How can manufacturers improve responses to medical device cybersecurity vulnerabilities?

Medical devices present a great cybersecurity challenge, given their closeness to confidential patient data, not to mention the patients themselves. To compound the issue, a single medical device can have a lifespan of up to 20 years due to a lack of funding and personnel to update them on a regular basis (1). For this reason, many devices often run on obsolete operating systems or have vulnerabilities that have gone unpatched.

These issues cause complications in confronting the threat already posed by hackers who use ingenious methods to compromise medical devices. One such method is monitoring a network with connected medical devices and studying the error messages they generate during normal operation. By leveraging the sensitive software and hardware information the errors often show, hackers can launch a focused attack on those devices (2).

To protect medical devices against these threats, there is a need for an efficient process, involving all stakeholders, to identify and address security gaps. Steps have been made toward this ideal, starting with the FDA cybersecurity guidance. Since its release in 2016, the number of cybersecurity advisories disclosed has been increasing and is projected to double this year, compared to 2017 — with nearly half of them categorised as critical or high (3).

While it is fortunate that there are improvements being made in how medical device cybersecurity concerns are handled, the healthcare industry still lags behind other sectors in this regard.

The number of medical device advisories is projected to double in 2018 (3).

Since the release of the FDA guidance, the amount of critical and medium level disclosures have increased significantly (3).

Identifying where improvements should be made

A recent example of a slow response to a vulnerability is a Fortune 500 medical device company  that came under intense scrutiny for its mishandling of product vulnerabilities. The latest concerned the company’s portable computer system, which is used to program and manage cardiac devices and runs on the outdated Windows XP operating system (4).

Researchers from a cybersecurity firm showed that it was possible to hack the device with a fake software deployment network and gain control of any connected devices. This allowed attackers to, for example, remotely disable an implantable insulin pump or take control of a pacemaker system to deliver malware directly to the computers implanted in a patient’s body (5).

The researchers had first reported the exploit to the manufacturer 570 days before its public announcement (5). While the company initially downplayed the risk, it later acknowledged that its response was lacking and pledged to hasten the evaluation and reporting of risks to authorities. Since then, it has released four advisories and an update to its advisory concerning the computer system (5).

A second example is of a different Fortune 500 company’s terminal server that provides administration capabilities to a variety of bedside medical devices connecting to hospital networks. The server uses a web management interface based on RomPager, an embedded web server product commonly use in Internet of Things devices, which has been known to be vulnerable to an exploit called “Misfortune Cookie” (6).

A healthcare cybersecurity research group discovered Misfortune Cookie in the terminal server and found that the exploit can create an arbitrary write to the memory without authentication, letting attackers login without credentials, gain administrator-level privileges, or crash the system — harming server availability and the network connectivity of linked medical devices.

The FDA’s 2016 cybersecurity guidance aimed to mitigate similar cyber security threats by placing emphasis on collaboration between stakeholders. In the case of the terminal server, the manufacturer’s response to the vulnerability follows the FDA’s guidance, where after being notified by the cybersecurity firm, it worked to validate the vulnerability, notify customers, and provide a workaround and an update to the device’s firmware.

While the response was commendable, Misfortune Cookie was publicly known for at least four years before its discovery in the server, showing that there is still room to improve the rate at which vulnerabilities are found and addressed (6). The full details regarding the impact of this vulnerability can be found in this advisory.

Take action to ensure security of your device

To enhance the safety of medical devices, the FDA plans to take actions to provide a robust regulatory framework. The agency has requested additional authority from the United States Congress to require manufacturers to make their devices patchable and to have hospitals set up programs for security researchers to contact them when a vulnerability is found (1). The FDA also has plans to set up a CyberMed Safety Analysis Board in the 2019 fiscal year to provide oversight for digital risks, which can include investigating suspected incidents of compromise, assessing vulnerabilities and adjudicating disputes (1,7).

At ICON, we recommend the use of a cybersecurity vulnerability assessment tool to alert manufacturers of a device’s risks. Our cybersecurity experts can assist in the development of programs that proactively control risks and stay on top of vulnerabilities as they arise. To learn more, please contact us at