Q&A: Creating a New Definition of Medical Device Security
Earlier this year, DSS announced that it had added security solutions developed by PFP Cybersecurity (PFP) to its suite of solutions. The foundation of this partnership is providing visibility into vulnerabilities in medical device hardware components and firmware.
Brion Bailey, director of the public sector business development for DSS, and Carlos R. Aguayo Gonzalez, PhD, the founder and chief technology officer of PFP, recently authored a guest article in 24x7 Magazine about the need for a new definition of medical device security.
In the following Q&A, Brion and Carlos dive further into this topic and highlight key use cases around how PFP’s offerings can help create a new level of medical device security.
The following has been edited for length and clarity.
Q: Before we talk about what DSS and PFP Cybersecurity covered in the recent 24x7 Magazine guest article, can you both outline the challenges when it comes to medical device security?
Brion: Having worked in the medical device industry for more than 25 years, our biggest challenge related to medical device security is the inclusion of “secured by design”, specifically for devices like IV pumps, ventilators, bedside monitors, and C-Arms. I would add that “non-medical” devices that operate within hospital environments also present significant opportunities for attack. IP cameras, for example, are connected to the hospital network and increase the “attack vector” for adversaries. The Inspector General noted some of these concerns in a report published in January 2024 [1] regarding IP cameras manufactured in China.
Medical devices are primarily designed with patient safety and efficacy in mind, not security, Historically, patching firmware and addressing security vulnerabilities have taken a backseat to the initial design and ongoing software updates that enhance patient safety and treatment efficacy. For example, IV pumps are designed to monitor infusions, prioritizing accurate and safe drug delivery over robust security features.
Our challenge is shifting the industry’s focus from solely prioritizing patient safety to incorporating secure design principles. These devices are now commonly connected to hospital networks, so they no longer operate in isolated environments. Clinical engineers and IT (Information Technology) staff are faced with a broader ecosystem of device connectivity, as the critical data generated by these devices is vital to the electronic medical record of the patient.
I believe the priorities for development and sustainment, namely patient and device safety, can coexist. Implementing an integrity assessment for hardware and software validation within the manufacturing and supply chain processes could measurably reduce the “attack vectors” these devices currently present to adversaries. These assessments also provide valuable data on product life cycle management.
One final note: According to an article published in the HIPPA Journal on June 20, 2024: “in 2023, an average of 1.99 healthcare data breaches of 500 or more records were reported each day, and on average, 364,571 healthcare records were breached every day.” Healthcare, as a sector, will continue to see escalation across many of its vulnerable ecosystems.
Carlos: There are a couple of major challenges in cybersecurity for medical devices. First, it’s an incredibly challenging time right now with numerous new disclosures and vulnerabilities emerging. Adversaries are targeting more facilities and individuals, making it a tough environment to navigate.
Medical facilities host many connected devices, many of which are safety-critical and often legacy systems that don’t get updated frequently. The pace of change in the cybersecurity world is rapid, with new exploits and techniques emerging constantly. This makes it difficult to keep up, especially given the asymmetric nature of the threat, where attackers often have the advantage.
Another significant challenge is the greatly expanded attack surface in recent years. Adversaries are now targeting devices and parts of devices that were previously not as commonly attacked. This includes vulnerabilities in the supply chain, where adversaries can exploit weaknesses in the hardware and firmware. Addressing these vulnerabilities is crucial to enhancing the overall security of medical devices.
Q: How do these challenges map back to the need for a new definition of security for medical devices, as highlighted in the article?
Brion: I believe the definition of security for medical devices should be extended to include the supply chain. During the COVID pandemic, it became evident that the supply chain was compromised, particularly with chips and computer components used in medical devices.
Therefore, the definition of security requirements should encompass the authenticity and assessment of the components built into these devices.
It's not just about the ongoing production of medical devices but also about how components are acquired through the supply chain. This calls for a new definition that aligns more closely with many existing standards, such as those from NIST. The FDA is also introducing new standards that have yet to be fully integrated into the healthcare sector for medical devices.
Moreover, it's crucial that the definition includes some level of authentication for how manufacturers acquire the components to build these devices. Medical devices like laptops rely on parts from hundreds of manufacturers for chips, firmware, BIOS, and power supplies.
Manufacturers often don't have a single source for these components and need backups in case of shutdowns or backorders. Including non-traditional manufacturers in the supply chain can increase vulnerabilities, making it essential to ensure the authenticity and security of all components.
Carlos: Staying ahead of adversaries requires a more proactive approach, particularly given the expanded attack surface and vulnerabilities in the supply chain.
