Discussing best practices for patching legacy medical technology, and the unique challenges of smaller devices

by Gus Iversen, Editor in Chief | May 01, 2020
Sagar Patel
From the April 2020 issue of HealthCare Business News magazine

As devices age, their software becomes increasingly vulnerable to cybersecurity threats. Patching these vulnerabilities is critical, but it isn’t always easy. For example, smaller and lower-power medical devices are often not compatible with conventional IT strategies.

HealthCare Business News sat down with Sagar Patel, cybersecurity software engineer at Battelle Memorial Institute, to discuss these challenges and what HTM departments can do to keep themselves protected.

HCB News: It seems that every year we see a greater emphasis on medical technology software cybersecurity. In what ways does an aging technology fleet create vulnerabilities?
Sagar Patel: There are multiple factors that come into play when considering vulnerabilities associated with an aging technology fleet.

One is legacy software. A major chunk of devices that have been on the market for more than 5 to 10 years do not have software update capabilities, and if they do, the updates are rarely made. These devices have been running old and vulnerable code, which may include both proprietary code and third-party dependency code.

Another is lack of end-of-life guidance. Traditionally, medical device manufacturers have not dictated an end of life for their specific products. In such scenarios, the customers keep on using the devices many years beyond when they should have been retired due to lack of updates or security issues. The landscape here is changing, and more and more manufacturers are providing end-of-life guidance with their devices when they are sold.

Proprietary protocols / security by obscurity are additional factors. Historically, a lot of medical device manufacturers relied heavily on proprietary communication protocols or proprietary authentication schemas, which hadn’t been verified to be secure. This sort of security can be relatively easily reverse-engineered to find security vulnerabilities within it.

A major chunk of software running within any medical device relies on third-party libraries. Oftentimes these libraries become deprecated or aren’t updated to protect against emerging security vulnerabilities. Hence the medical devices inherit the vulnerabilities from the third-party code they are using. Lack of regular software patches adds to this issue and exacerbates it.

Finally, lack of regular updatability has been a security weak spot. Until now, a lot of medical devices have been designed without taking regular updatability into consideration. This has led to irregular updates, if any, and allows medical devices to become hotbeds for security vulnerabilities that could be misused as a pivot to target the network they are connected to.
