Warning: Poor Application Security Health Could Kill You
The Food and Drug Administration (FDA) recently implemented new guidance regarding medical device cybersecurity. It’s not a moment too soon, as new cases arise in which healthcare technology is compromised by vulnerabilities that escalate risks, which could threaten patients’ lives. In a recent survey, over 20% of healthcare organizations said that after a cyberattack, their patient mortality rates had risen, and another 57% reported that cyberattacks led to poorer outcomes for patients.
Let’s look at what measures have been proposed to protect the security of healthcare technology, why they’re necessary, and the best tools to implement them.
What has the U.S. government announced?
The new law has given the FDA increased authority to establish medical device security requirements for manufacturers. The FDA can now require that all new medical devices brought to market must make security a priority. In the not-too-distant future, it will be mandatory for any submissions for these devices to be brought to market to include a software bill of materials (SBOM) and documentation to show that every product can be updated and patched.
It is hoped this move will mitigate or even eradicate some of the risks posed by vulnerabilities in medical diagnostic and treatment devices that have remained overlooked, or worse, neglected by manufacturers under current legislation.
Why do software vulnerabilities pose such a serious threat to medical devices and the healthcare sector?
Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices. This connectivity means that these devices can be vulnerable to security breaches, potentially impacting their safety and effectiveness. In its survey of cybersecurity in healthcare, the Ponemon Institute reported that 64 percent of respondents say they are concerned about the security of their medical devices, which can have a significant impact on patient safety. 59 percent of respondents say they are concerned about insecure mobile apps.
The healthcare sector addresses highly personal and delicate matters and handles vast amounts of personal identifiable information (PII). PII is ripe for attack because it is a rich source of data that can be used to defraud patients or to hold healthcare organizations to ransom.
Ransomware attacks against healthcare organizations doubled in the last five years, with the most common victim being health clinics, according to a new JAMA Health Forum study, conducted by researchers from the University of Minnesota and the University of Florida, who measured attacks on healthcare delivery organizations from 2016 to 2021,
Plus, patient confidentiality can be undermined by breaches that enable malicious actors to find and steal patient data. The JAMA study showed that attacks exposed the personal health information of 41,987,751 individuals — more than 10 percent of the U.S. population.
Even more seriously, weak cybersecurity could gravely jeopardize hospitals’ ability to provide diagnostics and treatment, if vulnerabilities enable attackers to infiltrate their systems. At best, compromised technology may cause delays in patients getting diagnoses. At worst, treatment could be delayed while this technology is fixed, which could potentially leave patients’ serious conditions to deteriorate and become life-threatening because they can’t be addressed quickly. The JAMA study discovered that 44 percent of attacks result in care delivery disruptions, 8.6 percent of which exceeded two weeks. In 41.7 percent of cases, care disruptions exceeded two weeks, 10.2 percent resulted in rescheduling care and 4.3 percent of attacks required ambulance diversion. Furthermore, the Ponemon Institute survey showed that 70 percent of respondents believed that supply chain attacks disrupted patient care, and it identified a range of implications, including delays in procedures and tests that caused poor outcomes, a longer length of stay in hospital, an increase in the need for patients to be transferred to other facilities, an increase in complications from medical procedures, and most dramatic of all, an increase in mortality rate.
These findings, caused by the ease with which attackers can undermine hospitals, medical technology, and systems, demonstrate how vulnerable all critical infrastructure can be.
How have vulnerabilities threatened patients’ health?
Moody’s Investor Service reported that the Toronto Hospital for Sick Children was attacked via digital ransomware on December 18, 2022. In addition to the potential damage to its data and financial security, Moody’s said that the hospital’s ability to provide healthcare was impaired, including “delays in medical imaging, longer diagnostics, and non-critical treatment wait times.” Even 18 days after the attack, the hospital only had 80 percent of its priority systems back online.
This is just the latest incident, but there’s a history of serious breaches. In 2017, 48 National Health Service organizations in the UK, including 30 hospital trusts, reported a major ransomware attack that hit as many as 70,000 devices including computers, magnetic resonance imaging (MRI) scanners, blood-storage fridges, and theater equipment.
Even personal life-prolonging equipment can be affected — medical devices like drug infusion pumps and implanted defibrillators. In the same year, the FDA recalled about 465,000 pacemakers manufactured by health tech firm Abbott, because of cybersecurity vulnerabilities that could have enabled attackers to wirelessly access the devices and steal personal data, drain the battery and disrupt normal life-sustaining operations.