We need a broader view of device integrity that goes beyond traditional software-centric approaches. While these approaches were effective against software attacks, they are insufficient when adversaries can compromise hardware and firmware. Traditional methods lack the capability to address threats at these lower levels.
To ensure the integrity of the entire device, we must start with the hardware and firmware bill of materials. This comprehensive view is critical to protect devices from intrusions, counterfeit parts, and other malicious modifications that can harm patients and compromise data.
In addition to screening devices to secure the supply chain, real-time assessment and continuous monitoring are essential. This monitoring can detect if devices begin to act abnormally due to component tampering or cyberattacks occurring later in the device's lifecycle.
There is a significant blind spot regarding visibility into lower-level components. Therefore, the definition of security for medical devices must be expanded to cover these areas comprehensively.
Q: Please tell us how DSS and PFP Cybersecurity are creating this new definition by providing a new technology that can analyze medical device integrity without compromising device operation or connectivity?
Carlos: Absolutely. We are providing the critical tools that enable this new definition of security. PFP technology is an integrity assessment approach that evaluates device integrity without compromising device operation or connectivity.
PFP works by monitoring unintended analog emissions, or side channels, from the devices. It doesn't analyze system calls or network traffic but focuses on emanations directly from the devices during operation. These emissions are fed into machine learning algorithms to establish normal patterns and identify deviations from expected operations.
If an adversary disrupts the device at the hardware or firmware level, these modifications will be reflected in the unintended analog emissions. PFP can detect these disruptions immediately. Essentially, PFP acts like a biometric for devices, ensuring they are what they claim to be and perform only their intended functions.
PFP can be deployed completely air-gapped from the devices, introducing no additional processing overhead or latency and without disrupting device operation. It allows us to assess the integrity of network-connected devices and their components, even down to the chip level. Additionally, PFP can be used for continuous monitoring of devices, detecting anomalous behavior in real-time as they operate.
Brion: I believe there's a compelling case for redefining device cybersecurity. Integrity assessments that combine hardware and software verification should be foundational in any systematic definition of cybersecurity. Secured by design, as stated by CISA, should be a core business requirement, not a technical feature. This new definition will evolve as adversaries continue to maneuver with new attack vectors.
As Carlos noted, there's a significant gap in authenticating various levels of hardware, from the chip level up to the final device component build. Today's opportunity lies in filling these gaps within the current cybersecurity framework, which predominantly emphasizes software.
Regarding the creation of a new definition, many CIOs, CTOs, and CISOs across various sectors—including healthcare—have robust visibility into software vulnerabilities but lack visibility into hardware specifics such as firmware and chipset. This lack of insight means they cannot verify if devices operate according to a defined signature aligned with a “gold” database or specific device standards as defined by the OEM.
Expanding the definition of cybersecurity to incorporate hardware authentication and continuous monitoring is crucial. This evolution enhances security measures and prepares us to detect and mitigate potential device failures proactively.
Q: How does this innovation allow medical facilities and leaders to evaluate the risk profile of their networks?
Carlos: PFP offers stakeholders visibility into traditionally opaque areas, significantly enhancing their system awareness with rapid notifications if issues arise. This visibility provides a comprehensive overview of their device landscape, highlighting any anomalies that need immediate attention. This targeted approach allows efficient resource allocation, prioritizing devices showing abnormal behavior without the need for wholesale replacement, which is often impractical for facilities.
Moreover, PFP enables continuous monitoring of safety-critical devices without requiring recertification, even in air-gapped environments. It delivers instantaneous alerts upon detecting deviations from expected performance, thereby bolstering supply chain risk management and overall cyber resilience. This capability extends to detecting sophisticated attacks, supply chain vulnerabilities, and advanced persistent threats—areas where traditional solutions typically lack insight.
Importantly, PFP achieves this without disrupting system operations, ensuring ease-of-use and scalability. It empowers organizations to swiftly detect, mitigate, and remediate potential threats, reinforcing their cybersecurity posture effectively.
Brion: From a risk profile perspective, there are three critical areas to consider.
First, financially, hospitals and medical facilities face the challenge of monitoring thousands of connected devices without overwhelming their resources. For instance, a major federal healthcare agency manages over 450,000 medical devices with limited daily performance visibility and ongoing human resource limitations. Our solution provides enterprise visibility that is currently impractical to achieve financially without scaling up their workforce with a credentialing level of expertise that doesn’t exist in the marketplace. It also allows them to monitor device performance effectively, crucial for maintaining operational integrity and avoiding potential financial implications from device malfunctions.
