
Medical Device Vulnerability: How the FDA Recommendations Could Have Prevented Previous Attacks

Kelly-Ann Downer


In April of 2022, the Food and Drug Administration (FDA) published a guidance document, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submission,” suggesting factors medical device manufacturers should consider when developing products. In the document, the FDA highlighted three key points from the Secure Product Development Framework (SPDF) that bear repeating given the continuous development in technology. More medical devices are becoming interconnected, meaning that an attacker who gains access to one device on a network may be able to access and control other devices on the same network. Cybersecurity controls need to be built into systems, and their effectiveness should be tested to ensure the safety of devices.

The first point highlighted in the SPDF is Security Risk Management. This strongly encourages manufacturers to look at the likelihood of occurrence by doing threat modeling, tracking third-party software components, and tracking security assessments of unresolved anomalies. The second point is Security Architecture, which encourages a look into the ways the device will be connected and the security controls that need to be in place to protect against unauthorized access to the device and its operation. Lastly, there is Cybersecurity Testing, which simply means testing devices before deployment to find any issues that need to be fixed.

In the past five years, researchers have discovered vulnerabilities in medical devices after they had already been deployed. If manufacturers had taken the suggestions of the FDA more seriously, some of the flaws could have been detected earlier. Let’s examine three examples of medical device vulnerabilities and how the recommendations from the FDA could have avoided these issues.

In 2018, researchers Billy Rios and Dr. Jonathan Butts discovered a bug in the Medtronic cloud updating software which could allow a low-skilled attacker to reprogram the software and disrupt the device. When they reported this issue to Medtronic, it took ten months to resolve. Had Medtronic done Cybersecurity Testing to find flaws in the updating software and looked at the Security Architecture to examine access to the device, this issue could have been found. Strict access controls, allowing only authorized users to update the system, would be the solution to the issue. The response to this issue was also concerning; manufacturers need to act swiftly to resolve issues.

The second example was a vulnerability found in an insulin pump in 2020 by the IBM Research Team. The flaw existed in the circuit board that enabled mobile communication. Thankfully, a patch for the flaw was created and users were encouraged to update their systems. Testing of the device beforehand could have found unknown issues, and looking at the Security Architecture could have helped developers see the flaw that allowed unauthorized communication to the device. Another important control that should be implemented is logging. Logs would document the messages being sent to the pump and could be used to alert users if there was unauthorized access.

Lastly, the SweynTooth vulnerability was found in 2020 by researchers at Singapore University. This vulnerability comprises twelve flaws affecting wearable devices and larger medical equipment, including electrocardiograms, patient monitoring devices, and ultrasounds. Many of these devices use Bluetooth Low Energy (BLE), which can be very insecure as it can allow random pairing. They are also built on a System on Chip (SoC), which is known for not being easily upgradeable. A combination of these issues can allow attackers to put the system in a deadlock and stop it from working. Some of these devices were able to be patched; however, some are still vulnerable due to the difficulty of upgrading the hardware component. All three SPDF components apply here: Security Risk Management would involve threat modeling to find these flaws, and Security Architecture would involve looking at how the device would be connected and its operation. Finally, Cybersecurity Testing could provide a practical analysis of the system to find any errors. Since these devices use BLE, there should already have been controls such as alerts if the pairing is reconfigured.
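The logging control suggested for the insulin pump and the pairing alerts suggested for BLE devices can be sketched as a single audit pass over a device event log. This is an added example, not code from the article or from any manufacturer; the log format, peer names and allowlist are constructed assumptions.

```python
import re

# Constructed sample log; the line format and peer names are assumptions.
SAMPLE_LOG = """\
2020-03-01T08:00:00Z PAIR peer=ctrl-01
2020-03-01T08:05:00Z CMD peer=ctrl-01 op=read_status
2020-03-01T09:10:00Z CMD peer=unknown-7f op=set_dose
2020-03-01T09:12:00Z PAIR peer=unknown-7f
2020-03-01T09:13:00Z CMD peer=unknown-7f op=set_dose
2020-03-01T09:20:00Z UNPAIR peer=ctrl-01
2020-03-01T09:21:00Z CMD peer=ctrl-01 op=read_status
garbled line
"""

PROVISIONED = {"ctrl-01"}  # controllers enrolled for this device (assumed allowlist)
LINE_RE = re.compile(r"^(\S+) (PAIR|UNPAIR|CMD) peer=(\S+)(?: op=(\S+))?$")


def audit(log_text, provisioned):
    """Return (timestamp, alert_type, detail) tuples for suspicious events."""
    paired = set()  # peers currently paired, rebuilt from the log itself
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            # Report records that cannot be parsed instead of skipping them:
            # a gap in the audit trail is itself a finding.
            alerts.append((None, "unparseable_record", line))
            continue
        ts, kind, peer, _op = m.groups()
        if kind == "PAIR":
            # Pairing with a peer outside the allowlist is a reconfiguration.
            if peer not in provisioned:
                alerts.append((ts, "pairing_reconfigured", peer))
            paired.add(peer)
        elif kind == "UNPAIR":
            paired.discard(peer)
        elif peer not in paired or peer not in provisioned:
            # A command must come from a peer that is both paired and enrolled.
            alerts.append((ts, "unauthorized_command", peer))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, PROVISIONED):
        print(alert)
```
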

The FDA’s strong recommendations to manufacturers on the development of safe medical devices provide great insight. However, manufacturers need to take these recommendations more seriously, and they need to be held more accountable and be more proactive in integrating cybersecurity during production. As seen with the three cases above, the use of SPDF can help reduce the deployment of vulnerable medical devices. As technology advances these cases will increase, and it is up to manufacturers to provide safe and reliable devices. Continuous research and testing of hardware and software need to be done before distribution to reduce the possibility of attacks. Medical devices should aid health, not carry vulnerabilities that undermine it.