Ensuring Cybersecurity Success in Medtech Manufacturing
MD+DI spoke with Velentium’s Christopher Gates about cybersecurity vulnerabilities in medtech and how to negate security risk through prevention.
Medical devices remain especially vulnerable to cyber attacks. To understand the extent of the security risk — including unpatched devices, an upstream supply chain, and budget limitations in hospitals — MD+DI spoke with Christopher Gates, director of product security at Velentium. He explained the outstanding need for prevention-focused cybersecurity practices, and highlighted new, thorough training programs for device developers and executives, as well as for employees at every level of a company.
MD+DI: Many don’t think about the cybersecurity risks that come with the continued technological sophistication of medical devices. However, the damage of an attack can be devastating. In your opinion, what makes medtech especially vulnerable to bad actors?
Gates: Before I answer your question, let me modify your first statement—many do think about medical device cybersecurity! A recent study by the World Economic Forum (“The Global Risk Report 2023”) rated cybersecurity as #8 for both short and long-term risks. This isn’t specific to medical devices, but medical devices are not somehow exempt from this risk to all advanced technology. Secondly, it is a good thing for medical device manufacturers that most patients do tend to overlook the risk of using a medical device in favor of its advantages and improvements to their quality of life, because if patients fully understood the risks there would be a much smaller population of patients using these devices.
Back to your question, there are many factors, such as:
The medical device may be required to keep a patient alive, which makes the risk vastly greater than say having your personal data exposed or losing cryptocurrency.
Hospitals retain devices for extended periods, such as 30 years. These are old insecure devices that need to be replaced.
The medical industry was one of the first to recognize the advantages that can be had by connecting devices to infrastructure and other devices.
Small body-worn medical devices are resource-constrained and battery-life-constrained, which makes it more difficult to implement security mitigations.
Lack of security awareness and training for medical device manufacturers.
MD+DI: The recently implemented FDA policy requires companies to have a plan in place to address post-market cybersecurity vulnerabilities and exploits. What type of security vulnerabilities do you think are the biggest concern for medical devices?
Gates: There are over 600 categories of “weaknesses” in MITRE’s catalog of “vulnerabilities”, CWE, and you can pretty much take your pick. If the weakness is exploitable and the resulting vulnerability leads to harming the patient, or delaying the treatment of a patient, it is of utmost concern. Other results, such as the loss of intellectual property, market share, or reputation of a manufacturer are relatively minor in comparison.
Previously unpatched devices?
Unpatched and un-updated software in a medical device is a missed opportunity to mitigate security issues. While almost all of the medical device regulatory bodies want to see this functionality present in medical devices, very few devices currently include this feature. Of those that do, fewer are actually updated by the end user (hospitals or home healthcare patients). Some of this relates to the inherent “dysfunctional relationship” that has always existed between hospitals and medical device manufacturers. Also, the current business model for manufacturers does not allow for an appropriate level of ongoing support to hospitals. A new business model is going to have to be adopted, possibly subscription-based. For their part, hospitals need to issue more contractual requirements for timely responses to security issues from device manufacturers.
Insecure network connectivity?
No, this isn’t really an issue, because manufacturers must never assume that a medical device will be connected to a secure network. It’s just too far outside of their control. The reverse is reality: Manufacturers must assume that any digital communications to our devices, including wireless, are insecure unless we are taking active steps to control this weakness.
Third party components?
Yes, upstream supply chain risks are very real, and easily proven (just read the news). This is somewhat of an emergent property of medical device development, and while some tools are in use (such as SBOMs), more needs to be done in this area. We are still in the “crawl” phase of seeing supply chain security controls being adopted throughout the industry. Fortunately, we are seeing some excellent guidance on this topic with organizations such as Google’s SLSA initiative and NIST guidances. At some point in the not-too-distant future, these types of supply chain protections will be nearly invisible to the developer, able to be taken for granted. The harder part of supply chain security control is that development culture needs to change. Developers cannot just download an open-source tool or resource and start using it in their latest project. Each third-party component has to be vetted through a controlled process.
Budget limitations in healthcare facilities meaning staff is using outdated technology?
I hear this excuse all the time, principally “there is no money to protect the organization”, yet after the ransomware attack has completely shut down operations, somehow lost change is always found in the couch cushions—enough to pay off the always-exorbitant ransom and maybe even add a few protections to the organization. I am not certain that I believe this excuse anymore (if I ever did believe it). I think a more accurate phrase would be: “If we updated to current security best practices we would see a short-term loss of profits.”
MD+DI: What risks to security are especially apparent in the manufacturing process of a device?
Gates: I previously touched on the topic of “upstream supply chain”, but manufacturers are in the middle of this chain, so we also have to consider “downstream supply chain” vulnerabilities. These are usually much easier to control, focusing on processes and procedures such as transferring the product from development into manufacturing, and then ensuring that the integrity and confidentiality of the product is maintained in the manufacturing environment. Also, it might come as a surprise to readers, but the difference between this process (and the risks) for internal manufacturing versus a contract manufacturer is very little. All the same technical controls should be in place as well as auditing and strict quantity accounting.
MD+DI: What gaps, if any, are there in trainings focused on device security, regulatory, and compliance?