Second, operationally, the sheer scale of devices—from IP cameras to IV pumps—across regional or enterprise networks presents a daunting challenge. PFP enables rapid assessment of device risk profiles within specific hospital settings, identifying and addressing abnormal operations in real-time. This capability enhances operational decision-making compared to retrospective forensic approaches following security incidents.
Third, clinically, healthcare providers prioritize patient care over device security monitoring. Intrusions into medical devices may go unnoticed, posing risks to patient safety. Our solution helps evaluate risks across these pillars—financially, operationally, and clinically—ensuring devices perform securely while clinicians focus on patient well-being. I just attended a conference where one of the leading government Cyber strategists included the following statement “Cybersecurity = Patient Safety”. I couldn’t agree more!
Overall, PFP supports healthcare facilities in managing device security risks comprehensively, addressing financial, operational, and clinical concerns effectively to safeguard patient care and operational continuity.
Q: Can you share some use cases of this technology in action?
Brion: Yes, several ongoing use cases already demonstrate the effectiveness of this technology. It's currently deployed within the Department of Defense, which is known for its stringent security standards. .
Our focus, Carlos’s and the team’s, has been on introducing non-intrusive use cases into clinical environments. For instance, we see potential in deploying this technology with IP cameras and in warehouses that handle parts and components before they reach hospitals or healthcare facilities.
Imagine a scenario where warehouses receive chips, boards, and components for medical devices, which are then shipped to hospitals. There's a strong case for credentialing these components in the warehouse environment, assigning unique identifiers in the software. This preemptive step allows hospitals to scan and credential items upon receipt, ensuring no compromise in the supply chain—a critical area vulnerable to potentially fraudulent activity.
Regarding IP cameras, the GSA report cited earlier highlighted that 70% of their components come from countries like China, posing security risks. Our technology can effectively manage credentialing and identify abnormal device behaviors, whether due to firmware issues or other factors, without necessarily indicating fraud or counterfeit components.
These use cases clearly demonstrate our technology's value proposition. While the primary focus remains on medical devices, achieving widespread adoption will require pragmatic steps. Medical device manufacturers need to integrate these solutions into their builds over time. In the interim, our technology fills an immediate gap, benefiting both medical and non-medical devices within healthcare facilities.
Carlos: Yes, we've collaborated heavily with the Department of Defense on various projects. These include monitoring IoT devices and industrial controllers, detecting attacks on PLCs, and ensuring the integrity of network infrastructure by identifying counterfeit parts and firmware changes.
Our work extends to UAVs, where we focus on security in unmanned aerial vehicles, and recently, we've emphasized microelectronics supply chain assurance, specifically in detecting tampering at the chip level.
Additionally, we've conducted inspections for server supply chains and ground vehicle components, aligning with our commitment to ensuring integrity and security across diverse technologies. At forums like the SIA GovSummit Conference, we've presented insights from this work, highlighting our approach to inspecting cameras for unintended analog emissions using Power over Ethernet (PoE) connections with PFP monitors. This process feeds data into machine learning algorithms to detect anomalies in device behavior.
Our work spans various use cases, emphasizing the integrity and visibility that PFP technology brings. This capability is crucial for enhancing cybersecurity and resilience, particularly in sensitive environments like medical facilities.
As a parting shot, I would like to add that the current threat landscape is increasingly sophisticated, demanding a comprehensive security approach that covers not only software but also hardware and firmware.
These lower-level components must be secured with the same rigor as software to mitigate evolving threats effectively. Our technology enables thorough inspection of devices at these levels, making it imperative for medical facilities to adopt these measures to meet regulatory compliance and ensure patient safety. This holistic approach to security is essential in safeguarding against today's advanced adversaries.
Brion: I’d also like to add that the healthcare sector faces a difficult dilemma. Organizations are reluctant to invest in cybersecurity until after experiencing a breach, which often proves too late and costly.
It's a challenging environment where automation plays a crucial role. We emphasize maintaining a patient-centric approach while bolstering IT-centric solutions that provide scalable visibility. This approach contrasts with simply adding more personnel, a strategy many hospitals find financially challenging to justify until they experience a breach.
We would like to thank both Brion and Carlos for sharing their insights with us! To learn more about the DSS and PFP offering for enhancing medical device security, please click here.
[1] U.S. General Services Administration, January 23, 2024, “GSA Purchased Chinese-Manufactured Videoconference Cameras and Justified It Using Misleading Market Research,” https://www.gsaig.gov/sites/default/files/audit-reports/A220070-2%20Final%20Report.pdf