
Cybersecurity for medical devices is critical for manufacturers and hospitals

Cybersecurity for medical devices is essential to safeguard patient health.

Technological advances are essential for caring for our health, but they also oblige manufacturers and hospitals to take the cybersecurity of medical devices into account.

22% of healthcare organizations (hospitals, medical centers, etc.) have suffered cyberattacks affecting their medical devices. This figure clearly shows the risks hospitals face and the importance of strengthening the cybersecurity of medical devices.

This is especially true when we consider that the healthcare sector is at the forefront of designing sophisticated technological tools that use software connected to the internet or Bluetooth, such as MRI machines, infusion pumps for administering medication, surgical equipment, insulin pumps that monitor patients to adjust their doses, and smart pacemakers.

The obvious advantages of using technology in healthcare also require addressing the cybersecurity of medical devices.

Otherwise, organizations in the sector risk very serious consequences for their patients’ health.

1. Public authorities are focusing on the cybersecurity of medical devices

It should therefore come as no surprise that standards and guidelines have been approved to ensure the cybersecurity of medical devices in both the European Union and the United States.

In fact, just a couple of months ago the FDA (the US Food and Drug Administration) updated its guidance on the cybersecurity of medical devices, in light of the risk that security incidents could render them inoperable and affect hospital operations and their ability to care for patients.

Likewise, law enforcement agencies, such as the FBI, have warned in recent years about the cybersecurity risks posed by medical devices and have focused on the use of obsolete medical equipment or equipment on which manufacturers’ security patches have not been applied.

They have also pointed out that the cybersecurity of medical devices is affected by the use of devices whose default manufacturer settings have not been modified or that were designed without meeting the cybersecurity requirements they should meet.

What are the cybersecurity requirements for medical devices? What can organizations do to strengthen the security of their technology? What services are key to cybersecurity in the healthcare sector?

2. Vulnerabilities in medical devices and how to prevent them

A study conducted by researchers at the University of Murcia analyzed multiple vulnerabilities in software and medical devices developed by key manufacturers in the sector and used in numerous hospitals worldwide.

What kind of vulnerabilities are we talking about? Faulty credential management, exposure of sensitive information, buffer overflows, and inadequate authentication processes.

The consequences of these vulnerabilities would include:

  • Access to confidential medical information that could be used to launch fraudulent campaigns or impersonate victims.
  • Incorrect administration of medication to patients.
  • Problems with the functioning of devices such as pressure gauges, heart monitors, or vital signs monitors.

Along the same lines, another study conducted by researchers at the University of Rome Tor Vergata warned that:

  • Vulnerabilities in medical devices are critical in 20% of cases, a figure significantly higher than in other devices.
  • Devices are not designed to maintain optimal protection throughout their life cycle.
  • The fact that medical devices have longer lifespans than generic software poses a security challenge.

Cybersecurity for medical devices is key to preventing criminals from obtaining sensitive information.

3. What do researchers recommend to strengthen the cybersecurity of medical devices and healthcare software?

  • Focus on the cybersecurity of hardware and healthcare software from the design phase and throughout the development process, conducting continuous security audits before equipment is released to the market and while it is in use.
  • Ensure security throughout the lifecycle of devices and programs by adhering to the highest cybersecurity standards and prioritizing resilience.
  • Limit unnecessary medical device connections.
  • Optimize communication channels between manufacturers and healthcare organizations to facilitate vulnerability reporting and the implementation of security patches.
  • Strengthen the regulatory framework and develop methodologies to facilitate the secure development of medical device software, such as the FDA guidance.
  • Provide greater transparency to the software supply chain by creating software bill of materials (SBOM) inventories for the software used in medical devices.
  • Develop cybersecurity strategies to manage risks, address vulnerabilities, and prevent the use of obsolete or outdated equipment.

4. Risks of not ensuring an adequate level of cybersecurity for medical devices

The exploitation of vulnerabilities in medical devices or unauthorized access to them through social engineering techniques can have extremely serious repercussions for people’s well-being:

  • Manipulation of device operation. If an insulin pump delivers the wrong dose to a patient, it can seriously affect their health.
  • Theft of confidential patient medical data.
  • Devices ceasing to function or having to be disconnected to contain an attack.
  • Paralysis of hospital or medical center activity when essential functions, such as diagnosis, treatment, or patient monitoring, are affected.
  • Impact on interventions critical to people’s health and even their lives.

In addition to these consequences in the healthcare sector, there is also the economic, reputational, and legal damage that a security incident can cause:

  • Substantial economic losses due to the disruption of hospital operations: patient referrals, longer stays, manual management of multiple tasks, delays in appointments and surgical procedures, etc.
  • Penalties for violating data protection regulations and costly compensation if patients’ medical information is used to attack or extort them.
  • Undermining patient confidence in a healthcare organization, medical centers, or a medical device manufacturer.

That is why investing in the cybersecurity of medical devices is not a secondary issue but an absolutely strategic, priority one for organizations in the sector.

5. IoT medical devices are becoming increasingly common in homes and must be protected

Although we generally think of medical devices as used in hospitals, the truth is that in recent years there has been a proliferation of smart devices that patients carry in or on their bodies, such as smart pacemakers, or use in their homes, such as CPAP machines to treat sleep apnea.

These smart devices can also have vulnerabilities that malicious actors can exploit, such as those related to their internet or Bluetooth connections.

What could be the consequences of malicious actors accessing these devices? Similar to those listed in the previous section: theft of medical data, manipulation of equipment operation, and so on. To these we must add a very disturbing threat: attackers can learn where a person is through the medical devices they use.

For example, if a hostile actor can tell whether or not a smart CPAP machine is in operation, they can infer whether or not a person is at home and even decide to burglarize the home during their absence.

In other words, the cybersecurity of medical devices can become key to preventing malicious actors from tracking where their victims are. This is especially important when the targets are people of interest, such as business leaders or political figures.

The healthcare sector is critical from a cybersecurity perspective

6. What the MDR regulation says about the cybersecurity of medical devices

The European Medical Device Regulation (MDR) establishes several cybersecurity requirements for medical devices that use software, which the companies that develop them must comply with:

  • Medical devices must be «safe and effective» and not compromise «the clinical condition or safety of patients». In addition, the risks associated with them must be «acceptable in relation to the benefit they provide to the patient and compatible with a high level of safety and health protection».
  • Products must be manufactured «in such a way as to minimize any potential risks».
  • Products that include software, as is the case with many medical devices, must be designed «in such a way as to ensure repeatability, reliability, and performance in line with their intended use». In addition, «the principles of development life cycle, risk management, including information security, validation, and verification» must be taken into account in their development.
  • The instructions for use of the devices must include the IT security measures implemented to protect them from unauthorized access.
  • Companies that develop medical devices must implement risk control measures from the design stage and eliminate or reduce risks through safe design and manufacturing procedures.
  • Manufacturers must have a risk management system in place throughout the life cycle of a product, including the development of regular systematic updates.

Therefore, manufacturers are required to ensure the cybersecurity of medical devices from design through their life cycle.

7. How to strengthen the cybersecurity of medical devices

Beyond the recommendations outlined throughout this article, it is essential that both the companies that develop and market software-equipped medical equipment and the hospitals and centers that use it rely on essential cybersecurity services such as:

  • Continuous security testing: source code audits, IoT security audits, Bluetooth security assessments. Continuous testing is critical for detecting vulnerabilities in equipment before malicious actors exploit them.
  • Vulnerability management. Both product developers and hospitals must have an effective system in place to manage device vulnerabilities, prioritize their mitigation based on potential impact and likelihood of exploitation, and respond with the utmost diligence to emerging vulnerabilities.
  • Penetration testing. Hospitals can conduct advanced intrusion testing to detect critical vulnerabilities in their equipment that could be exploited by malicious actors to disable equipment, alter its operation, or extract sensitive data.
  • Incident response. Healthcare organizations need to have an incident response plan developed by an Incident Response team. In an area as sensitive as healthcare, not only does every minute count, but acting in a less-than-diligent manner can directly affect people’s well-being. A well-prepared incident response service can identify the scope of the compromise, contain the malicious actor, expel them, and ensure that a hospital or healthcare facility returns to normal as quickly as possible, without affecting its essential functions.
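The SBOM recommendation in section 3 and the vulnerability management point above come together in practice as a single routine task: match the components listed in a device's SBOM against published advisories and rank what must be patched first by impact and likelihood of exploitation. The following Python script is an added example written for this article, not code from the original page or from any manufacturer. The CycloneDX-style SBOM for an infusion-pump firmware and the advisory feed it uses are constructed inline; component names, versions and the ADV-… identifiers are hypothetical, not real products or CVEs. It also handles the common real-world defect of a component listed without a version, which it conservatively treats as affected rather than silently skipping.

```python
"""Triage a medical-device firmware SBOM against a vulnerability feed.

Added example (not from the original article or any vendor). The SBOM and
the advisory feed below are constructed for illustration: component names,
versions and advisory IDs are hypothetical, not real products or CVEs.
"""
import json
import re
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM for a hypothetical infusion-pump firmware.
# "legacy-hl7" deliberately has no version, a frequent defect in real SBOMs.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "pump-firmware", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "libtls-embedded", "version": "1.2.3"},
    {"type": "library", "name": "ble-stack", "version": "0.9.7"},
    {"type": "library", "name": "json-parse", "version": "2.0.1"},
    {"type": "library", "name": "legacy-hl7", "version": ""}
  ]
}
"""

# Constructed advisory feed (hypothetical IDs). A component is affected when
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-2024-0001", "component": "libtls-embedded", "introduced": "1.0.0",
     "fixed": "1.2.4", "cvss": 9.8, "exploited": True,
     "summary": "buffer overflow in handshake parsing"},
    {"id": "ADV-2024-0002", "component": "ble-stack", "introduced": "0.9.0",
     "fixed": "1.0.0", "cvss": 6.5, "exploited": False,
     "summary": "pairing accepts weak default PIN"},
    {"id": "ADV-2024-0003", "component": "json-parse", "introduced": "1.0.0",
     "fixed": "2.0.0", "cvss": 7.5, "exploited": False,
     "summary": "stack exhaustion on deeply nested input"},
    {"id": "ADV-2024-0004", "component": "legacy-hl7", "introduced": "0.0.0",
     "fixed": "3.1.0", "cvss": 8.1, "exploited": True,
     "summary": "hard-coded credentials"},
]


def parse_version(text):
    """Turn '1.2.3' into (1, 2, 3); return None for an empty or malformed field."""
    if not re.fullmatch(r"\d+(\.\d+)*", text or ""):
        return None
    return tuple(int(part) for part in text.split("."))


def in_range(version, introduced, fixed):
    """Semver-style check using tuple comparison: introduced <= version < fixed."""
    return parse_version(introduced) <= version < parse_version(fixed)


@dataclass(order=True)
class Finding:
    priority: float      # sort key; higher means patch first
    component: str
    version: str
    advisory: str
    reason: str


def triage(sbom_json, advisories):
    """Match SBOM components against the feed and rank them most-urgent first.

    Priority = CVSS base score, plus 10 when the advisory is known to be
    exploited in the wild, so an actively exploited medium beats an
    unexploited critical. A component with no version cannot be cleared, so
    every advisory for it is assumed to apply (conservative default).
    """
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        name, raw_ver = comp["name"], comp.get("version", "")
        ver = parse_version(raw_ver)
        for adv in (a for a in advisories if a["component"] == name):
            if ver is None:
                reason = "version missing in SBOM; assumed affected: " + adv["summary"]
            elif in_range(ver, adv["introduced"], adv["fixed"]):
                reason = adv["summary"]
            else:
                continue  # fixed version already shipped in this firmware
            prio = adv["cvss"] + (10.0 if adv["exploited"] else 0.0)
            findings.append(Finding(prio, name, raw_ver or "<missing>", adv["id"], reason))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for f in triage(SBOM_JSON, ADVISORIES):
        print(f"{f.priority:5.1f}  {f.component:16} {f.version:10} {f.advisory}  {f.reason}")
```

Run as-is it lists three findings: the exploited TLS overflow first, then the unversioned HL7 library (flagged because it cannot be ruled out), then the Bluetooth pairing weakness; the JSON parser is skipped because the shipped version is past the fix. In a real deployment the advisory feed would come from the manufacturer's coordinated disclosure channel or a vulnerability database, and the version matching would need the richer range syntax those feeds use, but the triage logic, and the refusal to ignore unversioned components, stay the same.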

In short, cyberattacks against the healthcare sector are not limited to ransomware and the theft of medical data and patients’ personal and financial information. The cybersecurity of medical devices will become increasingly important as the technology that protects people’s health continues to advance.

It is therefore essential that both device manufacturers and organizations in the sector have strategies in place to increase their resilience and strengthen the cybersecurity of medical devices.