Intertech Engineering Associates, Inc.

Medical Device Cybersecurity Introduction and Attack Types

Medical Device Cybersecurity Introduction and Attack Types

Medical device manufacturers have been aware of the importance of Cybersecurity for several years and the FDA has been publishing guidance on it since 2005.

The responsibility for cybersecurity is shared among the various stakeholders one of whom is the medical device manufacturer. Device manufacturers have recognized both the business and regulatory imperatives to address this through the design and development process.

The FDA has indicated through the cybersecurity guidance documents and a publication that it feels the responsibility for the manufactures to address cybersecurity is implied in the Quality System Regulations (QSRs). Specifically, the need for manufacturers to assess cybersecurity risk and develop product requirements to address any vulnerability as part of software validation and risk analysis.

Several of the FDA guidance documents recommend that device manufacturers develop a set of controls to both assess and maintain functionality and safety in the presence of cybersecurity threats. This assessment is recommended to start during the development and encompasses the definition of “design inputs” related to cybersecurity.

Like other risk management perspectives, business, and product, addressing cybersecurity needs to be considered throughout the development process.

To understand how a company should consider approaching these regulatory requirements it is helpful to start by understanding the potential motivations and nature of the attacks seen to date. Although we should anticipate that new attack methods will be developed, minimally we need to address known methods.

1. Cybersecurity Attack Types

Almost all cyber-attacks are financially motivated however some attacks are for disrupting services or causing harm to other individuals.

1.1. Financially Motivated Attack Types

  • Ransomware – a computer malware that encrypts the victim’s data holding it hostage until a ransom is paid out. With over 50% of organizations being attacked by ransomware, it is the #1 cybersecurity concern. In 2016, 88% of ransomware attacks occurred in hospitals. Hospitals are vulnerable. They average 10 to 15 connected devices per bed7. One vulnerable medical device can compromise the data server.
  • In general, only 5% of organizations pay data ransoms. However, hospitals payout more often, faster, and for larger $ amounts. Hospitals are unable to function without access to medical records risking the health of patients and large HIPAA fines.
  • Doxware – like ransomware however instead of encrypting the data, the attacker threatens to publish the data. There is a rising trend for this sort of attack. — patient data breaches can result in millions of dollars in fines by HIPAA. The Top 10 HIPAA settlements cost hospitals over $33.15 million.
  • Medical Data Black-market – The average profit per medical record is about $20,000. The information in medical records can be used for medical billing fraud as well as identity theft and other big-money scams. There used to be a valuable market for this, however, the market is now saturated with about 112 million records stolen in 2015 alone. In 2012 the street value for medical records was about $50 each and it has dropped down to $1.50 – $10.00. Also, the payouts tend to take much more time. Thus, Ransomware and Doxware attacks are much more common.

1.2. Intent to Cause Patient Harm

A hacked medical device can be used to cause serious injury and even death. Researchers have shown how to compromise many Class III and Active implantable medical devices.

  • Pacemakers – include functionality to wirelessly transmit patient data and device performance data to a remote monitor (i.e. programmer) and to receive settings and commands from the programmer. These devices can communicate up to 50 feet away to a programmer. They are often secured by a 4-digit pin that is hardcoded and usually published in the device’s service manual. A compromised device could send a fatal shock to the user. For this reason, in 2007, former VP Dick Cheney had the wireless feature of this pacemaker turned off.
  • Insulin Pump – Researchers have shown that with a $20 RF transmitter that could be purchased on eBay, they could take control of a wireless insulin pump at a distance of 300 feet and cause it to dispense random doses or disable it all together.
  • Occurrence – There have not been any reports of medical device hacking causing patient harm14. Nevertheless, since the effects of such an attack could have a high severity, medical device companies must take harms due to cybersecurity into consideration when designing devices.

1.3. Disruption of Services

Often times cyber attackers employ malware to disrupt organizations and services. A common way this is done is through the use of botnets, a group of computers or devices compromised with malicious software15. Botnets can also be used for stealing data or even controlling building systems for things like climate control and fire protection.

  • Botnets – Can be used to perform Distributed Denial of Service attacks, stealing data, and sending an unwanted email (spam). A powerful botnet network requires many connected devices and the sheer number of Internet-connected consumer devices heavily outweighs the number of medical devices. While this is not common for medical devices it does not mean a medical device can’t be turned into a botnet.

Botnets are usually deployed by automated scripts that affect thousands of devices and often do not discriminate between medical devices and non-medical devices. If any medical devices are not securely protected they are often susceptible to such attacks.

Leave a Reply

Your email address will not be published. Required fields are marked *