In this episode of The Med Device Cyber Podcast, hosts Christian and Trevor from Blue Goat Cyber delve into the diverse world of medical devices and the critical cybersecurity risks they face. They begin by establishing the vast scale of the issue, noting there are an estimated two million different types of medical devices currently in use. The hosts then break down the specific vulnerabilities and potential consequences associated with different categories of these devices, using real-world examples to illustrate the life-or-death importance of robust security.
Christian draws from his experience, dating back to 2015, to discuss In Vitro Diagnostics (IVD) devices. He describes a device designed to analyze blood samples for conditions like sepsis and recommend antibiotic treatments. The primary argument here is that the integrity of the diagnostic data is paramount; if a hacker were to alter the analysis, it could lead to a false negative for a critical condition like sepsis, resulting in the patient's death. Trevor expands the discussion to include modern trends like Software as a Medical Device (SaMD), particularly those incorporating Artificial Intelligence (AI). He cites AI-powered X-ray enhancement software as an example, highlighting how such tools bring benefits but also introduce new software-centric attack surfaces. The conversation also explores high-risk cyber-physical systems, such as surgical robots that may one day perform autonomous operations, and pacemakers, referencing the targeted attack concerns that led former Vice President Dick Cheney to have his device's wireless functionality disabled.
The hosts categorize cyber threats into two main types: non-directed attacks and directed attacks. Non-directed attacks, like the WannaCry ransomware, are indiscriminate and exploit common vulnerabilities across entire networks, affecting any unsecured device, including medical equipment running outdated operating systems. Directed attacks, conversely, are targeted at a specific device or individual with malicious intent. To combat these threats, they champion the process of threat modeling, a systematic approach to asking critical questions: 'What are we working on?', 'What can go wrong?', 'What are we going to do about it?', and 'Did we do a good enough job?'. This framework guides manufacturers in identifying potential exploits, verifying them through penetration testing, and implementing necessary mitigations to protect both patient safety and sensitive health information.
Key Takeaways
1. The medical device ecosystem is vast, with over two million different types of devices, each presenting unique cybersecurity challenges.
2. Data integrity is a matter of life and death for In Vitro Diagnostic (IVD) devices, as a compromised test result can lead to a fatal misdiagnosis.
3. Software as a Medical Device (SaMD), especially with the integration of AI, introduces powerful new capabilities but also complex software vulnerabilities that must be addressed.
4. Cyber-physical systems, such as surgical robots and implantable devices like pacemakers, carry the highest risk, as a successful hack could directly lead to severe patient harm or death.
5. Threats to medical devices can be either non-directed, like malware spreading across a hospital network, or highly targeted, aiming to harm a specific individual.
6. Threat modeling is a crucial, systematic process for manufacturers to anticipate potential attacks, test for vulnerabilities, and implement effective security controls.
7. Any medical device containing a software component, including its firmware, is considered a 'cyber device' and falls under the purview of cybersecurity regulations and best practices.
Host: We are back with episode two of the podcast. Hey Christian, how are you doing today?
Guest: I'm doing awesome. It's a great day today. I'm looking outside at the lake. It's beautiful. Uh what are we covering today in this podcast, Trevor?
Host: All right, today we're going to be looking at some of the types of medical devices and then how medical devices get exploited. So, a little bit more of what's happening inside the device for an exploitation and then some of what can be applicable to different medical devices, some of the concerns around different types of devices that we see fielded in the market and sort of the final outcome what happens in the case of successful exploitation.
Guest: Awesome. There are a lot of different types of medical devices and before I got into this field, and I've been in this field since 2015, I hadn't really thought about medical devices too much. I don't think many people really think about medical devices until you need one. And if it's not available or it's been compromised, then it could obviously affect your health or even potentially cause death.
Like one of the first devices uh we worked on in 2015 was an IVD device or in vitro diagnostics device. And this is a device that took a sample of your blood, determined what was wrong with the blood, like if you had a specific bacteria, if you had sepsis, and then recommended a course of action, a course of treatment, like a specific type of antibiotic. And what's interesting about in vitro diagnostics, if the integrity of the analysis is altered, it could result in a false treatment. So if somebody has sepsis, and the device fails to say they have sepsis, it gives a false result, that patient can die. And I didn't really understand that until I actually got into the medical devices and the cybersecurity space of that. What are some other devices uh that you that you know of Trevor?
