By Carl Carpenter, Arrakis Consulting
As medical device manufacturers, or someone who purchases or uses connected medical equipment, understanding the security of a medical device or equipment can be critical. Conducting a vulnerability assessment and performing a penetration test are two activities that can greatly improve your understanding of how safe a device can be from a cybersecurity standpoint and the potential risk it may bring to your company.
What Is Penetration Testing?
The short answer is penetration testing is testing to see how a bad actor could compromise a device for nefarious reasons. But that’s not completely accurate, so let’s get into the long answer. Penetration testing comprises activities of any type that a bad actor (or just a curious person) could do that would allow the person to gain control of or increase access to components of the device in ways that were not intended (or even considered) by the device manufacturer. Both cases, not intended or considered, are generally due to the device manufacturer not fully testing the device before release. This isn’t to say that the manufacturer didn’t do its best to meet FDA requirements. What’s more likely is that the manufacturer focused more on developing and maturing the device for a quicker product release.
To Test Or To Release?
So, the first question that generally comes to mind is why would a device manufacturer spend more effort developing and maturing the device for quicker product release and forgoing penetration testing? The reasons are simple: revenue, for one. But there is also the ethical reason of getting a device to market that could possibly save lives or help people. It’s really an ethical dilemma that device manufacturers face — having to decide to release a device quickly to help people or to hold off on a product release until all aspects of the device are safe and secure. However, in most economies based on capitalism, it could also be understood that releasing a device to the public sooner means realizing revenue sooner. That being said, skipping penetration testing is not in a company’s long-term best interest — or in a patient’s best interest.
Two Key Assessment Areas For Penetration Testing
Device manufacturers need to consider the following two elements prior to bringing a medical device to market.
Physical Access Vulnerabilities
The first question I always recommend device manufacturers address is this: What can a bad actor do if he or she has physical access to the device? In other words, what sort of “damage” can be done? Damage could include stealing sensitive data or corrupting device commands to do something such as multiply patient medication dosages by 10.
Some questions to evaluate physical susceptibility include: Does the device have an external serial port that could allow compromise? If so, does the serial port require a password? Does the device have a USB port where someone could plug in a thumb drive to execute code? If someone unscrewed the cover of the device, are there detachable storage devices on the inside that may contain confidential information or access to source code? If there are detachable storage devices, can I swap out one of them with my own device to perform functions that I want? Are any internal storage devices encrypted? Are there memory chips on the device that don’t get wiped when the power is lost? Just from the physical standpoint alone, these are important things to consider.
When it comes to physical access to a device, I’m reminded of the time when a device manufacturer hired my firm to test its product, claiming it was secure inside of a locked metal box. Unfortunately for them, this box had screws in the hinges on the outside. By simply unscrewing the hinges, we removed the door and then had direct access to the device, which we quickly compromised.
Device Connectivity And Data Vulnerabilities
Another area to consider is device-to-device communications. Realistically, devices manage “something.” But as a part of that management, devices most likely also collect information about the patient. This information generally is compiled “somewhere” (sometimes the cloud) but can only be compiled by being transmitted “somehow.”
The process I always like to understand is how the collected information is transmitted. Is it transmitted via Ethernet cable? Is it transmitted via Wi-Fi or Bluetooth? All methods of transmission are susceptible to interception, and the only way to help reduce the risk of an intercepted transmission is to use encryption in transit. Then I try to determine if I had access to the device by the Ethernet port, Wi-Fi, or Bluetooth, could I issue commands to the device from a remote terminal? For example, if there was a device that provided a specific amount of medication (let’s say morphine) on a schedule, what would happen if I had the ability to multiply the specific amount by a factor of 10 or reduce the time between doses?
Assuming the device did transmit data, then the next question would be to where, and how secure is the destination? If it is in “the cloud,” do I have a HIPAA Business Associate Agreement (BAA) or do I understand the security that the cloud provider has in place?
3 Vulnerability Lessons For Med Device Teams
I bring up the previous two points of physical and technical penetration testing because if one is compromised, then the device really isn’t secure. And it brings to mind a time when I evaluated a device for a company seeking FDA approval after several years of R&D. The company had taken the required security measures and applied them only to the specific device (which was designed to be implanted) but not to the whole system. Additionally, my client viewed the requirements at the lowest level rather than also viewing the system wholistically and essentially missed the essence of what regulators required. Lastly, it also failed to do several things, which I impart as three lessons for all medical device teams to implement:
- Perform vulnerability assessments during the R&D life cycle.
- Have experienced people evaluate security through the entire life cycle.
- Understand regulators’ required security measures.
Vulnerability assessments and penetration testing are not only important for patient safety but also to reduce liability risk to the device manufacturer. Additionally, increasing cybersecurity and privacy regulations will not only require you to do so but you will want to do so in order to reduce potential negative risk to the company. As always, you want to ensure that you have qualified and experienced personnel performing this task before product release.
About The Author:
Carl Carpenter is an independent author, penetration tester, and cybersecurity/IT/privacy auditor who performs cybersecurity and privacy related activities for companies of all verticals and in numerous regulatory environments. He is a former CISO for a $6B entity, was one of the primary ISO27001 auditors for Salesforce in 2017, and has performed numerous cybersecurity and privacy related activities for medical entities including device manufacturers. He is currently a consultant for Arrakis Consulting working with clients of all sizes and types.