Health Hazards With Medical Device Software

Health Hazards With Medical Device Software

Medical devices can cause major damage upon failure by nature. Anything involved with providing a service relating to patient health may end up being disastrous when something goes wrong. In many cases, this can be pretty easy to understand. The failure of a critical device, such as a life support machine or a defibrillator has a very obvious and immediate impact. While it will often be less direct and apparent, purely software components can have major effects on patient safety as well.

Software As A Medical Device

Software as a Medical Device (SaMD) is any medical device that does not have a hardware component. This can work in many different ways, but a common one would be software to interpret imaging results or medication management tools. Not being tied to a hardware component makes these tools very flexible and easily deployed in a wide range of environments. They can also be less complicated for the manufacturer to produce, as well as being less costly.

New SaMD is being produced regularly as technology rapidly evolves. New tools rely on modern hardware and revelations such as artificial intelligence to push the limit of what was previously thought to be possible. Manufacturers are developing creative solutions that are revolutionizing the way modern medicine operates. As part of this process, development teams need to be sure that they are creating and releasing safe products.

Regulatory bodies, such as the FDA and EU MDR, require that medical devices, including SaMD, be tested for cybersecurity flaws with high levels of scrutiny. Attacks against medical infrastructure can be devastating, and comprehensive testing early and often is a great way to prevent these attacks. Developers may mistakenly see SaMD as less crucial to have proper security implementations, but this is far from the case.

Attacks Against SaMD

Attacks against SaMD will often be closer to more conventional cyber attacks than some other potential attacks against physical medical devices. Physical medical devices will often have very unique attack surfaces that can result in uncommon or entirely novel vulnerabilities. SaMD will typically have vulnerabilities more commonly seen in standard applications and services. This is on top of the less known vulnerabilities where SaMD is processing obscure data formats.

Standard vulnerabilities are typically exploited by attackers to either gain access to sensitive data on the machine hosting the vulnerable application or to use that machine to reach another machine. By nature of being medical devices, SaMD will often be processing sensitive patient information that must be tightly guarded. Attackers being able to find and exfiltrate this data can lead to massive breaches and a compromise in patient trust.

If a device can be used to gain leverage to further machines, this can lead to an attack chain that compromises the integrity of the entire internal network. Vulnerable software is a common starting point for ransomware operators looking for an initial foothold in a network. Medical environments are prime targets for ransomware due to the urgency of so many medical services, meaning the criminals view them as targets that are easy to force into hasty decisions.

Defending Against SaMD Attacks

Due to the complexity of SaMD and the wide range of applications, there are no easy set rules for protecting these classes of software. The class of vulnerabilities against the devices can be extremely wide and requires careful testing to provide maximum protection. The services of a security professional can be consulted to assist with this process. Ethical hackers and medical device security specialists can analyze potential threats against a device and map out appropriate fixes to reduce the overall risk as much as possible.

SaMD still should follow industry best practices for developing secure software. Proper CI/CD pipelines with DevSecOps integrations are critical to remediate vulnerabilities early and often. Many major vulnerabilities can be remediated through relatively minor fixes, but these can often be more complex as the development process moves along. No matter how early vulnerabilities are addressed, security is a very cyclical process. Fixes themselves can often introduce new vulnerabilities, so regular testing is vital to ensure that nothing slips through the cracks.

Before the release of the final product, deep and comprehensive testing should be conducted to find any final vulnerabilities. During the development process, it can be easy to find many classes of vulnerabilities through SAST, but certain vulnerabilities can be difficult to identify. Finding logic flaws and vulnerabilities that come from intended functionality and misconfigurations is difficult without comprehensive, hands-on testing.

Blue Goat Cyber specializes in assisting with medical device submissions and performing security testing at every step of the process. Our team can work with you to go through the FDA submission process and get your device to market with confidence that your product is safe from attacks.

Check out our medical device cybersecurity FDA compliance package.

Blog Search

Social Media