Blue Goat Cyber understands that the key objective of testing a medical device is often to help the manufacturer meet FDA cybersecurity requirements, such as those attached to Premarket Notification 510(k) and postmarket submissions. Our methodologies for medical device cybersecurity assessments and penetration testing follow the guidance in industry-accepted standards, including those from NIST, ISO, and the Center for Internet Security. Specific to FDA requirements, our test framework references the following standards:
Based on our FDA medical device cybersecurity compliance experience, our cybersecurity assessment protocol consists of the following activities:
For optimal outcomes, Blue Goat Cyber proposes a two-Evolution, test/retest approach. Within each Evolution, in addition to the testing itself, we dedicate time with our cybersecurity team for report clarification and knowledge exchange, helping you understand the findings and the remediation strategies.
After the Evolution 1 findings have been remediated, we repeat the cybersecurity assessment and penetration test to verify that the identified vulnerabilities were actually fixed. This second set of reporting documents a more robust security posture and therefore supports a more credible Letter of Attestation.
1. Preparation (Offsite). Before we travel to your facility, we prepare for the onsite visit. Preparation consists of document reviews and discussions with your team. The intent is to become familiar with your product and formulate a plan of action ahead of the visit, so that our time onsite is used efficiently.
2. Testing (Onsite or at Blue Goat's facility). We travel to your facility to perform the cybersecurity assessment and penetration test against your product; testing can also be performed at Blue Goat's facility if you ship the equipment to us. Testing consists of identifying every entry point into the system (Ethernet, fiber, WiFi, USB, serial, HDMI, and any others we find), the vulnerabilities associated with each entry point, and the exploitation of initial and follow-on vulnerabilities. Any critical finding is brought to your attention immediately. In addition, because of the nature of this engagement, we can share our test results with you as an end-of-day update each day.
3. Reporting (Offsite). At the end of testing, we generate a penetration test report that rank-orders the findings by criticality. For each finding, the report documents the exploitation step by step with screenshots and provides remediation guidance.
4. Report Presentation (Offsite). Once the report is complete, we send it to you and walk through it with you in a Zoom session.
Between Evolution 1 and Evolution 2, you work on fixing the issues identified in Evolution 1.
When you are ready for us to retest the medical device, we repeat the applicable steps of Evolution 1 as Evolution 2. This can be completed at Blue Goat's facility or at yours.
At the end of Evolution 2, we issue a Letter of Attestation that summarizes the scope, findings, and overall risk rating for the medical device. The Letter of Attestation is intended to be shared with customers, auditors, regulators, and similar parties.
Over the past few years, the Internet of Things (IoT), coupled with the ubiquitous nature of information technology, has produced an ever-expanding attack surface in which rapid development and added functionality routinely take precedence over security. For example, in 2016 the Mirai botnet used a short list of about 61 factory-default IoT usernames and passwords to take over consumer devices whose owners had never changed those credentials, then used them to disrupt access to many major U.S. websites in one of the largest Distributed Denial of Service (DDoS) attacks in history.
The healthcare industry is rapidly adopting IoT devices (often referred to as the Internet of Medical Things, or IoMT) to improve patient safety and change how healthcare workers deliver treatment. From medication administration to remote sensor monitoring, embedded medical devices are improving the quality of care and increasing patients' interaction with their providers. While this technology was created with good intentions, the lack of security in the product design phase is a major concern, and one that is likely to materialize as malicious action with grave consequences.
The consequences became clear in 2017, when researchers using equipment costing between $15 and $3,000 were able to intercept the radio-frequency communications of implanted cardiac devices. With that access they could reprogram the devices, altering the patient's heart rhythm and even draining the internal battery. As a result, the FDA recalled almost 500,000 pacemakers and required that the corrective firmware be applied in person by a provider. Researchers have also demonstrated similar capabilities against infusion pumps and MRI systems.
Non-networked medical devices may be operating at an even higher level of risk. Ease of physical access and the ready availability of RFID cloners contribute to a relatively weak physical security posture. In 2018, researchers demonstrated the ability to emulate and alter a patient's vital signs in real time using an electrocardiogram simulator they bought on eBay for $100.
In late 2018, the Department of Health and Human Services Office of Inspector General (OIG) critiqued the FDA's procedures for assessing postmarket cybersecurity risk to medical devices. In response, and to support its core mission "to ensure there is a reasonable assurance that medical devices legally marketed in the United States are safe and effective for their intended uses," the FDA outlined its ongoing efforts to improve medical device security.
According to the FDA, “Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require a risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.”
Blue Goat can help HDOs reduce that risk by evaluating the cybersecurity posture of your wired and wireless medical devices.
Contact us today to ask about our full range of penetration testing services. Together, we can significantly improve patient safety while reducing your organization's risk.
The number of cybersecurity incidents continues to climb. The variety of attacks continues to grow. It is no longer a question of if you will have a cyber event.