The advantages of connected medical devices are obvious. Healthcare providers are given a 360-degree view of patient health metrics that matter – and that rich data, aggregate and realtime, is accessible through patient engagement software like Health Cloud.
But the risks are also apparent. We’ve grown accustomed to securing our digital lives by running anti-virus software, creating complex passwords, and downloading the latest phone update. However, securing a device that’s connected to a human body – and in the case of a Class III medical device, could literally be keeping your customers alive – carries even higher stakes.
Fortunately, organizations in both the private and public sectors have advice to keep you ahead of the curve.
Private Organizations That are Helping
Armis Security, a security firm that helps secure corporate IoT devices, identified 11 common medical device vulnerabilities known collectively as URGENT/11. They also developed a tool that identifies whether your devices are vulnerable.
Most vulnerabilities were discovered in the IPnet TCP/IP stack of the real-time operating systems (RTOSs) that commonly drive connected medical devices. These vulnerabilities can allow bad actors to take over devices with no user interaction, allowing them to:
- Propagate malware onto connected networks (in homes, hospitals, and businesses)
- Take control of the device itself
- Cause data leaks of highly sensitive data
- Cause operational errors that prevent the device from functioning properly
Armis Security’s research helped the FDA make some best-practice recommendations for medical device security.
The FDA’s tips for networked and connected devices
- Assess risk and identify post-sale security vulnerabilities. It’s essentially a reverse SWOT analysis from the perspective of your attackers, identifying your own weaknesses, the opportunities they have, and their incentives to attack. This should be conducted at all phases of your product lifecycle, including design, production, distribution, deployment, and maintenance. If you’re a Salesforce organization, cloud-based PLM software like Propel can help you organize these assessments. Once your research is complete, come up with mitigation plans for a variety of common scenarios.
- Ensure that your firewalls, VPNs, and embedded systems aren’t impacted by the URGENT/11.
- If your RTOS versions are impacted by URGENT/11, create a plan to move to a version that is not affected.
- Work with healthcare provider customers to ensure they are notified of compromised devices and risks are minimized.
- Engage with your consumers to recommend best practices for personal security. Inform them when there is an issue or new patch. This is a great opportunity to build customer loyalty and trust by implementing a tool like Community Cloud to engage them with strategies that work.
- Report vulnerable devices to the DHS Cybersecurity and Infrastructure Security Agency (CISA). You can reach them here.
By adhering to these guidelines and remaining vigilant about medical device security, you can ensure your consumers are safe.