Update: More Alerts About Medical Device Security FlawsLatest Advisories a Reminder of Legacy Product Risks
Several recent advisories from federal regulators concerning newly identified vulnerabilities in certain medical devices serve as the latest reminders of the risk management challenges involved.
The alerts point to the need for healthcare organizations to stay current on newly identified medical device flaws and take steps to remediate risks, including prompt software patching and segmenting devices on networks.
A series of recent advisories from the Department of Homeland Security's U.S. Computer Emergency Response Team, or CERT, deals with products from Philips and Medtronic that have vulnerabilities - including weak encryption, improper authentication, and hard-coded credentials - that can potentially put the equipment at risk for unauthorized access or cyberattacks.
Both manufacturers say there has been no evidence these vulnerabilities have been exploited, resulting in security incidents or patient harm.
One alert deals with inadequate encryption strength in the Philips IntelliBridge EC40/80, a product intended to transfer medical device data from one format to another according to preset specifications.
CERT notes that the issues were identified by the medical technology solutions team of New York-Presbyterian Hospital, which informed Philips that "the SSH server running on the affected products is configured to allow weak ciphers." An SSH server is a software program that uses the secure shell protocol to accept connections from remote computers.
The vulnerability could enable an unauthorized attacker with access to the network to capture and replay the session and gain unauthorized access to the EC40/80 hub, CERT says. Philips, which has issued an advisory about the vulnerability, which is exploitable from an adjacent network.
The company plans to issue a new release to remediate this issue by the end of third quarter of next year.
Medical Device Generator Flaws
Two other recent CERT advisories address Medtronic generator products that power some of the company's medical devices.
One alert spotlights improper authentication and protection mechanism failure in the Medtronic Valleylab FT10 and LS10. Those products are energy platforms for certain surgical applications/devices.
"Successful exploitation of these vulnerabilities may allow an attacker to connect inauthentic instruments to the affected products by spoofing RFID security mechanisms," the CERT advisory states. "This may lead to a loss of performance integrity and platform availability due to incorrect identification of instrument and associated parameters."
Medtronic, which discovered the problem and alerted CERT, issued its own advisory.
Medtronic released a software update for certain versions of the Valleylab FT10 generator, which mitigates the security vulnerability. The company will notify customers when a software update for the LS10 generators is available.
Use of hard-coded credentials, reversible one-way hash, and improper input validation vulnerabilities were the subject of a separate recent CERT advisory concerning the Medtronic Valleylab FT10 and FX8.
"You need a champion in your organization to keep a watch and hold these medical device companies accountable."
—Curt Kwak, Proliance Surgeons
"Successful exploitation of these vulnerabilities may allow an attacker to overwrite files or remotely execute code, resulting in a remote, non-root shell on the affected products," the CERT advisory states. "By default, the network connections on these devices are disabled. Additionally, the Ethernet port is disabled upon reboot. However, it is known that network connectivity is often enabled."
In its advisory about the problems, which were also discovered by Medtronic, the company says: "Medtronic has added security enhancements into a software update. These enhancements will mitigate the identified security vulnerabilities and protect the Valleylab device from malicious intrusion." The update is available for certain versions of the FT10 generators. The company will alert customers when an update for the FX8 generators is available.
Critical Risk Mitigation Steps
Former healthcare CISO Mark Johnson, who's now with the consultancy LBMC Information Security, says that when addressing issues such as those spotlighted by the recent advisories, it's important for healthcare organizations to follow several critical steps.
"Segment these devices from untrusted networks," he says. "Network segmentation or in the case of medical devices, micro-segmentation is critical to protect these devices.
"Patching is also vital. But some of these vulnerabilities don't have released patches yet. In one case the vendor [Philips] indicates that it will have new releases that will address the concerns by the end of the third quarter 2020. That's a long time to live with the risk."
"Manufacturers need to be very knowledgeable when they create these devices in terms of understanding what the security practices are when they actually design them, and what the action plan is if there are vulnerabilities found later on," says Jennifer Covich Bordenick, CEO of the eHealth Initiative and Foundation. The device makers should develop plans for quickly providing patches and updates to address issues that are discovered years down the road, she adds.
The eHealth Initiative and Foundation recently issued a study with consulting firm Booz Allen Hamilton about connected medical devices.
Healthcare entities also need to be prepared to deal with newly identified vulnerabilities in legacy devices, says CIO Curt Kwak of Proliance Surgeons, a surgery practice in Washington state.
"For the legacy medical devices, try to maintain and upkeep the latest patches and controls in those systems to at least give a chance to protecting yourselves," he says. Healthcare entities must monitor their device makers' technology roadmaps and deliverables and "hold them accountable if they are unable to deliver on their promises," he says.
"You also need a champion in your organization to keep a watch and hold these medical device companies accountable. Whether that's in supply chain, facilities or IT, someone needs to be fully responsible for this."
Kwak says medical device cybersecurity will persist as a major challenge. "This isn't about a technology solution that would integrate everything," he says. "Rather, there needs to be the development of a more collaborative and integrated culture that sees the need and urgency to address this as a whole."
Johnson, the consultant, predicts alerts about medical devices vulnerabilities will continue to be released. "And I predict that we will see more and more of remotely exploitable vulnerabilities in 2020," he adds. "We may see some level of patient safety concern directly attributed to a cyber event. This may be an intentional attack against med devices, or their may be collateral damage."
If that happens, regardless of the intention of the attack, "we will begin to hear an outcry for increased governmental action," Johnson says. "Then we will see some governmental reaction to address or mandate healthcare do something to protect these devices. What exactly that will be is too hard to tell."