Rapid advances in medical technology prolong patients’ lives and provide them with a higher standard of living than years past. But the increased interconnectivity of those devices and their dependence on wired and wireless networks leave them susceptible to cyberattacks that could have severe consequences.
Whether it’s an implantable defibrillator that transmits data to a cardiologist, an infusion pump that allows a nurse to monitor a patient’s vital signs, or even a smartwatch that logs wellness routines, these instruments broaden the attack surface bad actors can exploit.
In 2017, hospitals around the world were victimized during the large-scale WannaCry ransomware attack. The National Health Service assessed that across England and Scotland, 19,500 appointments were canceled, 600 computers were frozen, and five hospitals had to divert ambulances. In August 2022, a French hospital was subject to a ransomware attack on its medical imaging and patient admission systems, and a similar ploy targeted another nearby hospital a few months later. HIPAA Journal, citing data from Check Point Research, reported in November that an average of 1,426 cyberattacks on the healthcare industry took place each month in 2022 — a 60% increase year over year.
The medical devices themselves are rarely of interest to cyber criminals, who use them as a way to access network infrastructure and install malware or obtain data. They have also recognized that software isn’t the only way in: The hardware that powers all devices, semiconductor chips, is drawing increased attention due to security vulnerabilities that can be remotely accessed and exploited. Vulnerabilities in software can be patched, but it’s more complex and costly to fix hardware issues.
Limited oversight of the cybersecurity of medical devices has created an environment that’s ripe for exploitation. We must begin asking questions that lead to proactively addressing these hardware vulnerabilities and develop ways to overcome the complications associated with securing a vast array of instruments before something dramatic happens.
Range of devices, shared networks among security issues
The Food and Drug Administration (FDA) has periodically released reports on the importance of securing medical devices — including in March 2020, when it raised awareness of a vulnerability discovered in semiconductor chips that transmit data via Bluetooth Low Energy. But the modern patient care environment is so heavily reliant upon interconnectivity that minimizing cybersecurity risks can be a monumental task.
In its warning, the FDA urged the seven companies that manufactured the chips to talk to providers and patients about how they can lessen the risks tied to that vulnerability. It also acknowledged that any repairs wouldn’t be simple because the affected chips appear in pacemakers, blood glucose monitors, insulin pumps, electrocardiograms, and ultrasound devices.
According to a report issued by Palo Alto Networks’ Unit 42 cyber threat research department, medical instruments and IT devices share 72% of health care networks, meaning malware can spread between computers and imaging machines — or any combination of electronics — rather seamlessly.
Medical devices’ long lifecycles can also make securing them challenging. Although they can still function as intended, they may run on an outdated operating system (OS) that can be costly to upgrade. Scanners such as MRI and CT machines are targeted because of their outdated OS; according to the Unit 42 report, only 16% of the medical devices connected to networks were imaging systems, but they were the gateway for 51% of attacks. The Conficker virus, first detected in 2008, infected mammography machines at a hospital in 2020 because those devices were running on Windows XP — an OS that no longer received mainstream support from Microsoft as of 2014.
And, because of their seemingly niche functions, many medical devices weren’t constructed with cybersecurity in mind. Few security scanning tools exist for instruments that run on a proprietary OS, making them ripe for attacks. In September, the FBI issued a warning to healthcare facilities about the dangers associated with using outdated medical devices. It highlighted research from cybersecurity firms that showed that 53% of connected medical devices have known critical weaknesses stemming from hardware design and software management. Each susceptible instrument has an average of 6.2 vulnerabilities.
When we consider the number of devices in use around the world, the way they are used, and the varying platforms they operate on, it’s apparent that such a broad attack surface presents a significant threat.
Documenting vulnerabilities offers a path forward
Fixing hardware flaws is complicated. Replacing affected semiconductor chips, if even possible given the age and functionality of the device, takes considerable resources and can lead to a disruption in treatment.
Hospitals and other patient care centers aren’t often prepared to defend the broad attack surface created by their use of hundreds of medical devices. Guidance from organizations such as the FDA — the latest of which was released in April, two months before a bipartisan bill that mandated the organization update its recommendations more frequently was introduced in the Senate — only goes so far. Manufacturers must prioritize the security of the semiconductor chips used in medical devices, and consumers throughout the supply chain must ask questions about vulnerabilities to ensure greater consideration is being put into the chips’ design and large-scale production.
A hardware bill of materials (HBOM), which records and tracks the security vulnerabilities of semiconductor chips from development through circulation, is an emerging solution. It can help ensure defective or compromised chips aren’t used — and if they are, in the case of Apple’s newest M1 chips, which have noted design flaws, would allow the weaknesses and repercussions to be thoroughly documented. Plus, even if a vulnerability is identified in the future, manufacturers can undertake a forensic review of the semiconductor chip’s design to determine which devices are susceptible to certain attacks.
By knowing the specific weaknesses in the hardware, you can prevent it from being exploited by cyber criminals and causing devastation across medical facilities.
Risks, outcomes show a high level of urgency
Emerging technology has gotten in the way of the safe operation of medical devices before. In 1998, the installation of digital television transmitters caused interference with medical devices at a nearby hospital because the frequencies they used overlapped. What’s different today, however, is that outside actors can target the power they exert over these instruments — but it’s preventable.
The increasing potential of attacks on semiconductor chips in networked medical devices demonstrates how savvy cyber criminals are becoming. Although advances in technology have made these devices a routine part of care around the globe, they’re also introducing security vulnerabilities given their interconnected nature. Patients can be exposed to serious safety and cybersecurity risks, and we must act now to shore up those vulnerabilities before something catastrophic occurs.
Also Read:
ASIL B Certification on an Industry-Class Root of Trust IP
Validating NoC Security. Innovation in Verification
NIST Standardizes PQShield Algorithms for International Post-Quantum Cryptography
Share this post via:
Next Generation of Systems Design at Siemens