A recent cybersecurity risk recall of a ventilator serves as a real-life demonstration of the security risks that persist. The Food & Drug Administration (FDA) characterized this as a Class 1 recall. This designation means the issues could threaten patient safety. The manufacturer pulled the device as a precaution, as there are no reports of injuries or deaths.
The company first identified weaknesses in November of 2024 and completely pulled the device. It will no longer produce, distribute, or service these machines.
Ventilators are a critical component in keeping patients alive. A vulnerability in these devices has the potential to put patients at risk. While the hacking of medical devices in an attempt to hurt those using them has been rare, it’s still a legitimate threat.
So, why did the situation occur? Was the medical device secure by design?
What Is Secure by Design?
Secure by design prioritizes security from the beginning of the device’s development life cycle. It’s a proactive framework, intending to mitigate security issues early. The result is typically a more robust and reliable product.
There are several key principles in secure by design, including:
- There is an emphasis on secure coding, with actionable outcomes such as the development of a software bill of materials (SBOM). It’s a requirement of the FDA per their 2023 guidance.
- Security is a core component, not a separate initiative.
- Initial development involves a risk-based method to identify and address risks.
- There’s consideration for security throughout the product’s life cycle, from conception to testing to in-use.
The Advantages of Using Secure by Design in Medical Devices
Medical device cybersecurity is constantly evolving as new threats emerge. It’s in flux right now for many reasons, including the cuts to the FDA and the Cybersecurity and Infrastructure Security Agency (CISA).
This volatile environment means that secure by design is more essential than ever. When manufacturers use this strategy, benefits include:
- Reduction in exploitable weaknesses: This can improve further with regular vulnerability scanning, a patching update workflow, and penetration testing.
- Enhanced reliability and resilience: Secure design principles deliver a system more able to handle cyberattacks. Medical devices must be reliable. Otherwise, providers and patients lose trust.
- Cost savings: Manufacturers following a secure-by-design approach can avoid expensive remediation efforts.
- Regulatory compliance: The FDA regulates these devices, and there are multiple regulations to adhere to. Secure by design helps ensure you are in compliance.
Medical Device Cybersecurity Compromise: What Were the Ventilator Weaknesses?
Secure by design may have been a goal of this manufacturer, but the findings of the risk imply it wasn’t effective.
The vulnerabilities detected included:
- No encryption of passwords or other sensitive information, making it easy for hackers to access
- Physical port exposure, which would allow a hacker to plug a piece of hardware into the ventilator
- Minimal authentication for those testing and calibrating the device
These are glaring cybersecurity risks. However, all these things — encryption, physical security, and authentication — are all part of basic medical device cybersecurity best practices.
What Can Medical Device Manufacturers Learn from this Recall?
The first step would be to assess how secure by design your devices are. After the FDA’s 2023 guidance, there were major shifts in requirements for new devices. However, they don’t apply to legacy devices. You’re likely to have weaknesses there.
Something else to consider is reviewing SBOMs for all devices and ensuring you’re monitoring for vulnerabilities against code.
The third action step is to tighten up your device updates after they are in use to protect against new threats.
Finally, find a medical device cybersecurity expert to help you with the entire cybersecurity life cycle. This expertise could be the key to preventing an attack, breach, or removal of a device.
Get started by booking a consultation with our team today.