such, a system is only as secure as the least secure device within it. Developers must therefore ensure all devices within each system are as secure as possible.

Medical device cloud connectivity

Denial of service attacks (DOS)

A “denial of service” (DOS) type of attack is intended to temporarily block your services. This usually happens due to a large number of access requests being received in a short period of time, resulting in server downtime. Attackers may also use ransomware to block your services, as seen during the WannaCry attacks on health services. These attacks showed just how damaging the effects of cyberattacks can be, resulting in delays to surgeries and treatments for patients.

Manipulation or loss of data

Attackers often seek out sensitive data to extort individuals, steal their identities or sell to suspicious organisations. Most of the time, IT systems have protection in place for this data because of required legislation such as GDPR. However, in the context of medical data, attackers might seek to manipulate and modify this in a way that affects a patient’s treatment. To use a current example, consider what might happen if COVID-19 test results were modified by an attacker – infectious patients with a false negative result could continue to mix as usual, spreading the infection further.

Loss of intellectual property

If your software can be understood and interpreted directly from the device, attackers could take advantage of this to replicate your designs, exploiting the development work that has taken place to create your product. As a result, they might recreate elements of your functionality to get to market quicker.

DOS attack

Assessing vulnerabilities with the top-down and bottom-up approach

As discussed above, some general cybersecurity risks will be applicable to most medical devices. However, it should be remembered that each system, device, and product line is entirely unique and, as a result, will introduce unique risks. The best way to assess any risks in your medical device development is to assume that vulnerabilities will be abused and that an attack will occur. This way, you can be prepared to address all potential risks. If mitigations, such as data encryptions, are in place, then it’s also useful to assess their weakness and the chances of them failing.

In medical device software development, a common thought-process that is applied is ‘guaranteed risks’. This approach means that all risks are acknowledged and mitigated to minimise the chances of the risks being exploited.

When examining the risks, we can view these from two different angles – the top down, and the bottom up. Let’s take a look at these angles and what they entail:

The top-down approach

This type of cybersecurity assessment considers the entire overview of a system by looking at resources or features that may be exploited by attackers. We then need to consider how these could be accessed and manipulated. To begin a top-down assessment, consider what may happen if an asset – such as patient information or clinical data – is stolen, accessed and corrupted, or misused. Using the example of clinical data, such as test results, the corruption or manipulation of data could result in incorrect treatment being carried out for the patient.

Once you have gained an understanding of your assets and their vulnerabilities, it is then important to understand any possible routes of attack to ensure they are protected and appropriate mitigation is in place. This can be documented using an ‘attack tree’, as outlined by B. Schneier. Attack trees look at the various ways an asset might be attacked and accessed. Using sensitive data files as an example, a map of this kind would identify every possible way that the file could be stolen.

Cyber attack tree example

This approach is useful in the early stages of your project, as it can help you to clearly identify potential weaknesses at a higher level. As such, it helps you to think about the cybersecurity risks when outlining and deciding on the requirements of your device. However, completing this diagram should not be a one-time event – instead, it should be revisited at different stages of your device development. That way, you can be confident that new assets have been identified and managed throughout the process.

The bottom-up approach

This type of assessment is usually conducted during the design and implementation phases of medical device development. Instead of looking at things from a higher level, the bottom-up approach instead considers the harms that may be caused, or the assets which might be accessed, when a failure occurs. This approach is similar to Failure Mode and Effects Analysis (FMEA), a well-understood and recognised concept – where teams look at individual components within a design and assess their risks. The implemented mitigations that we use often focus on methods of prevention and detection, and/or the failures of specific elements within the design.

Using a computer as an example, we can look into the details of our system and then consider the ways in which this system would be attacked or corrupted. We might spot that the network connection it uses increases its vulnerability, and so the next step would be to consider how the exploitation might occur:

Whilst both the bottom-up and top-down approaches are effective in their own right, they work best when they are used together. For example, the bottom-up approach might help you to identify risks that the top-down assessment may miss and vice versa. Using both approaches will help you to identify an exhaustive list of vulnerabilities, helping you to then put mitigations in place for them.

