24x7 Magazine: Real-World Vulnerability Scenarios for Protecting Medical Devices

While there has been a significant rise in medical device use, the reality is that they are shockingly vulnerable. This is because visibility into vulnerabilities with hardware components (for example, chips, boards, and power supplies) doesn't exist and it puts millions of patients at risk.

Fortunately, new technology from DSS and PFP Cybersecurity can be easily deployed. It is complementary with existing security systems that have been developed, taking advantage of existing security investments, and providing an added layer of visibility and security.

In a recent 24x7 Magazine guest article by Brion Bailey, director of the public sector business development for DSS; and Carlos R. Aguayo Gonzalez, PhD, founder and chief technology officer of DSS partner company PFP Cybersecurity, they highlighted three dynamic use cases that rely on this new innovation.

Here they are:

1. Stopping Threats at the Source - Device Credentialing: Medical devices could be scanned in a warehouse environment before deployment in a patient care environment to match a scan produced by the manufacturer, addressing vulnerabilities or misconfigurations.

   PFP Cybersecurity solutions can evaluate these so-called "side channels" to create a baseline measurement and assess the integrity of the hardware and firmware inside the device.

2. Video Surveillance Cameras - the Onramp for Attackers: Video surveillance internet protocol (IP) cameras were developed without much consideration for security. Hackers can exploit the vulnerabilities in IP cameras as a gateway into segmented networks, moving laterally to access other devices in the network, delivering malware to field and Operation Technology (OT) devices such as programmable logic controllers, or PLCs, even on an isolated network, and then erasing their tracks.

   PFP Cybersecurity solutions can detect deviations in hardware and firmware from approved configurations, such as counterfeits, chips from banned origins, tampered firmware, a Mirai botnet, Trojans, etc.

3. Microelectronic Supply Chain Assurance: According to the Department of Defense (DoD), 22% of Tier 2 and 72% of Tier 3 suppliers of 39 product lines rely on Chinese manufacturing. Most commercial off-the-shelf electronics used in DoD systems are fabricated overseas and could be tampered with to provide unauthorized access. The attacker could access such vulnerabilities later, even without direct network access. Current firmware integrity monitoring systems cannot detect these potential vulnerabilities.

   In 2021, the Department of Veterans Affairs (VA) issued Cybersecurity Directive 6500 about device integrity verification. This directive called for the VA to "employ integrity verification tools to detect unauthorized changes to selected software, firmware, hardware, and information."

   PFP Cybersecurity solutions can make this requirement far easier to accomplish. Out-of-band screening can verify the integrity of electronics from the individual chip level to complex systems at scale. Also, machine learning is used to create baselines and detect tiny changes in both design and behavior.

Medical devices remain a weak link in a world of escalating cyber threats. It's not a question of if a significant breach will occur again, it's when.

Fortunately, DSS and PFP Cybersecurity can make this new level of security a reality. We stand ready to assist medical facilities with their regulatory compliance, legal liability, and basic patient safety challenges.

For more on our partnership with PFP Security, please click here. To learn more about DSS, Inc., please click here.