This post is from the Arxan blog and has not been updated since the original publish date.
Connected Medical Devices – A Prescription for Cybersecurity Nightmare Unless You Act Now!
The era of IoT is here: digitally connected devices are enhancing every aspect of our lives, including our homes, cars, and even our bodies. The confluence of connected medical devices, mobile, wireless, big data and cloud is disrupting healthcare, transforming the way medical devices are accessed and share data with patients and medical practitioners. However, the benefits do not come without risks. As the number of digitally connected medical devices rises, so do the attack vectors and the opportunities for hackers to target the unprotected applications running on them. Medical devices are becoming an increasingly attractive target for cybercriminals simply because of the magnitude of the impact when such devices are compromised.
The Food and Drug Administration (FDA) has recently warned that many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits.
Medical Data Is The New Holy Grail For Cybercriminals
Stolen patient health care data or other personally identifiable information has considerable value in the underworld of information resellers; it is in fact considered more valuable on the black market than stolen credit card credentials.
How Easy Is It To Hack Medical Devices?
Hackers are increasingly targeting application binary code to launch attacks on high-value applications across all platforms, including medical devices. A few easy steps, listed below, and widely available (and often free) tools make it easy for hackers to directly access, compromise, and exploit an application's code:
- Extract the application from the device
- Reverse engineer the application and create a new application
- Deploy the same code or tampered code on a knock-off product
Hackers could also inject or hook malicious code, or attack the application's memory at runtime, compromising the runtime operation of the application and thereby causing unsafe or improper operation of the medical device and a potential danger to patient safety.
Immense Impact Of Hacking on Connected Medical Devices and Healthcare IoT
Medical devices and Healthcare IoT have it all for potential attackers and cybercriminals: financial gain, magnitude of impact and substantial media attention. Some of the significant impacts on medical devices:
- Infiltration of low-cost knock-off devices that seek distribution in the US market
- Repackaged applications with malicious code that can impact patient safety
The FDA has issued its final guidance on protecting medical devices such as pacemakers and insulin pumps from cyberattacks. According to the FDA, this final guidance "recognizes today's reality" that "cybersecurity threats are real, ever-present and continuously changing."
Tips To Protect Connected Medical Devices, Prevent Monetary and Brand Damage, and Ensure Patient Safety
- The FDA recommends that manufacturers remain vigilant and continually address the cybersecurity risks of medical devices
- In its Premarket Guidance, the FDA emphasizes that medical device manufacturers should address cybersecurity during the design and development of the device
- In its Postmarket Guidance, the FDA emphasizes that medical device manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices
- In both guidance documents, the FDA recommends following the NIST Framework to address cybersecurity risks
- Protect the binary code and cryptographic keys to:
- Prevent hackers from directly accessing, compromising, and exploiting the binary code (e.g., analyzing or reverse-engineering sensitive code, modifying code to change application behavior, or injecting malicious code)
- Prevent cryptographic key lifting attacks
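As an added worked example (not Arxan's code and not part of the original post), the following Python script shows the kind of image integrity check that the extract/reverse-engineer/redeploy steps above are meant to defeat and that the "protect the binary code and cryptographic keys" tip calls for: the manufacturer binds a firmware image to a device-unique key with HMAC-SHA256, and the device verifies that binding before running the image. The sample image, the keys and every function name are constructed for the demo. Two caveats a practitioner will want: a real device must keep its key in a hardware keystore or secure element rather than in the application binary (a key sitting in the binary is exactly the key-lifting target the post warns about), and a production pipeline would normally use an asymmetric signature so that only a public key needs to be present on the device.

```python
"""Firmware integrity and clone check bound to a device-unique key.

Added example, not code from Arxan or the original post. The image, the keys
and every function name here are constructed for the demo.
"""
import hashlib
import hmac
import secrets


def build_sample_image() -> bytes:
    """Constructed stand-in for a medical device application image."""
    header = b"MEDDEV\x01\x00"
    code = bytes(range(256)) * 4            # fake code section
    config = b"max_dose_mg=5.0;alarm=on;"   # fake safety-relevant settings
    return header + code + config


def build_manifest(image: bytes, device_key: bytes) -> dict:
    """Manufacturer side: bind the image to one device's key with HMAC-SHA256.

    A plain hash would not help: an attacker who can rewrite the image can
    rewrite the hash stored next to it. Only a keyed tag resists that.
    """
    tag = hmac.new(device_key, image, hashlib.sha256).hexdigest()
    return {"length": len(image), "tag": tag}


def verify_image(image: bytes, manifest: dict, device_key: bytes) -> bool:
    """Device side: run before executing the image (boot or app start)."""
    if len(image) != manifest["length"]:
        return False
    expected = hmac.new(device_key, image, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first mismatch via timing
    return hmac.compare_digest(expected, manifest["tag"])


def patch_image(image: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker step: patch the extracted image in place, keeping its length."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the image length")
    idx = image.find(old)
    if idx < 0:
        raise ValueError("pattern not found in image")
    return image[:idx] + new + image[idx + len(new):]


def run_scenarios() -> dict:
    """Genuine, tampered, and cloned-onto-knock-off cases; returns pass/fail."""
    genuine_key = secrets.token_bytes(32)
    knockoff_key = secrets.token_bytes(32)   # a clone does not share the genuine key
    image = build_sample_image()
    manifest = build_manifest(image, genuine_key)
    # Attacker raises a dosing limit without changing the image size
    tampered = patch_image(image, b"max_dose_mg=5.0", b"max_dose_mg=9.9")
    return {
        "genuine": verify_image(image, manifest, genuine_key),
        "tampered": verify_image(tampered, manifest, genuine_key),
        "knockoff_clone": verify_image(image, manifest, knockoff_key),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'PASS' if ok else 'REJECTED'}")
```

Running the script reports PASS for the genuine image on the genuine device, and REJECTED both for the patched image and for an exact copy of the image and manifest loaded onto a knock-off device that lacks the genuine key. The length check alone would not catch the patch, which is why the keyed tag over the full image is the control that matters.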
Arxan Addresses Important Connected Medical Devices’ (Healthcare IoT) Security Risks
Arxan offers comprehensive application protection, consisting of Code Protection and Cryptographic Key & Data Protection, to address important security vulnerabilities of Connected Medical Devices (Healthcare IoT) such as:
- Improper or unsafe operation (changed behavior, bypassed controls), e.g., preventing malicious code modification, control bypass, and tampering with data integrity in medical devices and apps
- Information exposure or loss, e.g., protecting private information, keys, and credentials in medical devices and apps
- IP theft, e.g., protecting proprietary algorithms embedded in medical apps and devices from being analyzed, stolen, or pirated
- Exposure of unknown vulnerabilities, e.g., making it generally more difficult for hackers to reverse-engineer, analyze, or exploit code
For medical device manufacturers and healthcare providers, the IoT is not futuristic, nor are the risks theoretical. It's time to ensure Connected Medical Devices (Healthcare IoT) are secure and safe!
Blog Authored By: Prashanth Thandavamurthy, Director of Technical Product Marketing