    Episode 29 · October 29, 2024 · 22m listen · 3,832 words · ~19 min read

    Hidden Vulnerabilities in Medical Devices: Why Cybersecurity Matters | Ep. 2 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 29 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Episode summary

    In this episode of The Med Device Cyber Podcast, hosts Christian and Trevor from Blue Goat Cyber delve into the diverse world of medical devices and the critical cybersecurity risks they face. They begin by establishing the vast scale of the issue, noting there are an estimated two million different types of medical devices currently in use. The hosts then break down the specific vulnerabilities and potential consequences associated with different categories of these devices, using real-world examples to illustrate the life-or-death importance of robust security. Christian draws from his experience, dating back to 2015, to discuss In Vitro Diagnostics (IVD) devices. He describes a device designed to analyze blood samples for conditions like sepsis and recommend antibiotic treatments. The primary argument here is that the integrity of the diagnostic data is paramount; if a hacker were to alter the analysis, it could lead to a false negative for a critical condition like sepsis, resulting in the patient's death. Trevor expands the discussion to include modern trends like Software as a Medical Device (SaMD), particularly those incorporating Artificial Intelligence (AI). He cites AI-powered X-ray enhancement software as an example, highlighting how such tools bring benefits but also introduce new software-centric attack surfaces. The conversation also explores high-risk cyber-physical systems, such as surgical robots that may one day perform autonomous operations, and pacemakers, referencing the targeted attack concerns that led former Vice President Dick Cheney to have his device's wireless functionality disabled. The hosts categorize cyber threats into two main types: non-directed attacks and directed attacks. Non-directed attacks, like the WannaCry ransomware, are indiscriminate and exploit common vulnerabilities across entire networks, affecting any unsecured device, including medical equipment running outdated operating systems. Directed attacks, conversely, are targeted at a specific device or individual with malicious intent. To combat these threats, they champion the process of threat modeling, a systematic approach to asking critical questions: 'What are we working on?', 'What can go wrong?', 'What are we going to do about it?', and 'Did we do a good enough job?'. This framework guides manufacturers in identifying potential exploits, verifying them through penetration testing, and implementing necessary mitigations to protect both patient safety and sensitive health information.

    Key takeaways from this episode

    • The medical device ecosystem is vast, with over two million different types of devices, each presenting unique cybersecurity challenges.
    • Data integrity is a matter of life and death for In Vitro Diagnostic (IVD) devices, as a compromised test result can lead to a fatal misdiagnosis.
    • Software as a Medical Device (SaMD), especially with the integration of AI, introduces powerful new capabilities but also complex software vulnerabilities that must be addressed.
    • Cyber-physical systems, such as surgical robots and implantable devices like pacemakers, carry the highest risk, as a successful hack could directly lead to severe patient harm or death.
    • Threats to medical devices can be either non-directed, like malware spreading across a hospital network, or highly targeted, aiming to harm a specific individual.
    • Threat modeling is a crucial, systematic process for manufacturers to anticipate potential attacks, test for vulnerabilities, and implement effective security controls.
    • Any medical device containing a software component, including its firmware, is considered a 'cyber device' and falls under the purview of cybersecurity regulations and best practices.

    Full episode transcript

    Host: We are back with episode two of the podcast. Hey Christian, how are you doing today?

    Guest: I'm doing awesome. It's a great day today. I'm looking outside at the lake. It's beautiful. Uh, what are we covering today in this podcast, Trevor?

    Host: All right, today we're going to be looking at some of the types of medical devices and then how medical devices get exploited. So, a little bit more of what's happening inside the device for an exploitation, and then some of what can be applicable to different medical devices, some of the concerns around different types of devices that we see fielded in the market, and sort of the final outcome, what happens in the case of successful exploitation.

    Guest: Awesome. There are a lot of different types of medical devices, and before I got into this field, and I've been in this field since 2015, I hadn't really thought about medical devices too much. I don't think many people really think about medical devices until you need one. And if it's not available or it's been compromised, then it could obviously affect your health, or even cause death potentially. Like one of the first devices we worked on in 2015 was an IVD device, or in vitro diagnostics device. And this is a device that took a sample of your blood, determined what was wrong with the blood, like if you had a specific bacteria, if you had sepsis, and then recommended a course of action, a course of treatment, like a specific type of antibiotic. And what's interesting about in vitro diagnostics is, if the integrity of the analysis is altered, it could result in a false treatment. So if somebody has sepsis, and the device fails to say they have sepsis, it gives a false result, that patient can die. And I didn't really understand that until I actually got into the medical devices and the cybersecurity space of that. What are some other devices that you know of, Trevor?

    Host: So it's such a wide field. There are estimated to be around two million different medical devices out in the field right now, which covers a pretty wide range. One that we're seeing as a pretty popular trend is software as a medical device. So there's been a really big trend coming in with AI in just about every industry. You always see AI as kind of the new big thing for anything you can think of. But it has a lot of application to medical devices as well. A very popular use for AI that we see is image enhancement, or sort of refining of an image or something out of a data store, getting it a little bit more clarity. Kind of a recent example that we've seen is an X-ray imaging enhancement software that takes in an X-ray out of a medical device data system, enhances it in the event that something went wrong with the X-ray, if there was a low radiation dose or someone got a bad angle when they were trying to record it, and then it creates a more accurate portrayal of what's actually behind the X-ray. Instead of needing to go back and redo the entire process, or sometimes it might not even be possible to redo the process. If you're trying to diagnose a problem quickly, you don't really want to have much delay, and you don't want to have to go all the way back through the radiology ward.

    Guest: Yeah, and basically, we're looking at, out of those two million devices, any device that has a software component needs cybersecurity. And that can even be the firmware on the device. And one of the devices, I don't know if AI is involved with this device because you're talking about AI, but one of the devices that kind of freaks me out a little bit are surgical robots. Right now, the robots are used to assist a surgeon, but in the near term, probably the next two years, those devices are going to be able to perform surgery by themselves. So imagine a surgical robot working on your spine, repairing something with your spine, by itself without any human interaction. And if this device is compromised, obviously there could be some severe risk. And the same thing with telesurgery: a lot of these robots are operated remotely. So a physician or a surgeon here in the United States, for instance, could perform surgery in Zimbabwe if they want to. But if that connection between the surgeon and the robot in Zimbabwe is compromised and there are delays, then the treatment that the robot is administering, or the surgery, could be catastrophic actually.