Host: So it's such a wide field. Uh they're estimated to be around two million different medical devices out in the field right now, which covers a pretty wide range. Uh one that we're seeing is a pretty popular trend is software as a medical device. So there's been a really big trend coming in with AI in just about every industry. Uh you always see AI is kind of the new big thing for anything you can think of. But it has a lot of application to medical devices as well.
Uh very popular use for AI that we see is image enhancement or sort of refining of an image or something out of a data store getting it a little bit more clarity. Uh, kind of in a recent example that we've seen is an X-ray imaging enhancement software that takes in an X-ray out of a medical device kind of data system, enhances it in the event that something went wrong with the X-ray if there was a low radiation dose or someone got a bad angle when they were trying to record it and then it creates a more accurate portrayal of what's actually behind the X-ray. Instead of needing to go back and redo the entire process or sometimes might not even be possible to redo the process. If you're trying to diagnose a problem quickly, you don't really want to have much delay and you don't want to have to go all the way back through the radiology ward.
Guest: Yeah and basically, we're looking at, out of those two million devices, any device that has a software component needs cybersecurity. And that can even be the firmware on the device. And one of the devices that I don't know if AI is involved with this device because you're talking about AI, but one of the devices that kind of freaks me out a little bit are surgical robots.
Right now, the the robots are used to assist a surgeon but in the near term, probably next two years, those devices are going to be able to perform surgery by themselves. So imagine a surgical robot working on your spine repairing something with your spine like by itself without any human interaction. Uh and and if this device is compromised, obviously there could be some severe risk.
Uh and the same thing with telesurgery, a lot of these robots are operated remotely. So so a physician or a surgeon here in the United States for instance could perform surgery in Zimbabwe if they want to do. But if that connection between the surgeon and the robot in Zimbabwe is compromised and there's delays, then the treatment that the robot is administering or the surgery could be catastrophic actually.
So, surgical robots are a real big one. We've worked with quite a few of those. What other devices are there that are some of the top devices that have cybersecurity challenges?
Host: So the definition of a cyber device, like you said, is really, really wide. It can be just about anything with a computer involved. We see a lot of diagnosis tools. So that could be like a little device that's performing an X-ray scan or you know, outputting some sort of Doppler radiation to try to perform some diagnosis. Uh we see a lot of analysis tools, something that will pull in um cardiogram information and perform analysis, send out alerts if needed.
Uh continuous monitoring systems. So like a continuous glucose monitor might be a good example of that or an ECG monitor. Anything with a computer attached is going to fall under the lens of a cyber device.
Guest: And all those need to be secure and the FDA requires it and the equivalent in Europe requires it before these devices can even be sold on the market. But one of the challenges I think we have today is there's a lot of, you know, legacy devices that were put on the market and have some sort of vulnerability before the regulators such as the FDA even had any cybersecurity regulations, and those devices have a lot of challenges as well, kind of like the ones that are running Windows IoT and WannaCry affected them.
Host: That's definitely a really big problem is a lot of devices just left out into the wild. Uh the most recent guidance for the FDA as far as securing cyber devices came out in September of 2023 and there's been a massive industry-wide push in the United States, in Europe, in most countries that are taking a big push for cybersecurity and really understanding the impact, especially in the medical sector. And these devices that haven't gone through the rigorous screening process that's enforced at this point, they can be hard to control and sometimes the risk landscape isn't necessarily known very well since part of the initial submission process for any of these devices is to understand what the threat landscape is. Do threat modeling exercises, know what could happen, test to see if it can actually happen, and fix it based on that. None of this has happened.
Guest: So I hear that term uh sorry to interrupt you. I hear that term threat model a lot, you know, in industry and some of our listeners have probably heard that term, but what does that actually mean? I think there's a lot of confusion around what a threat model is.
