Hidden Vulnerabilities in Medical Devices: Why Cybersecurity Matters | Ep. 2

We are back with episode two of the podcast. Hey, Christian, how are you doing today? I'm doing awesome. It's a great day today. I'm looking outside; the lake is beautiful. What are we covering today in this podcast, Trevor? All right, today we're going to be looking at some of the types of medical devices and then how medical devices get exploited. So a little bit more of what's happening inside the device for an exploitation and then some of what can be applicable to different medical devices, some of the concerns around different types of devices that we see fielded in the market, and sort of the final outcome: what happens in the case of successful exploitation? Awesome. There are a lot of different types of medical devices, and before I got into this field, and I've been in this field since 2015, I hadn't really thought about medical devices too much. I don't think many people really think about medical devices until you need one. If it's not available or it's been compromised, then it could obviously affect your health or even potentially cause death. Like one of the first devices we worked on in 2015 was an IVD device, or in-vitro diagnostics device. This is a device that took a sample of your blood, determined what was wrong with the blood, like if you had a specific bacteria if you had sepsis, and then recommended a course of action or course of treatment, like a specific type of antibiotic. What's interesting about in-vitro diagnostics is if the integrity of the analysis is altered, it could result in a false treatment. So if somebody has sepsis and the device fails to say they have sepsis, it gives a false result. That patient can die. I didn't really understand that until I actually got into medical devices and the cybersecurity space of that. What are some other devices that you know of, Trevor? Such a wide field, there are estimated to be around 2 million different medical devices out in the field right now, which covers a pretty wide range. One that we're seeing as a pretty popular trend is Software as a Medical Device (SaMD). There's been a really big trend coming in with AI in just about every industry. You always see AI as kind of the new big thing for anything you can think of, but it has a lot of application in medical devices as well. A very popular use for AI that we see is image enhancement or sort of refining of an image or something out of a data store, getting it a little bit more clarity. Kind of in a recent example that we've seen is an X-ray imaging enhancement software that takes an X-ray out of a medical device kind of data system, enhances it in the event that something went wrong with the X-ray if there was a low radiation dose or someone got a bad angle when they were trying to record it. Then it creates a more accurate portrayal of what's actually behind the X-ray, instead of needing to go back and redo the entire process, or sometimes it might not even be possible to redo the process if you're trying to diagnose a problem quickly. You don't really want to have much delay, and you don't want to have to go all the way back through the Radiology Ward. Yeah, and basically we're looking at, out of those two million devices, any device as a software component needs cybersecurity, and that could even be the firmware on the device. One of the devices that I don't know if AI is involved – because you're talking about AI – but one of the devices that kind of freaks me out a little bit are surgical robots. Right now, the robots are used to assist a surgeon, but in the near term, probably the next two years, those devices are going to be able to perform surgery by themselves. So imagine a surgical robot working on your spine, repairing something with your spine, like by itself, without any human interaction. If this device is compromised, obviously there could be some severe risk. And the same thing with telesurgery. A lot of these robots are operated remotely, so a physician or surgeon here in the United States, for instance, could perform surgery in Zimbabwe if they wanted to. But if that connection between the surgeon and the robot in Zimbabwe is compromised and there are delays, then the treatment that the robot is administering or the surgery could actually be catastrophic. So surgical robots are a real big one. We've worked with quite a few of those. What other devices are there that are some of the top devices that have cybersecurity challenges? So the definition of a cyber device, like you said, is really wide. It can be just about anything with a computer involved. We see a lot of diagnosis tools, so that could be like a little device that's performing an X-ray scan or outputting some sort of Doppler radiation to try to perform some diagnosis. We see a lot of analysis tools, something that will pull in cardiogram information and perform analysis, send out alerts if needed. Continuous monitoring systems, so like a continuous glucose monitor might be a good example of that, or an ECG monitor. Anything with a computer attached is going to fall under the lens of a cyber device. All those need to be secure, and the FDA requires it, and the equivalent in Europe requires it before these devices can even be sold on the market. One of the challenges I think we have today is there are a lot of legacy devices that were put on the market and have some sort of vulnerability before the regulators, such as the FDA, even had any cybersecurity regulations. Those devices have a lot of challenges as well, kind of like the ones that were running Windows IoT and the WannaCry affected them. That's definitely a really big problem – a lot of devices just left out into the wild. The most recent guidance for the FDA as far as securing cyber devices came out in September of 2023, and there's been a massive industry-wide push in the United States, in Europe, and most countries that are making a big push for cybersecurity and really understanding the impact, especially in the medical sector. And these devices that haven't gone through the rigorous screening process that's enforced at this point, they can be hard to control, and sometimes the risk landscape isn't necessarily known very well. Since part of the initial submission process for any of these devices is to understand what the threat landscape is, do threat modeling exercises, know what could happen, test to see if it can actually happen, and fix it based on that, none of this happened. So, I hear that term – sorry to interrupt you – I hear that term