The Food and Drug Administration (FDA) has recently warned that many medical devices contain configurable embedded computer systems that can be vulnerable to cybersecurity intrusions and exploits.

Medical Data Is The New Holy Grail For Cybercriminals
Stolen patient health care data or other personally identifiable information has considerable value in the underworld of information resellers. It’s actually considered even more valuable on the black market than stolen credit card credentials.

How Easy Is It To Hack Medical Devices?
Hackers are increasingly targeting application binary code to launch attacks on high-value applications across all platforms, including medical devices. A few easy steps, as illustrated in the following exhibit, and widely available (and often free) tools make it easy for hackers to directly access, compromise, and exploit an application’s code.
- Extract application from the device
- Reverse engineer the application, and create a new application
- Deploy the same code or tampered code on a knock-off product
Hackers could inject or hook malicious code and/or attack memory, which could compromise the runtime operation of the application and thereby cause unsafe or improper operation of the medical device and a potential danger to patient safety.

Immense Impact Of Hacking on Connected Medical Devices and Healthcare IoT
Medical devices and Healthcare IoT have it all for potential attackers and cybercriminals: financial gain, magnitude of impact and substantial media attention. Some of the significant impacts on medical devices:
- Infiltration of low-cost/knock-off devices that seek distribution in the US market
- Repackaged applications with malicious code can impact patient safety
Tips To Protect Connected Medical Devices, Prevent Monetary and Brand Damage, and Ensure Patient Safety
- The FDA recommends that manufacturers take steps to remain vigilant and continually address the cybersecurity risks of medical devices
- The FDA emphasizes, in its Premarket Guidance, that medical device manufacturers should address cybersecurity during the design & development of the medical device
- The FDA emphasizes, in its Postmarket Guidance, that medical device manufacturers should monitor, identify and address cybersecurity vulnerabilities and exploits as part of their postmarket management of medical devices
- In the above guidance, the FDA recommends following the NIST Framework to address the cybersecurity risks:
- Protect the binary code and cryptographic keys to:
  - Prevent hackers from directly accessing, compromising, and exploiting the binary code (e.g., analyzing or reverse-engineering sensitive code, modifying code to change application behavior, or injecting malicious code)
  - Prevent cryptographic key lifting attacks

Arxan Addresses Important Connected Medical Devices’ (Healthcare IoT) Security Risks
Arxan offers comprehensive application protection, which consists of Code Protection and Cryptographic Key & Data Protection, to address important security vulnerabilities of Connected Medical Devices (Healthcare IoT) such as:
- Improper or unsafe operation (changing behavior, bypassing controls), e.g., prevent malicious code modifications, bypassing of controls, tampering with data integrity in medical devices / apps
- Information exposure or loss, e.g., protect private information, keys, credentials in medical devices / apps
- IP theft, e.g., protect proprietary algorithms embedded in medical apps/devices from being analyzed, stolen, or pirated
- Exposure of unknown vulnerabilities, e.g., make it generally more difficult for hackers to reverse-engineer, analyze, or exploit code