Warning: Poor Application Security Health Could Kill You
The Food and Drug Administration (FDA) recently implemented new guidance regarding medical device cybersecurity. It’s not a moment too soon, as new cases keep arising in which healthcare technology is compromised through software vulnerabilities, raising risks that can threaten patients’ lives. In a recent Ponemon Institute survey, over 20% of healthcare organizations said that patient mortality rates had risen after a cyberattack, and 57% reported that cyberattacks led to poorer patient outcomes.
Let’s look at what measures have been proposed to protect the security of healthcare technology, why they’re necessary, and the best tools to implement them.
What has the U.S. government announced?
The new law, the Consolidated Appropriations Act of 2023, has given the FDA increased authority to establish medical device security requirements for manufacturers. The FDA can now require that all new medical devices brought to market are designed with security as a priority. In the not-too-distant future, it will be mandatory for these devices to come to market with a software bill of materials (SBOM) and with documentation showing that every product can be updated and patched throughout its lifecycle.
It is hoped this move will mitigate, or even eliminate, some of the risks posed by vulnerabilities in medical diagnostic and treatment devices that have been overlooked, or worse, neglected by manufacturers under the previous rules.
Why do software vulnerabilities pose such a serious threat to medical devices and the healthcare sector?
Medical devices are increasingly connected to the internet, to hospital networks, and to other medical devices. This connectivity means these devices can be exposed to security breaches, potentially impacting their safety and effectiveness. In its survey of cybersecurity in healthcare, the Ponemon Institute reported that 64 percent of respondents are concerned about the security of their medical devices, which can significantly impact patient safety, and 59 percent are concerned about insecure mobile apps.
The healthcare sector deals with highly personal and sensitive matters and handles vast amounts of personally identifiable information (PII). PII is a prime target because it is a rich source of data that can be used to defraud patients or to hold healthcare organizations to ransom.
Ransomware attacks against healthcare organizations doubled over five years, with the most common victims being health clinics, according to a JAMA Health Forum study by researchers from the University of Minnesota and the University of Florida, who measured attacks on healthcare delivery organizations from 2016 to 2021.
Patient confidentiality can be undermined by breaches that enable malicious actors to find and steal patient data. The JAMA study showed that attacks exposed the personal health information of 41,987,751 individuals — more than 10 percent of the U.S. population.
Even more serious, weak cybersecurity could gravely jeopardize hospitals’ ability to provide diagnostics and treatment if vulnerabilities enable attackers to infiltrate their systems. At best, compromised technology may delay patients’ diagnoses. At worst, treatment could be delayed while the technology is restored, leaving patients’ serious conditions to deteriorate and become life-threatening. The JAMA study found that 44 percent of attacks disrupted care delivery: 41.7 percent of attacks involved electronic system downtime, 10.2 percent led to cancellation or rescheduling of scheduled care, and 4.3 percent required ambulance diversion, and in 8.6 percent of attacks the disruption lasted more than two weeks. Furthermore, the Ponemon Institute survey showed that 70 percent of respondents believed that supply chain attacks had disrupted patient care. It also identified a range of consequences, including delays in procedures and tests that caused poor outcomes, longer hospital stays, more patient transfers to other facilities, more complications from medical procedures, and, most dramatic of all, an increase in the mortality rate.
These findings demonstrate how vulnerable critical infrastructure can be.
How have vulnerabilities threatened patients’ health?
Moody’s Investors Service reported that the Toronto Hospital for Sick Children was hit by a ransomware attack on December 18, 2022. In addition to the potential damage to its data and financial security, Moody’s said that the hospital’s ability to provide healthcare was impaired, including “delays in medical imaging, longer diagnostics, and non-critical treatment wait times.” Even 18 days after the attack, the hospital had only 80 percent of its priority systems back online.
This is just the latest incident, but there’s a history of serious breaches. In 2017, 48 National Health Service organizations in the U.K., including 30 hospital trusts, reported a major ransomware attack (WannaCry) that hit as many as 70,000 devices, including computers, magnetic resonance imaging (MRI) scanners, blood-storage fridges, and operating theatre equipment.
Even personal life-sustaining equipment can be affected, including medical devices such as drug infusion pumps and implanted defibrillators. In the same year, the FDA recalled about 465,000 pacemakers manufactured by health tech firm Abbott because of cybersecurity vulnerabilities that could have enabled attackers to wirelessly access the devices, steal personal data, drain the battery, and disrupt normal life-sustaining operation.
In September 2022, the FDA issued a cybersecurity risk alert about the Medtronic MiniMed 600 Series insulin pump system, which has several components, including an insulin pump and a blood glucose meter, that communicate wirelessly. A vulnerability was identified (CVE-2022-32537) that could allow an unauthorized user to learn aspects of the communication protocol used to pair system components while the pump is being paired with other components. Exploitation could allow an unauthorized user to remotely set the pump to deliver too much or too little insulin, or to slow or even stop its delivery to the patient. The practical caveat is that the attacker must be within wireless range while pairing is in progress, so the window of exposure is narrow; but the consequence is what makes this scary, because it could kill.
Government increases efforts against vulnerabilities
It is therefore no surprise that the government and lawmakers have intensified their efforts to strengthen security against vulnerabilities that could pose serious risks to public health. In April 2022, U.S. Senators introduced the Protecting and Transforming Cyber Health Care (PATCH) Act with this intention, and in particular to ensure security across the supply chain.
The act called for “the inclusion in any premarket submission for a cyber device of information to demonstrate a reasonable assurance of safety and effectiveness throughout the lifecycle of the cyber device, and for other purposes.” It also required manufacturers to present a thorough plan for addressing post-market cybersecurity vulnerabilities in a timely manner. It was complemented by the FDA’s publication of a guide on medical device cybersecurity, focusing on how medical device manufacturers should develop cybersecurity measures for their devices and how they should handle pre- and post-market controls and maintenance standards for medical device cybersecurity.
Governmental concerns about the vulnerability of medical device security had become so acute by October 2022 that the FDA released a video for clinicians to advise them on how to keep patients’ connected medical devices safe, and by November, it had published an updated Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
SBOMs: The front line of security for medical tech
All this activity from the U.S. government points to the software bill of materials (SBOM) as the key tool for improving medical device cybersecurity and avoiding harmful vulnerabilities. SBOMs make vulnerability monitoring easier, support license compliance, and allow developers to understand dependencies across all the components of an application or device.
The PATCH Act prefigured the latest law in demanding that manufacturers create a software bill of materials (SBOM) for their products and components. The FDA has advocated the use of SBOMs for years, having published guidance in 2018 and put pressure on manufacturers to implement them. Although much of the healthcare sector supports the adoption of SBOMs, the industry’s efforts have previously been hampered by a lack of transparency and communication, as some manufacturers may have been reluctant to disclose that they use legacy components. The Consolidated Appropriations Act of 2023 includes some, but not all, of the language of the PATCH Act.
SBOMs are vital to software and application security, compliance, and supply chain security because they give developers the information they need to track supply chain relationships. They increase the transparency of software components and help ensure products perform securely and as intended.
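The two preceding paragraphs describe what an SBOM lets a manufacturer do: match components against known vulnerabilities, check licenses, and trace which dependency pulls a flawed component into the product. The script below, added here as an illustration and not part of the original article or any Mend product, does exactly that over a small CycloneDX-style SBOM. The SBOM, the package names, the advisory identifiers (ADV-0001, ADV-0002) and their version ranges are all constructed for the example; a real assessment would pull advisories from a vulnerability database keyed by package URL (purl).

```python
"""Added example: walk a CycloneDX-style SBOM, match each component's purl and
version against an advisory list, and report the dependency path that brings
each affected component into the product. All data below is constructed."""
import json
import re
from collections import deque

# Constructed CycloneDX 1.4 JSON for a hypothetical device controller.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "pkg:generic/infusion-controller@3.2.0",
                               "name": "infusion-controller", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "pkg:maven/com.example/telemetry@1.0.0", "name": "telemetry",
         "version": "1.0.0", "purl": "pkg:maven/com.example/telemetry@1.0.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:maven/org.example/logkit@2.14.1", "name": "logkit",
         "version": "2.14.1", "purl": "pkg:maven/org.example/logkit@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"bom-ref": "pkg:generic/tlslib@3.0.7", "name": "tlslib",
         "version": "3.0.7", "purl": "pkg:generic/tlslib@3.0.7",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        # A legacy component listed with no purl, version or licence: it
        # cannot be assessed, which is exactly the gap an SBOM should expose.
        {"bom-ref": "legacy-ble-stack", "name": "legacy-ble-stack"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/infusion-controller@3.2.0",
         "dependsOn": ["pkg:maven/com.example/telemetry@1.0.0",
                       "pkg:generic/tlslib@3.0.7", "legacy-ble-stack"]},
        {"ref": "pkg:maven/com.example/telemetry@1.0.0",
         "dependsOn": ["pkg:maven/org.example/logkit@2.14.1"]},
    ],
})

# Constructed (hypothetical) advisories: affected if introduced <= version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "purl_prefix": "pkg:maven/org.example/logkit",
     "introduced": "2.0.0", "fixed": "2.15.0"},
    {"id": "ADV-0002", "purl_prefix": "pkg:generic/tlslib",
     "introduced": "3.0.0", "fixed": "3.0.7"},  # 3.0.7 itself is the fixed release
]


def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def purl_without_version(purl):
    """'pkg:maven/org.example/logkit@2.14.1' -> 'pkg:maven/org.example/logkit'."""
    return purl.split("@", 1)[0]


def dependency_path(sbom, target_ref):
    """Breadth-first search from the root component to target_ref.
    Returns the list of bom-refs on the path, or [] if unreachable."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for child in edges.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return []


def find_affected(sbom, advisories):
    """Match every versioned component's purl against the advisory ranges."""
    hits = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # reported separately by sbom_gaps()
        for adv in advisories:
            if purl_without_version(purl) != adv["purl_prefix"]:
                continue
            if version_key(adv["introduced"]) <= version_key(version) < version_key(adv["fixed"]):
                hits.append({"advisory": adv["id"], "ref": comp["bom-ref"],
                             "version": version,
                             "path": dependency_path(sbom, comp["bom-ref"])})
    return hits


def sbom_gaps(sbom):
    """Components that cannot be assessed because purl, version or licence is missing."""
    return [{"ref": c["bom-ref"],
             "missing": [f for f in ("purl", "version", "licenses") if not c.get(f)]}
            for c in sbom.get("components", [])
            if any(not c.get(f) for f in ("purl", "version", "licenses"))]


def assess(sbom_json, advisories):
    """Parse the SBOM and return (affected components, unassessable components)."""
    sbom = json.loads(sbom_json)
    return find_affected(sbom, advisories), sbom_gaps(sbom)


if __name__ == "__main__":
    affected, gaps = assess(SAMPLE_SBOM_JSON, SAMPLE_ADVISORIES)
    for hit in affected:
        print(hit["advisory"], hit["ref"], "via", " -> ".join(hit["path"]))
    for gap in gaps:
        print("cannot assess", gap["ref"], "missing", gap["missing"])
```

Two points the output makes that the paragraph alone does not: the affected component (logkit 2.14.1) is not a direct dependency of the product, so the dependency path is what tells the manufacturer which first-party component to rebuild; and the legacy component with no version or license is surfaced as unassessable rather than silently passing, which is the transparency problem the article attributes to manufacturers reluctant to disclose legacy parts.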
Keep reading: https://go.mend.io/3KNGSTt