Gates: The “gaps” are the almost total lack of good training programs. While there is no shortage of IT cybersecurity training, medical device (or operational technology generally, “OT”) training programs barely exist, with only a handful of options to choose from, mostly in-person training which may not align with the needs of the potential student. We have a huge shortfall of cybersecurity-trained engineers in the medical device manufacturing industry, and we are trying to change that. The first step was our book on Medical Device Cybersecurity (we are currently working on the second edition) and now, Velentium has opened up its own internal training as an on-demand program available for anyone to take.
MD+DI: A system becomes compromised and a bad actor has gained access: What now? What steps should personnel follow when security measures fail?
Gates: “The house was broken into and everything has been stolen.” Same kind of situation—both are events where all the remaining options are limited and painful. Medical device cybersecurity is 80% prevention, 20% recovery/resilience.
Once an attacker gains access to a system/network, the first step is to add multiple other avenues of access so that the defender is going to have a very hard time keeping the attacker out of the system ever again. Suddenly all of those PAC systems, infusion pumps, monitoring stations, and printers are your potential enemy. How can you ever have trust in any of the connected equipment, once it’s been exposed? After isolation, your backups may help, but the attacker may have been in the system a long time before detection, and some equipment cannot perform backups/recoveries. Restore what you can, and monitor the performance of your systems for any oddities (such as increased traffic) that may indicate your attacker has returned.
But the real answer here is to invest in prevention, such as by including cybersecurity in the medical device purchasing process, and by establishing a relationship with the device manufacturers before you’re the victim of an attack (as opposed to naively assuming you will not be attacked).
MD+DI: What would you say to people who say engineers and developers are the only ones in a company that need to worry about cybersecurity? Why do business executives have to be up-to-date on cybersecurity practices? Non-technical employees?
Gates: I usually laugh when I hear this! I also hear the similar “My engineers already make everything secure,” yet the senior leader cannot name a single practice they perform to make these devices secure. Often, the real answer is that nobody is doing anything to secure the device.
Unless there is senior leadership commitment to a secure total product life cycle, then it doesn’t matter what anyone else in the organization does or doesn’t do—the effort is doomed. I have seen this happen many times. It takes the Senior Leadership Team (SLT) to prioritize cybersecurity, and that is just the start. Governance programs have to be established with roles and responsibilities. All levels have to understand and commit to the culture change this imposes on all related positions. And this isn’t just a one-way “imposition of requirements” upon the organization, it also takes the organization regularly reporting back to the SLT about the progress being made, the risks, the potential impacts, the potential costs, etc. Standardized metrics are the “lingua franca” for performing these activities, such as BSIMM and SAMM.
MD+DI: Velentium has created three online cybersecurity courses for medical device developers and executives. Why did the company decide to create this training? Why is it important to have based the courses on the textbook, Medical Device Cybersecurity for Engineers and Manufacturers?
Gates: I am very excited about this student-paced online training program for medical device cybersecurity. As far as I am aware, there is nothing else like it available on the market. We have received a lot of interest in these courses, and the timing of the FDA’s new legal mandate to enforce and ensure medical device cybersecurity has helped to raise awareness and interest in training, known for years to be in critically short supply.
We are targeting engineering staff with an annual certificate program consisting of 60 hours of student-paced video training, so the student can be anywhere in the world and can consume the training while still meeting their other responsibilities. The content is everything an engineer will need to create secure devices in their organization including:
Common attack approaches
Software mitigations for specific vulnerabilities
Hardware vulnerabilities and mitigations and how to use them
Upstream supply chain vulnerabilities and controls
Organization structure and governance
Domestic and international regulations on medical device cybersecurity
Secure development life cycle (including phased-based activities)
Post-market activities and testing
Security incident response
Secure transfer to manufacturing
Regulatory and company-level metrics
Security testing (Fuzz, Penetration, malformed input, side channel, etc.)
Details of cryptography including hardware-accelerated cryptography
There is a lot of content in this training, which is why we structured it to be student-paced. Students can train in short periods, giving themselves time to process the new information while keeping up with their other responsibilities.
The second course is oriented towards the SLT, with two hours of participant-paced orientation on:
The current regulatory environment (domestic and international)
What reports should the SLT expect from their organization
Secure development activities
Post-market activities
Business risks
Governance
Metrics
The third course is for everyone else in the organization, offering eight hours of a student-paced high-level overview of the requirements and governance of security in the organization, including domestic and international regulations.
All attendees (for all courses) also have access for a year to a weekly hour of Q&A with Velentium’s medical device cybersecurity subject matter experts and our dedicated Slack channel. Both of these mediums are for clarification of training topics that are not related to specific confidential projects.
MD+DI: Please explain areas of the training that the company is especially proud of, or wants more of the industry to know about and learn.
Gates: I believe that both the certificate program for engineers and the SLT overview are going to change the medical device industry. Now is the perfect time to assist manufacturers in complying with the latest legally-mandated cybersecurity requirements from the FDA, so that instead of frustration, they can train and facilitate the adoption of security into their new products. The next two years are going to see a lot of changes in this industry, and the more educated everyone is on security, the quicker and easier the transition will be.