By Carlos R. Aguayo Gonzalez, PhD, and Brion Bailey
Millions of Americans depend on medical devices every day, and they are shockingly vulnerable. Current medical device security is software-centric and focuses primarily on how devices connect to the hospital network. Visibility into vulnerabilities in hardware components (for example, chips, boards, and power supplies) doesn’t exist, putting millions of patients at risk.
Incredibly, one-third of healthcare Internet of Things (IoT) devices had an identified critical risk, potentially impacting the operation of the devices and the networks to which they are connected. The U.S. Department of Health and Human Services (HHS) has released research showing that the medical data of over 61 million Americans has been stolen or exposed in more than 400 cyberattacks over the past year. It’s estimated that the medical records of a third of all Americans—including millions of veterans—may have been exposed by the Change Healthcare ransomware attack earlier this year.
Device manufacturers face growing regulatory pressures to achieve this level of internal visibility. The U.S. FDA has raised the bar on device cybersecurity by publishing guidance on stricter requirements and instituting its Refuse to Accept policy. Under this policy, the FDA can reject premarket medical device submissions if they fail to meet the FDA’s description of security measures, including a software bill of materials (SBOM), vulnerability disclosures, and security controls.
Federal healthcare entities are faced with standards like GSA 504.7002 on supply chain management risk. The federal government is expected to establish minimum cybersecurity standards for private hospitals, potentially extending beyond hospitals to any entity receiving Medicare and Medicaid funds.
New technology has been developed that is easily deployed and complements existing security systems, taking advantage of existing security investments. Some of the specific benefits of this functionality to medical providers include:
- Secure the Connected Network of Things: Compromised devices can impact direct patient care activities (e.g., IV pumps) and provide access to other network-connected solutions.
- Protect Data: Compromised devices could generate corrupted clinical data that impacts clinical decisions affecting both providers and patients.
- 360 Degree Health: As healthcare innovation evolves and adopts broader remote patient monitoring/home healthcare capabilities, the requirement to create “hardened devices” that are less susceptible to intrusion will become foundational to standard operating procedures.
- Zero Trust Model: Cybersecurity teams focused on accelerating defensive measures/postures such as medical device patching and vulnerability detection will benefit from capabilities that complement efforts with Zero Trust from a single chip, component, device, and system.
Here are three specific use cases that rely on this new technology:
Stopping Threats at the Source—Device Credentialing
Medical devices could be scanned in a warehouse environment before deployment in a patient care environment to match a scan produced by the manufacturer, addressing vulnerabilities or misconfigurations. All electronic devices, including IV pumps, bedside monitors, and ventilators, produce unintended analog signals during operation as a result of semiconductor physics. New technology can evaluate these so-called “side channels” to create a baseline measurement and assess the integrity of the hardware and firmware inside the device. Software and hardware bills of materials (SBOM, HBOM) from the original equipment manufacturer (OEM) can also assist in setting the proper baseline for operation. This will also provide immeasurable benefits for healthcare systems trying to create catalogs of “known good” device versions and include them in lifecycle maintenance.
These baselines can be established for such outputs as power consumption, electromagnetic emissions, and operating temperature. Machine learning can be used to make the analysis faster and more efficient. Any deviation from established baselines would flag a device for removal and replacement. Users and operators can do this review without extensive training or deep technical knowledge. The solution should be scalable for deployment across diverse environments (e.g., warehouse, medical facility, or austere environments).
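The baseline-and-deviation check described above can be sketched in a few lines. This is an added example, not the authors' or any vendor's code: a per-sample z-score stands in for the machine learning the article mentions, and the trace shape, noise level, added load, and threshold margin are all constructed assumptions.

```python
import math
import random
from statistics import mean, pstdev

def simulate_trace(rng, tampered=False, n=200):
    """Constructed power trace: periodic load plus measurement noise.
    A tampered unit draws extra power while its added logic runs."""
    trace = []
    for i in range(n):
        sample = 1.0 + 0.3 * math.sin(2 * math.pi * i / 50) + rng.gauss(0, 0.02)
        if tampered and 120 <= i < 160:
            sample += 0.1
        trace.append(sample)
    return trace

def build_baseline(golden):
    """Per-sample mean and spread across known-good traces."""
    cols = list(zip(*golden))
    return [mean(c) for c in cols], [max(pstdev(c), 1e-6) for c in cols]

def deviation_score(trace, baseline):
    """RMS z-score of one trace against the baseline (about 1.0 on a match)."""
    mu, sigma = baseline
    if len(trace) != len(mu):
        raise ValueError("trace length does not match baseline")
    return math.sqrt(mean(((x - m) / s) ** 2 for x, m, s in zip(trace, mu, sigma)))

def calibrate(golden, holdout, margin=1.3):
    """Baseline from one known-good set; threshold from held-out known-good
    traces so normal measurement noise does not raise alarms."""
    baseline = build_baseline(golden)
    threshold = margin * max(deviation_score(t, baseline) for t in holdout)
    return baseline, threshold

def screen(trace, baseline, threshold):
    """Return ("pass" | "flag", score) for one device scan."""
    score = deviation_score(trace, baseline)
    return ("flag" if score > threshold else "pass"), score

def demo(seed=7):
    rng = random.Random(seed)
    golden = [simulate_trace(rng) for _ in range(40)]
    holdout = [simulate_trace(rng) for _ in range(10)]
    baseline, threshold = calibrate(golden, holdout)
    good = screen(simulate_trace(rng), baseline, threshold)
    bad = screen(simulate_trace(rng, tampered=True), baseline, threshold)
    return threshold, good, bad

if __name__ == "__main__":
    print(demo())
```

Calibrating the threshold on held-out known-good scans, rather than on the scans that built the baseline, keeps the false-flag rate honest when devices are screened at scale.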
Video Surveillance Cameras—the Onramp for Attackers
Video surveillance internet protocol (IP) cameras were developed without much consideration for security. Being connected to a network and usually on the same IT infrastructure makes them a dangerous attack vector for exploitation. Hackers can exploit the vulnerabilities in IP cameras as a gateway into segmented networks, moving laterally to access other devices in the network, delivering malware to field and operational technology (OT) devices such as programmable logic controllers, or PLCs, even on an isolated network, and then erasing their tracks. The entire attack can be done in as little as three minutes.
New technology can detect deviations in hardware and firmware from approved configurations, such as counterfeits, chips from banned origins, tampered firmware, a Mirai botnet, Trojans, etc. Since it can detect live attacks during operation in machine time, the technology can detect and interrupt the cyber kill chain. This process can also be applied to many other products, such as sensors, networks, cloud infrastructure, etc. A continuous monitoring capability enables visibility of unwarranted device modifications to hardware and software (i.e., firmware).
In early 2024, the General Services Administration’s Inspector General released a report that the agency purchased Chinese-made video conferencing cameras that did not comply with U.S. trade standards. These purchases continued even after a June 2022 analysis demonstrated five vulnerabilities that could be used to access the camera owners’ networks secretly.
Microelectronic Supply Chain Assurance
According to the DoD, 22% of Tier 2 and 72% of Tier 3 suppliers of 39 product lines rely on Chinese manufacturing. Most COTS electronics used in DoD systems are fabricated overseas and could be tampered with to provide unauthorized access. The attacker could access such vulnerabilities later, even without direct network access. Current firmware integrity monitoring systems cannot detect these potential vulnerabilities.
In 2021, the Department of Veterans Affairs (VA) issued Cybersecurity Directive 6500 about device integrity verification. This directive called for the VA to “employ integrity verification tools to detect unauthorized changes to selected software, firmware, hardware, and information.” New testing technology can make this requirement far easier to accomplish.
Out-of-band screening can verify the integrity of electronics from the individual chip level to complex systems at scale. Machine learning is used to create baselines and detect tiny changes in both design and behavior. For example, a Trojan can be detected in silicon before deployment.
Medical devices remain a weak link in a world of escalating cyber threats. It’s not a question of if a significant breach will occur again, it’s when. There is no reason health facilities shouldn’t avail themselves of these new security tools. They can be economically deployed and do not require a rip-and-replace approach. Side-channel device analysis can be integrated with whatever existing security tools the facility has in place.
Security down to the chip level has been proven in the field. Now’s the time to make adoption widespread.
Carlos R. Aguayo Gonzalez, PhD, is the founder and chief technology officer of PFP Cybersecurity, and Brion Bailey is director of public sector business development for DSS, Inc. Questions and comments can be directed to [email protected].