By Carlos R. Aguayo Gonzalez, PhD, and Brion Bailey
The medical devices millions of Americans depend on daily are shockingly vulnerable. According to a new report from the U.S. Government Accountability Office, 53% of connected medical devices and other Internet of Things (IoT) devices in hospitals have known vulnerabilities.
Critical Risks and Data Breaches
Approximately one-third of healthcare IoT devices had an identified critical risk, potentially impacting the operation and function of the devices. The U.S. Department of Health and Human Services has released research showing that the medical data of over 61 million Americans has been stolen or exposed in more than 400 cyberattacks over the past year. It’s estimated that the medical records of a third of all Americans – including millions of veterans – may have been exposed by the recent Change Healthcare ransomware attack earlier this year.
In this dangerous climate, a new definition of security for medical devices is required. New technology can analyze device integrity without compromising device operation or connectivity. In a sense, it can provide biometric readings on medical technology itself, reporting on the health of devices protecting human health.
Addressing Hardware and Firmware Vulnerabilities
Current medical device security is software-centric, with clinical care for patients as the priority. Limited visibility into vulnerabilities in hardware components (such as chips, boards, and power supplies) and in firmware is a growing concern. Facilities need to know in real time when a device begins to act abnormally, whether due to a cyberattack, a counterfeit introduced through the supply chain, or device degradation over time.
The ability to attest device integrity against hardware and firmware Bills of Materials (BOMs) is critical to protecting medical devices from intrusion and unauthorized modification, preventing patient harm and loss of patient data. This technology addresses a blind spot in existing IT asset management systems and feeds data to those systems via APIs, ensuring comprehensive visibility of connected devices.
There are three central tenets of a strong Integrity Assessment:
- Assessing the devices connected to the network
- Assessing the components of those devices, down to the chip level
- Continuously monitoring devices with hardware/firmware-level visibility and detecting anomalous behavior
Regulatory Pressures and Compliance
Device manufacturers face growing regulatory pressures to achieve this level of internal visibility. The U.S. FDA has raised the bar on device cybersecurity by publishing guidance on stricter requirements. Federal healthcare entities must comply with regulations like GSA 504.7002 on supply chain management risk. The federal government is expected to establish minimum cybersecurity standards for private hospitals, potentially extending beyond hospitals to any entity receiving Medicare and Medicaid funds.
Improving Medical Cybersecurity
Internal visibility allows medical facilities and leaders to evaluate the risk profile of their networks. Improving medical cybersecurity doesn’t have to be a rip-and-replace initiative. Testing tools can highlight devices that have been compromised, have vulnerable components, or are showing degraded performance. For example, if 20% of IP cameras exhibit issues, those cameras can be segmented and replaced rather than the entire system.
To satisfy new security regulations and strengthen medical device security, healthcare leaders need the following capabilities from testing technology:
- Supply chain assurance: Detecting both hardware and software anomalies across the three assurance tenets
- Cyber resilience: Machine-time detection, mitigation, and remediation
- Protection from Advanced Persistent Threats (APTs): Detecting hardware and firmware Trojans, counterfeits, and clones
- Effective and easy to use: Enabling rapid discovery of device clusters with different hardware or firmware
- Highly scalable: Deploying in the cloud, on-premises, or as a portable unit for embedded systems
Despite rapid advancements in technology and their potentially life-saving role in patient care, medical devices have not historically been designed with security in mind. The current threat environment demands that hardware security be held to a standard at least as rigorous as that applied to software. The technology to make this a reality exists, and medical facilities need to adopt it for regulatory compliance, legal liability protection, and basic patient safety.
Carlos R. Aguayo Gonzalez, PhD, is the founder and chief technology officer of PFP Cybersecurity and Brion Bailey is director of the public sector business development for DSS, Inc. Questions and comments can be directed to [email protected].