Host: So a threat model is trying to ask what can happen to a device. Um we're essentially looking at the worst case scenario and trying to figure out what the outcome of it is. So MITRE produces this uh great playbook. It's called the threat modeling playbook for medical devices and it asks four major questions. So it asks what are we working on? What can we do to it? Um what are we going to do about it? Or not what can we do to it, but what can go wrong, what are we going to do about it? And did we do a good enough job?
So we're trying to figure out what the device is, what the scope of that device is, anything coming in and out, data flows, data stores, who are the users, just basic information. And then we're going to try to figure out how we can abuse each of these areas. How are we going to abuse the user? How are we going to abuse a data flow? How are we going to abuse this interface, this connection, can we try to modify data here? Can we change the outcome of a result?
And then the third question, what are we going to do about it is essentially verification and mitigation. We go in and we test for things. So let's say one of our big concerns is that you can get access to a database containing social security numbers and modify them. Then that's where we come in to go do pen testing exercises on the device, see if we can actually get into that database and if we can, then sure enough, we have to go into a mitigation. If we can't, current mitigations are already going to be sufficient. But the final step is did we do a good enough job? Sort of making sure that we've covered everything. You go back, review the process, start from the ground up, make sure that you weren't missing any attack vectors and that your attack vectors properly applied to any threats that you could come up with.
Guest: Yeah, sounds like you know quite a bit about threat modeling. We we could probably do a whole episode on that in the future and dive a little bit deeper. Oh yeah. So you so you think these uh would you consider yourself a white hat hacker then, Trevor?
Host: Yeah, there's a lot of kind of stigma against the term hacker and having just left Black Hat, I have all sorts of different stickers and goodies like this one right here that, you know, kind of bash on hackers.
Guest: What did it say? I couldn't see it.
Host: Well, I'm not sure if I should say exactly what it says, but there's a little glimpse of what the sticker's saying.
Guest: Oh okay.
Host: There's a lot of stigma against the term hacker. People typically think of the bad guy, you know, sitting in some windowless apartment in Russia trying to steal your social security number and your credit cards. But the white hat hacker, like a good guy is trying to do effectively the same thing as them, but for the right reasons. So we're making sure that we maintain, you know, top ethical standards anytime we're trying to hack into a device we're maintaining strict confidentiality anything that we find in the device and we're working with the manufacturers to make sure that they're putting safer products out onto the market and we're reducing the threat landscape for that bad guys out in the wild.
Guest: So we use the same tactics, tools, or procedures or TTPs as the bad guys.
Host: Yep, and that's a really important thing to make sure that we're using the same tactics, tools and procedures. They're learning fast and so we have to learn faster. As soon as they're learning a new attack, we have to learn it better than they do and make sure that we're covering anything that they're going to be able to do.
Guest: Awesome. And like we talked about, some of the outcomes from hacking into a physical interface or a medical device could be pretty grave. Uh like we could have a misdiagnosis with the in vitro diagnostic system. And it was interesting about one of those I worked on before. It wasn't just used in healthcare, it's also used in industry as they like to say, where this same device that I talked about earlier at this this episode that was used to diagnose blood for things like sepsis or the bacteria. It was also used in the hamburger supply chain.
So people took a sample of hamburger that came from a manufacturer, ran it through this device and it would tell, tell you if the hamburger had E. coli or salmonella or any other bacteria in it. And this device has some vulnerabilities. So I always thought because I did a lot of work at the Department of Defense of these scenarios where if somebody really wanted to cause havoc, they could hack this device, taint the hamburger supply chain, and then have the device test negative even though it was actually positive for E. coli or salmonella. And then have this hamburger released to the supply chain like McDonald's and Wendy's and all these um fast food places and actually kill a bunch of infants and elderly people because they're, you know, more prone to having a reaction to salmonella or E. coli. So this is like a little bit bigger challenge than just with medical devices alone because some of these things I I think are used in other for other purposes for diagnosis.