In September 2022, the FDA issued a cybersecurity risk alert about the Medtronic MiniMed 600 Series insulin pump system, which has several components including an insulin pump and a blood glucose meter that communicate wirelessly. A vulnerability was identified (CVE-2022-32537) that could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other system components. Exploitation of this vulnerability could allow an unauthorized user to remotely set devices to deliver too much or too little insulin, slow or even stop its delivery to patients. This is scary because it could kill.
Government increases efforts against vulnerabilities.
It’s therefore no surprise that the government and lawmakers have intensified their efforts to strengthen security against vulnerabilities that could pose serious risks to public health. In April 2022, U.S. Senators introduced the Protecting and Transforming Cyber Health Care (PATCH) Act, with this intention, in particular, to ensure security across the supply chain.
The act called for “the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.” It also required manufacturers to present a thorough plan for addressing postmarket cybersecurity vulnerabilities in a timely manner. It was complimented by the FDA’s publication of a guide on medical device cybersecurity, focusing on how medical device manufacturers should develop cybersecurity measures for their devices. It then examined how they should handle pre and post-market controls and maintenance standards for medical device cybersecurity.
Governmental concerns about the vulnerability of medical device security had become so acute by October 2022 that the FDA released a video for clinicians to advise them on how to keep patients’ connected medical devices safe, and by November it had published an updated Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
SBOMs: The front line of security for medical tech
All this activity from the U.S. government points to the software bill of materials (SBOM) as the key tool for improving medical device cybersecurity and avoiding harmful vulnerabilities. SBOMs make it easier to monitor vulnerabilities, manage license compliance, and allow developers to understand dependencies across all the components in an application or device.
The PATCH Act prefigured the latest bill in demanding that manufacturers create a software bill of materials (SBOM) for their products and their components. The FDA has advocated the use of SBOMs for years, having published guidance in 2018 and put pressure on manufacturers to implement them. Although much of the healthcare sector supports the adoption of SBOMs, the industry’s efforts have previously been hampered by a lack of transparency and communication, as some manufacturers may have been reluctant to disclose that they use legacy components. The Consolidated Appropriations Act of 2023 includes some, but not all, of the language of the PATCH Act.
SBOMs are vital to software and application security, compliance, and supply chain security because they give software and application developers the necessary information to track supply chain relationships. They increase the transparency of software components and ensure products perform securely and as intended.
Related: A Guide to Standard SBOM Formats
Further ways to improve medical device cybersecurity
In line with the FDA guidelines, it’s clear that the responsibility for the security of hardware, software, and applications in any industry sector sits primarily with the producers, whether they are manufacturers or developers. Medical and healthcare devices are no exception.
Experts at the University of Minnesota Center for Medical Device Cybersecurity complemented the U.S. government’s moves last summer, when they held a forum to discuss penetration testing as a method to ensure safety and security in medical devices.
It’s acknowledged that security is most effective when it’s applied throughout the product or software development lifecycle (SDLC). So, producers and developers are encouraged to shift security left, and begin testing, scanning and remediating vulnerabilities as early as possible in the SDLC.
There are standards and tools available to help. In addition to individual national legislation and guidelines, you should ensure you adhere to international regulatory standards for medical devices or applications. These standards and their focuses are:
- ISO 14971: Risk management
- ISO 13485: Quality management systems
- IEC 62304: Defines the lifecycle processes of medical device software.
- IEC 61508: A regulatory framework for safety lifecycle activity across industries
These standards will tell you what you need to achieve, but what will help you do that? The answer, as previously mentioned, is to deploy tools to test, scan, and remediate vulnerabilities. Static application security testing (SAST) will scan a medical device’s proprietary source code to identify vulnerabilities therein, and the new generation of SAST tools will automatically fix the issue.
When you need to check open source code, components, and dependencies in medical devices or applications, software composition analysis (SCA) will identify and automatically remediate vulnerabilities there.
Finally, and critically, remember that security is a continuous process, not just from end-to-end (development, through production, to shipping/deployment) but constantly — “shift everywhere.” That’s because software is constantly changing, with new and updated components and dependencies being introduced all the time, which can cause new and unexpected vulnerabilities and threats. So, regularly testing, scanning, and remediating your code with the best tools available is the best practice for securing medical applications and devices with confidence, and protecting the health of patients everywhere.
