Saturday, February 10, 2024

How To Correct Medical Device Cyber Weaknesses: 2 Golden Tips

The US Healthcare system has been regarded as one of the best in the world.  A lot of this has to do not only with the extensive training that future doctors, nurses, and other practitioners have to undergo, but also with the fact that we are blessed with all of the advanced technology in the world.  Not many countries can say the same.

But there is one area in our great healthcare system that is still lacking:  Yep, you guessed it, it has to do with our Cybersecurity.  Attackers still love to pounce on the targets here, especially when it comes to the heisting of patients’ information and data.  But there is yet another area where the damage can be even more severe:  Implanted medical devices.

A good example of this is the pacemaker.  It is used to control the heartbeat so that it maintains a proper rhythm.  But it is now also accessible via radio control by the patient’s doctor.  While this is a good thing, it can be a bad thing as well, because a Cyberattacker could also take control of the pacemaker and literally kill the patient wherever they are.

Luckily, to my knowledge, nothing like this has happened yet, but the potential for it is quite strong.  In response to this, the United States FDA has now mandated that all manufacturers of medical devices follow a principle called “Secure By Design”.  This is where certain kinds of controls have to be literally embedded into the device in order to safeguard the security of the patient.

More information about the FDA requirements can be seen at the link below:

http://cyberresources.solutions/blogs/fda.pdf

More details about “Secure By Design” can also be found at the link below:

https://www.darkreading.com/application-security/lock-down-the-software-supply-chain-with-secure-by-design

An example of such a control is Multifactor Authentication, also known as “MFA” for short.  This is where three or more differing mechanisms are used to confirm the identity of an individual.

But another problem now is that a lot of healthcare providers are moving to the Cloud (such as AWS or Azure) in order to host the applications that support these medical devices.  As a result, this comes under what is known as the “Shared Responsibility Model”.  As a user of the Cloud, you actually share resources with other “tenants” in order to keep your monthly costs down.

While this is of course a good thing, it can be a bad thing because now your datasets can theoretically become that much more accessible to malicious third parties.  The Cloud providers do give you the resources and the tools that you need to protect your part of the Cloud, but you have to take responsibility for making sure that they are configured properly to your security requirements.

But to make implanted medical devices more secure, it is recommended that the following steps be taken, and quickly:

1) The hospitals have to do their part:

Usually, the medical device vendors will provide information to the practitioners about the devices that they are interested in using.  An example of this is the “Manufacturer Disclosure Statement for Medical Device Security”, also known as the “MDS2”.  It spells out all of the details of the security features that a particular device has, and from there, the facility can make an informed decision as to whether to use it or not.  But the bottom line is that it must be read, and not just discarded!!!

2) Configure those devices:

The vendors will also have documentation on how to further fine-tune your procured devices to best meet your security requirements.  Heed these documents carefully as well!!!  Most medical facilities don’t do this, and instead rely on the default settings.  Don’t do this!  This is where you will have more back doors open than you realize.

My Thoughts On This:

Another catalyst that is leading to the explosion of implanted medical devices is the Internet of Things, also known as the “IoT”.  The connections between devices still remain unencrypted, making them more of a risk to use.  Also, the growth of AI and ML isn’t helping matters much on the Cybersecurity front, either.

The best advice I can give here to medical practitioners is to stay proactive, and make sure that every security control is used to the maximum extent possible.
