Medical Device Security: Hacking Intelligent Medical Devices to Enhance Your Organization's Safety
Intelligent medical devices escalate rewards as well as risk. Learn how to decrease your health provider’s risk exposure.
By: Michael Aguilar, Principal Consultant - Secureworks Adversary Group
Adversarial testing is essential to ensure the safety of patients, the confidence of regulators, and the continued acceptance of a technology that is transforming healthcare for the better.
The market for intelligent medical devices is hot. The number of devices approved by the FDA increased 25% from 2019 to 2020.[1] Venture investments in new device development have grown an astounding 46% YoY to $12.5B as of May 2021.[2] And the Internet of Medical Things (IoMT) market, which accounts for just a portion of all smart medical devices, is projected to grow from $24.4B in 2019 to $285.5B in 2029.[3]
There are several reasons for this growth:
- IoT technology (including the increased computing power now available in small form factors and the increased network bandwidth available to healthcare facilities) has matured to the point that, given the proper development cycle, smart devices can now be trusted for use on the innards of live human beings.
- Smart devices can increase the effectiveness of medical treatments and help achieve consistently higher results across clinicians with a wide variety of experience and skill levels.
- Smart devices can enhance the productivity of clinicians—which is important to healthcare providers seeking to reduce costs and increase revenue.
- Smart devices generate high-value data that can be used to improve clinician practices, institutional treatment policies, insurers’ risk adjustment calculations, epidemiological insights, and more.
That’s the good news.
The bad news is that the use of such devices increases health providers’ risk exposure—and that the consequences of a cyberattack can go far beyond mere data theft. People’s health and safety are also on the line.
Understanding the Threats
The cyber-assault on healthcare, which probably began in earnest with WannaCry in 2017, is nothing new. In fact, given the sensitivity of healthcare data—as well as the potential consequences healthcare providers can suffer if they lose that data—it’s no surprise that attacks on healthcare infrastructure keep intensifying. HealthCareITSecurity.com, for example, reports that healthcare infrastructure attacks have risen 42% since 2019 alone, resulting in nearly 40.7 million patient records being compromised.
Intelligent medical devices create a whole new set of vulnerabilities for healthcare-focused malefactors to exploit. Many of the devices are especially vulnerable because they were built on programming languages, operating systems, or hardware platforms that we now realize are extremely vulnerable, such as the long-unsupported and deeply problematic Windows XP platform. Vulnerabilities have also been uncovered in both the Treck and Nucleus TCP/IP stacks, both of which numerous medical devices utilize.
And, of course, the vulnerabilities of these devices put more than just the devices themselves at risk. Because these devices are connected to the enterprise network, they can also give attackers a beachhead from which they can move laterally to compromise other assets. Even worse, our increasingly connected healthcare system makes it easier than ever for attackers to move between healthcare providers, insurance companies, government agencies, and other digitally linked parties.
Healthcare organizations cannot meet this threat by simply adding more security staff and technology. There just aren’t enough skilled cybersecurity professionals available on the market—and tightly constrained budgets won’t allow it anyway.
Trial by Fire
The new vulnerabilities created by the IoMT are, in many ways, analogous to those created by more general IoT, as we’ve learned from notable examples in the mainstream news this year. That’s why healthcare organizations undergo annual and/or bi-annual audits against HIPAA, ISO/IEC 27001, and other security standards.
Medical device manufacturers, for their part, need to understand and utilize the UL 2900[4] series of pre-market medical device security recommendations for connected medical devices. These frameworks facilitate the testing and hardening of devices to prevent unauthorized access, execution of malicious code, data loss, and other types of attacks.
Adversarial tests, however, are also an essential component of security assessment. Only by such tests can healthcare organizations determine the security worthiness of their end-to-end environments. After all, medical devices are more than just the functions they explicitly present via their user interfaces. As small as they may be, they are nonetheless complex computer systems comprised of multiple internal assets across a multi-layer technology stack. Every asset in this stack must be probed for weaknesses that could interfere with patient care, cause patient harm, or open the door to lateral movement that could lead to data compromise, ransom payments, regulatory penalties, and/or damage to an institution’s brand reputation.
The DEF CON community—or, more specifically, the BioHacking Village that is run at DEF CON events—has helped promote this kind of medical device security testing by providing a forum for hackers and medical device manufacturers to collaborate. That collaboration includes hackers working in the physical presence of manufacturer staff so that the two groups can have a live dialog about any issues they discover. They can even work on a Coordinated Vulnerability Disclosure, if necessary.
Leadership in Medical Device Security
Secureworks Adversary Group (SwAG) is deeply involved in the security issues surrounding the growing use of intelligent medical devices. At DEF CON 29 in August, for example, SwAG worked with the affected manufacturer to discover and release CVE-2021-3083, CVE-2021-3084, and CVE-2021-3085.[5]
More importantly, SwAG is the ideal partner for healthcare organizations seeking to ensure the medical device security of medical procedures involving intelligent medical devices in the context of their specific enterprise environment.
This is critical, because healthcare environments are comprised of numerous interconnected technologies: wired and wireless networks, physical and virtual servers, distributed and centralized storage, authentication tokens (such as personal badges), other IoT and IoMT devices, websites, and more. Mere off-the-shelf scanning tools are woefully insufficient in environments of such complexity because they don’t take into account the myriad ways bad actors can exploit the under-protected interstices between these elements—above and beyond any vulnerabilities inherent in the elements themselves.
SwAG instead leverages our proven testing methodologies and the exceptional skills of our staff to emulate actual threat actors’ tactics, techniques, and procedures (TTPs). They genuinely try multitudes of tactics—including phishing and social engineering, where appropriate—to uncover security weaknesses a threat actor could possibly find and exploit. And as you can tell from the case studies elsewhere on our site, those results are almost invariably both eye opening and readily actionable by our clients.
So whether you’re responsible for the security of a regional healthcare network or a device manufacturer preparing for FDA pre-market submission, we strongly encourage you to talk to us about the benefits of Secureworks® adversarial testing services. Healthcare technology is evolving quickly. That’s great news for care providers and their patients. Unfortunately, it’s also great news for the bad guys, too, because every new innovation opens up lots of new potential vulnerabilities. Secureworks is uniquely equipped to rebalance the odds back in your favor. Feel free to contact us if you’d like to discuss your evolving needs and new concerns.