    Episode 36 · September 23, 2025 · 39m listen · 6,087 words · ~30 min read

    Top 10 Medical Device Vulnerabilities with Myles Kellerman | Ep. 38 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 36 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.


    Full episode transcript

Christian: Hi, welcome back to the Med Device Cyber Podcast. In today's episode, we're going to go a little bit behind the scenes and talk about the 10 most common and also most dangerous cybersecurity vulnerabilities we discovered during penetration testing. And these are penetration tests against real-world medical devices. One time we found a legacy diagnostic device with a password of "admin" hard-coded in the firmware. And that device was in production use. So imagine the vulnerabilities with that and what somebody could do with that just by guessing the default password. I'm joined today by Myles Kellerman; he's our Director of MedTech Cybersecurity. He's one of our lead penetration testers and leads our penetration testing team. And I've also got our CTO and co-host, Trevor Slattery. I think Trevor's coming from the San Francisco area, and Myles is coming from the same area. Both of you are in the Bay Area today, and I'm in the Phoenix metropolitan area where it's like 118 degrees.

Trevor: It's foggy and cold here right now, so that's crazy.

Christian: Cool. So let's cover a little bit of the background about penetration testing. For those in the audience that don't really understand what penetration testing is, in the context of medical devices, let's just unpack that a little bit so there's some context around what we're going to be discussing for the rest of the podcast episode. So Trevor, I'll throw it over to you. What's your best definition of penetration testing in terms of what we're trying to accomplish with medical devices?

Trevor: Penetration testing is, in its essence, trying to simulate what a bad hacker is doing before they can do it. So if a good guy hacks into a device, they responsibly and ethically tell the manufacturer of the device how they did it so that they can go and fix these problems before it's in the market. It's going to lead to a safer product, as opposed to waiting for someone with maybe more malicious intentions to find these vulnerabilities first. So it's an interesting type of testing, since it's practically just simulating crime to see what would happen to a system if someone wanted to really abuse it and misuse it.

Christian: So we're simulating the bad actors or the malicious software that's propagating through a healthcare delivery organization network, typically. Yeah. Go ahead.

Trevor: There are a couple of different... I think that pen testing is a little bit of an umbrella of activities looking at different goals. There are all sorts of different types of scanning, all sorts of different testing, some automated, some manual, that go into the process. But it's pretty much just trying to dig up any flaws or poor design decisions for security that are going to introduce risk to a patient or to a healthcare delivery organization, like you said, like a hospital network or a blood delivery center, something like that.

Christian: Okay. I think one of the misconceptions, at least that I see periodically with pen testing or penetration testing, is that many prospects or clients think that we are not going to find anything. Has that ever been the case? I'll defer to you, Myles. Have you ever done a penetration test where you did not find anything that needed to be addressed from a cybersecurity perspective?

Myles: Typically not. There are a lot of variables that go into protecting a medical device, everything from the supply chain aspect all the way down to the source code. So there's usually always something there, an area of concern or at minimum a security recommendation to strengthen the cybersecurity controls of that medical device.

Christian: Yeah, and these devices are looked at through a little bit of a different lens from a risk perspective. I mean, typically in, quote, "traditional" cybersecurity, we look at data disclosure. So somebody steals my credit card information or my protected health information. So it's an inconvenience, but in the lens we're looking at the world through with penetration testing and vulnerabilities with medical devices, it's really about patient safety. If somebody hacks into a defibrillator and shocks you to death, it's a little bit more severe than your credit card information being stolen. You can recover from your credit card information being stolen, but you can't recover if you die from being shocked to death, obviously. So the risk is much greater.

Trevor: Getting shocked to death is pretty permanent. And when we're going through the risk assessment process, it's very different in that regard. We have to look at how we're blending security and safety, which is completely unique to this industry. And so in security they talk about the CIA triad: confidentiality, integrity, availability. It's going to be relevant in the medical space, but we add the new CIA H quad square. And that H would be for harm. So looking at: can we harm an individual? Can we cause direct pain or discomfort to a patient? Can we delay treatment, misdiagnose a disease, something like that. There is a lot that can go wrong with, like you said, Christian, lasting permanent damage in many cases.