Cybersecurity is a pressing matter in most industries, and massive corporations are the most concerned about the potential risks of cyber attacks because they handle so much valuable data and operate global-scale services and products. The public sector, apart from government services departments, faces similarly large cyber-threats, yet these mostly go ignored.
Medical devices are particularly prone to criminal breaches because they are not built to be secure enough. Hospitals and healthcare delivery organizations have been demanding better security infrastructures from ‘Medical Device Manufacturers’ (MDMs) ever since infiltrations into public medical centers and their management systems became commonplace.
Gaping vulnerabilities in the security frameworks of the devices and machinery used in health care have increasingly been targeted by ransomware attacks of late. However, according to Christopher Gates, a principal security architect at Velentium, MDMs are now shifting their focus to bridging the gap between what health care institutions demand in terms of cybersecurity and what is being provided.
Legitimate Cause for Concern
The potential reasons for cybercriminal attacks being orchestrated against hospitals extend further than just gaining access to the healthcare systems’ network or controlling the hospitals’ entire databases or systems altogether. The other possible reasons include:
1. MDM Competition
Many of the algorithms and solutions hosted by medical devices that are readily available in the market are not the work of their respective MDMs. Instead of producing the solutions through several months or even years of research and development, the MDMs find it a lot cheaper and easier to hack into existing working algorithms and simply reverse-engineer them.
2. Pathways to Attacks on National Security
Hospital delivery organizations and medical devices constitute critical national infrastructure areas, paving the way to other areas of that infrastructure. Nuclear power plants may fall into those areas, therefore enabling state-backed cybercriminals to possibly aim their attacks towards securing cyber-weapons via extremely sophisticated techniques.
Further attacks could aim to disable medical responses to emergencies, an outcome that would leave little evidence given the lack of threat prevention and detection in these devices.
3. MD Recycle Industry
Used medical disposables constitute a multi-million dollar industry when they are re-enabled and sold. Once the device mechanism has been reverse-engineered, they can be reverted to factory settings.
The Biggest Vulnerabilities
Medical devices are essentially the access points and gateways that malware attacks use when infiltrating medical care systems and networks. They carry a plethora of existing vulnerabilities that are ready to be exploited and have only recently been recognized. The major weaknesses in medical devices include the following.
1. Physical breaches via unsecured debugging ports, sniffed internal buses, microcontrollers, etc.
2. Unsecured firmware updates, which could be reverse-engineered into obsolete versions that house more significant exploitable vulnerabilities
3. No communication authentication with other devices (such as lack of challenge-response pairing mechanisms)
4. Enabled manufacturing commands and support
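As an added illustration of the challenge-response pairing mentioned in item 3 (not code from the article or from any manufacturer), the sketch below shows a device authenticating a peer with a fresh nonce and an HMAC over a shared pairing key. The key provisioning, the device names and the `pair-v1` label are assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def _frame(*parts: bytes) -> bytes:
    # Length-prefix each field so field boundaries are unambiguous.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def respond(key: bytes, nonce: bytes, peer_id: bytes, device_id: bytes) -> bytes:
    """Peer side: prove knowledge of the pairing key without sending it."""
    # Both identities are bound into the MAC, so a response computed for
    # one device is not valid at another device holding the same key.
    msg = _frame(b"pair-v1", nonce, peer_id, device_id)
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Device side: one outstanding single-use challenge at a time."""

    def __init__(self, pairing_key: bytes, device_id: bytes):
        self._key = pairing_key
        self._device_id = device_id
        self._nonce = None

    def new_challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per attempt
        return self._nonce

    def check(self, peer_id: bytes, tag: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consume: blocks replay
        if nonce is None:
            return False
        expected = respond(self._key, nonce, peer_id, self._device_id)
        return hmac.compare_digest(expected, tag)  # constant-time compare


def demo() -> dict:
    key = secrets.token_bytes(32)      # constructed pairing secret
    pump = Verifier(key, b"pump-01")   # constructed device names
    tag = respond(key, pump.new_challenge(), b"prog-07", b"pump-01")
    out = {"valid": pump.check(b"prog-07", tag)}
    out["replayed"] = pump.check(b"prog-07", tag)   # no challenge pending
    pump.new_challenge()
    out["stale_tag"] = pump.check(b"prog-07", tag)  # tag is for old nonce
    bad = respond(secrets.token_bytes(32), pump.new_challenge(), b"prog-07", b"pump-01")
    out["wrong_key"] = pump.check(b"prog-07", bad)
    return out
```

Only the first attempt in `demo()` is accepted; the replayed tag, the tag reused against a new challenge and the response made with a different key are all rejected.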
Best Way to Prevent These Attacks
The MDMs need to build a culture of cybersecurity into their development processes and maintain best practices during operation. The vulnerabilities in medical devices usually arise from a lack of cybersecurity experience among the developers themselves. Developers emphasize the performance aspect more than the safety aspect, so the key to mitigating the potential risks is incorporating safety into all phases of the development cycle and the product life cycle.