Potential cyber attack routes

Understanding common vulnerabilities and useful mitigation strategies

When uncovering potential risks during the design process, it’s useful to have a list of common and well-understood vulnerabilities as a reference. The UL2900 international cybersecurity standard expects mitigations to have been implemented against your system’s vulnerabilities, so it’s a useful starting point to work from.

When it comes to identifying mitigation strategies, whilst there will be risks that are specific to each individual application, there are also some common concepts here you can consider:

Data at rest

Clinical data, platform data, and user passwords are all examples of sensitive data that might be stored, at rest, on a device. This sensitive data is often highly sought-after by attackers, who could access it via the user interface or the device’s hardware. One of the best ways to mitigate this risk is to encrypt the data by using robust mechanisms like AES 256. This encryption involves mixing the data up in a way that only a device with an encryption key will understand. By doing this, it reduces the opportunities for attackers to understand the data that they are trying to retrieve.

It’s important to note that the encryption keys also need to be protected from hackers – a Trusted Platform Module (TPM) is one of the best ways to protect your encryption key. These hardware modules are made by a range of manufacturers, allowing teams to choose the best device for their applications’ needs. TPM’s offer a selection of security functions such as authentication of data and users, encryption and decryption of data, and the management of cryptographic key storage and exchange. These features can be integrated into your device to enhance its security levels.

Data in transit

Data transferred between devices is known as data in transit. While moving between devices, data can become vulnerable to attackers trying to intercept and steal information. Just like data at rest, you can mitigate this threat by using encryption, specifically ‘end-to-end encryption’. In this type of system, only the parties that need to use the data (the sender and recipient) know the encryption keys. As such, whilst the data is handled by the server, it cannot be read by anyone or anything other than those that understand the encryption keys.

When using end-to-end encryption however, it’s important to be aware that the sender and recipient sharing the same encryption key could also act as a single point of failure for multiple devices. With all of this in mind, it could be safer to use asymmetric key encryption. This method involves encryption keys that are unique to each individual communication session between two devices and, better still, these devices aren’t required to know the encryption key in advance.

Data authenticity

Another way for attackers to cause harm is to disrupt data whilst it’s in transit and then modify it. Random data corruption from electromagnetic interference is often one of the tactics used, or attackers may carry out ‘man in the middle’ attacks. Either way, corrupting data can cause significant harm. For instance, it can lead to incorrect patient records, or in the context of your medical device, it can also lead to incorrect instructions to remote modules. Corrupt data can be identified and mitigated against by attaching robust signatures – like SHA256 – to the data. Devices receiving the data can then confirm that it’s valid by calculating the signature of the data that they’ve received. If the signature doesn’t match the signature provided, the data cannot be authenticated.

The second part of authentication involves identifying whether the source of the data is valid, as well as the data itself. Website and server certificates can be crucial here, as they can be used to confirm that communication is taking place with the correct host. Authentication data can then be exchanged between devices once encrypted communication sessions have been set up and it’s clear that the recipient is valid.

One of the easiest ways for attackers to access data stored on a device is to simply gain physical access to the device. While it’s common to use passwords to secure computer systems and similar devices, these can often be used as a point of entry if attackers are able to find them or figure them out. As with any IT security measures, using the same passwords across entire systems isn’t wise – it increases the chances of attackers accessing all devices within an ecosystem. When devices are configured, they will require a default password, but this should always be entirely unique. One way this risk can be mitigated is by implementing adequate password policies – each user and each device should have a unique password and, wherever necessary, access to data must be restricted. Password updates post-launch are also vital.

Connected devices

What you need to remember

Considering cybersecurity risks as part of your medical device risk management process will help you ensure that the right mitigations can be implemented to keep your device or systems secure. While we have covered a number of common cybersecurity risks, vulnerabilities and ways to mitigate them, it’s important to remember that attackers will always be searching for novel ways to get past your defences.

The best way to protect against this is to start your risk management process early, mitigating against as many eventualities as you can and then continuously monitoring your devices while in the field.

If you have any questions about where to start, or would like to find out how we could support you with your medical device cybersecurity risks, we’d love to hear from you. You can contact our team online easily by emailing [email protected] or calling 01799 532 700.

Join the conversation

Looking for industry insights? Click below to get our opinions and thoughts into the world of
medical devices and healthcare.