    Episode 3 · October 29, 2024 · 22m listen · 1,174 words · ~6 min read

    Hidden Vulnerabilities in Medical Devices: Why Cybersecurity Matters | Ep. 2 - Full Transcript | The Med Device Cyber Podcast

    Read the complete, searchable transcript of Episode 3 of The Med Device Cyber Podcast - expert conversations on medical device cybersecurity, FDA premarket and postmarket guidance, SBOM management, threat modeling, and penetration testing.

    Episode summary

    This episode of "The Med Device Cyber Podcast" examines the role of cybersecurity in medical devices and how exploitation of a device can affect patient safety and public health. It surveys the range of devices involved, from in-vitro diagnostics (IVDs) to software as a medical device (SaMD) and surgical robots, emphasizing that any device with a software component, including firmware, requires cybersecurity. The discussion covers the evolution of medical device regulation, with a focus on the FDA's September 2023 guidance and the challenges posed by legacy devices fielded before cybersecurity requirements existed. A key segment introduces threat modeling using the MITRE playbook: a systematic approach to identify, assess, and mitigate vulnerabilities. The episode distinguishes non-directed attacks, such as the WannaCry worm, from directed attacks that target a specific device's vulnerabilities. It also touches on cyber-physical systems (CPS) and the physical interfaces that cybersecurity discussions often overlook. The conversation closes on the consequences of a medical device compromise, from misdiagnosis and patient harm to tainted supply chains and exposure of sensitive patient data, and the resulting need for proactive security measures.

    Key takeaways from this episode

    • Medical devices with software components, including in-vitro diagnostics, SaMD, and surgical robots, are all susceptible to cyber exploitation, underscoring the universal need for robust cybersecurity across the medical device landscape.
    • Threat modeling, as exemplified by the MITRE playbook, is a crucial systematic process for identifying potential vulnerabilities, assessing risks, and developing effective mitigations in medical devices.
    • Both non-directed attacks (like widespread worms) and directed attacks (targeting specific vulnerabilities) pose significant threats to medical devices, necessitating comprehensive security strategies that address both broad and targeted exploitation vectors.
    • The exploitation of medical devices carries severe consequences, including misdiagnosis, patient injury or death, compromise of sensitive patient data, and widespread public health impacts through tainted supply chains.
    • The FDA has recently strengthened its cybersecurity guidance for medical devices, reflecting a growing global recognition of the importance of product security in medical technology.
    • White hat hackers play a vital role in identifying and mitigating vulnerabilities in medical devices by employing the same tactics as malicious actors but with ethical intent, thereby enhancing product safety and reducing the overall threat landscape.

    Full episode transcript

    We are back with episode two of the podcast. Hey, Christian, how are you doing today? I'm doing awesome. It's a great day today. I'm looking outside; the lake is beautiful. What are we covering today in this podcast, Trevor? All right, today we're going to be looking at some of the types of medical devices and then how medical devices get exploited. So, a little bit more about what's happening inside the device during an exploitation, and then some of what can be applicable to different medical devices, some of the concerns around different types of devices that we see fielded in the market, and sort of the final outcome: what happens in the case of successful exploitation? Awesome. There are a lot of different types of medical devices, and before I got into this field, and I've been in this field since 2015, I hadn't really thought about medical devices too much. I don't think many people really think about medical devices until you need one. If it's not available or it's been compromised, then it could obviously affect your health or even potentially cause death. Like one of the first devices we worked on in 2015 was an IVD device, or in-vitro diagnostics device. This is a device that took a sample of your blood, determined what was wrong with the blood, like if you had a specific bacteria, if you had sepsis, and then recommended a course of action or course of treatment, like a specific type of antibiotic. What's interesting about in-vitro diagnostics is if the integrity of the analysis is altered, it could result in a false treatment. So if somebody has sepsis and the device fails to say they have sepsis, it gives a false result. That patient can die. I didn't really understand that until I actually got into medical devices and the cybersecurity space of that. What are some other devices that you know of, Trevor? It's such a wide field; there are estimated to be around 2 million different medical devices out in the field right now, which covers a pretty wide range.
One that we're seeing as a pretty popular trend is Software as a Medical Device (SaMD). There's been a really big trend coming in with AI in just about every industry. You always see AI as kind of the new big thing for anything you can think of, but it has a lot of application in medical devices as well. A very popular use for AI that we see is image enhancement, or sort of refining an image or something out of a data store, giving it a little bit more clarity. A recent example we've seen is X-ray imaging enhancement software that takes an X-ray out of a medical device data system and enhances it in the event that something went wrong with the X-ray, if there was a low radiation dose or someone got a bad angle when they were trying to record it. Then it creates a more accurate portrayal of what's actually behind the X-ray, instead of needing to go back and redo the entire process. Sometimes it might not even be possible to redo the process if you're trying to diagnose a problem quickly. You don't really want to have much delay, and you don't want to have to go all the way back through the Radiology Ward. Yeah, and basically we're looking at, out of those two million devices, any device with a software component needs cybersecurity, and that could even be the firmware on the device. One of the devices – I don't know if AI is involved, because you're talking about AI – but one of the devices that kind of freaks me out a little bit is surgical robots. Right now, the robots are used to assist a surgeon, but in the near term, probably the next two years, those devices are going to be able to perform surgery by themselves. So imagine a surgical robot working on your spine, repairing something with your spine, by itself, without any human interaction. If this device is compromised, obviously there could be some severe risk. And the same thing with telesurgery.
A lot of these robots are operated remotely, so a physician or surgeon here in the United States, for instance, could perform surgery in Zimbabwe if they wanted to. But if that connection between the surgeon and the robot in Zimbabwe is compromised and there are delays, then the treatment that the robot is administering, or the surgery, could actually be catastrophic. So surgical robots are a real big one. We've worked with quite a few of those. What other devices are there that are some of the top devices with cybersecurity challenges? So the definition of a cyber device, like you said, is really wide. It can be just about anything with a computer involved. We see a lot of diagnosis tools, so that could be like a little device that's performing an X-ray scan or outputting some sort of Doppler radiation to try to perform some diagnosis. We see a lot of analysis tools, something that will pull in cardiogram information, perform analysis, and send out alerts if needed. Continuous monitoring systems, so a continuous glucose monitor might be a good example of that, or an ECG monitor. Anything with a computer attached is going to fall under the lens of a cyber device. All those need to be secure, and the FDA requires it, and the equivalent in Europe requires it, before these devices can even be sold on the market. One of the challenges I think we have today is there are a lot of legacy devices that were put on the market, and have some sort of vulnerability, before the regulators, such as the FDA, even had any cybersecurity regulations. Those devices have a lot of challenges as well, kind of like the ones that were running Windows IoT that WannaCry affected. That's definitely a really big problem – a lot of devices just left out in the wild.
The most recent guidance from the FDA as far as securing cyber devices came out in September of 2023, and there's been a massive industry-wide push in the United States, in Europe, and most countries that are making a big push for cybersecurity and really understanding the impact, especially in the medical sector. And these devices that haven't gone through the rigorous screening process that's enforced at this point can be hard to control, and sometimes the risk landscape isn't necessarily known very well. Since part of the initial submission process for any of these devices is to understand what the threat landscape is, do threat modeling exercises, know what could happen, test to see if it can actually happen, and fix it based on that – none of this happened. So, I hear that term – sorry to interrupt you – I hear that term