Host: And that widespread impact can be pretty, it's hard to get the scale sometimes. I remember pretty recently, I believe it was Chipotle had actually that exact scenario come up where they missed a supply of tainted meat and a whole bunch of people were getting sick from it and there was a big lawsuit going on. So there are sort of two things to think about there as far as the impact goes. The first, of course, is the impact to whoever went to Chipotle and got really sick because of it. Some of them might have had to go to the hospital, you know, an infant or an older person might have had a pretty hard time with it. And then the other impact is the damage to Chipotle. So organizations have to be aware of the perception of public image and of course any liability in the event of a massive cybersecurity incident. It's not an isolated problem. It's widespread, prolific throughout the entire supply chain start to finish.
Guest: Yeah, that's a good point because I know for a while there and it's probably still ongoing uh, various celebrities were getting diagnosed with things and that diagnosis was being leaked which in some cases was embarrassing to the celebrity.
Host: Yeah, that's sort of just the perfect example. Um, you know, personally, I don't think that I'd want everyone to know exactly any medical issue that I've ever had and most people feel the exact same way. And especially if you're in, you know, the public light, you want to have at least some part of privacy in your life and so having that get disclosed, definitely could cause a lot of headache.
Guest: I think even like the Dick Cheney scenario, uh that would be a directed attack. If a terrorist or state sponsored actor that wanted to take out our vice president at the time were directing their effort to a specific target. Um and his pacemaker was vulnerable, uh as we talked about in other episodes, to someone wirelessly connecting to it and shocking him to death. So he had his pacemaker removed. There's a good video he recorded about that on ABC News actually talking about his fear and why he had it removed. That movie, I think it's called Vice, is actually pretty good too. I think Christian Bale played in that. Did you see that movie?
Host: No, I haven't. I'll have to check that out.
Guest: Yeah, it's a good movie. Christian Bale is a good, he's one of my favorite actors actually. Not because he has the same name as me Christian, but he's a pretty good actor.
Host: Well, it's kind of interesting that, you know, he had all of these concerns about the exploitation of the device. That was sort of a while ago before cybersecurity started to become, I guess, in the in the main public eye as much. Isn't that correct?
Guest: Yeah, I think that was in 2013 or so, he had it removed. I forgot the exact date, maybe before then. Um, yeah, I think it was 2013. But yeah, that was before this stuff really came into the limelight. I mean cybersecurity now you hear it on the news every day, like just when we think there can't be a bigger data breach there's a bigger one that comes out the next day in the news. So I think people are finally starting to understand the ramifications.
And one of the things about medical devices is they're either physical instruments, physical devices. A lot of traditional cybersecurity is against some devices that don't have a physical component. These are like cyber physical systems, or CPUs as some people like to call them. And that to me is why these are more important, because the risk is much, you know, greater. If somebody hacks the device, they could kill somebody.
And here in in Phoenix, and I don't know if you've taken, I think you have Trevor, you've taken a Waymo before. That's another example of a is an autonomous driving car. I kind of group that in with medical devices because it's a physical device as a cyber component that if you can hack the cyber component, you could cause great harm just like with a surgical robot because with a autonomous car if you hack into it and you know I'm a person in the car, then you could maybe cause a car to speed up to 150 miles an hour and hit a light pole and or a telephone pole and uh you know, probably kill me. So there's a it's kind of scary when you actually pull back the covers a little bit and look at the devices and things like autonomous robots, surgical robots that are coming up pretty soon.
Host: I think another interesting point on the physical device is how different the actual exploitation is there. Uh I was recently at Black Hat in Las Vegas and the entire focus was sort of just the virtual network up in the cloud and not the actual physical interfaces. I can count on one hand the amount of talks or booths that I saw about a physical interface and it's just not as well known even by cyber security professionals what the landscape is and the threat landscape against a physical interface or a physical device. As soon as you're opening up new data connections that a lot of pen testers and a lot of security professionals might not be as experienced with, they might not necessarily be aware with the risk and that's their entire industry, which is kind of an interesting thought.
Guest: Awesome. I think we'll wrap up the episode here. So thanks for tuning in to this episode. And on the next episode, we're going to go over some of the regulatory landscape requirements for medical device cybersecurity. There's been a lot of changes recently with the FDA, and we're going to touch upon that and how the industry as a whole is making a big effort to reduce the cybersecurity risk of medical devices.