and human logic flaws are discovered. While tools are used, there is a human aspect to the assessment process.
Sadly, not all companies have the time or resources to have a mature secure SDLC that includes all of the right tools being used in the right way. In cybersecurity there is a phrase called “Separation of Duties” (SoD). In this specific context, it is important to have some SoD between the software developers and the cybersecurity team signing off that the software is ready for production. If a software developer checks the software, they may or may not adhere to the requirements depending on the person or context. They may or may not ensure that what goes onto the market does meet FDA security requirements.
Software development has shifted considerably over the years. What is common now is an iterative approach to software development known as scrum. Many years ago, software was only created in versions. The first version was 1.0. Bug fixes could take it to 1.01. while minor revisions could take the software to 1.1. Larger revisions would go to 2.0. While versioning is still common and highly practiced, when it comes to the cloud aspects of development, an iterative model is much more common. Iterative means the product continually improves as part of the Software-as-a-Service. It is also a good business practice to ensure you continually evolve to meet the client's needs. The challenge here is for that development to be continually secure—assuming the software was secure to begin with. It takes time to perform the aforementioned penetration tests. Given that updates can now occur multiple times a day, it is a challenge for security to keep up.
Wireless
There are multiple types of wireless connections for medical devices. The full range of wireless connectivity includes Wi-Fi, near-field communications (NFC), cellular, Bluetooth, and occasionally RFID. All have their strengths and weaknesses—especially when you consider the potential 20-year life span.
Wi-Fi is particularly attractive for many of the remote monitoring capabilities built into connected medical devices. There is an easy bridge to the internet, which means the system can be monitored in the cloud (more on the cloud in a while). From there, hospitals, doctors, and patients can be alerted in a moment's notice if there are any issues. As a result of COVID-19, the wireless technologies are gaining in popularity—especially as they relate to telemedicine. They are also important for some hospitals that have rooms that block cellular service (as a byproduct of blocking other systems).
Over Wi-Fi's comparatively long history there have been a great number of improvements, not only from the functional standpoint, but also with regard to security. The precursor to Wi-Fi, Wavenet, was created back in 1991—just after the dawn of the internet. Wireless signals were not encrypted back then. It would not be until 1997 that Wire Equivalent Privacy (WEP) was created and included with Wi-Fi devices. It had a 10- or 26-digit key written in hexadecimal, but with modern technology WEP can be hacked in under a second. What replaced WEP is Wi-Fi Protected Access or WPA. This was back in 2003. Now WPA has had several different iterations—WPA, WPA2, and WPA3. WPA3 was most recently included in modern Wi-Fi devices in 2018. The upgrades in encryption are substantial between the versions, but each one was replaced partially because vulnerabilities were discovered in the system.
Vulnerabilities are not the only problem with Wi-Fi. Configuration is also a huge problem. Many systems are configured to be encrypted. This is important because anyone in range can sniff the traffic over that connection. Having performed many Wi-Fi assessments myself, I know it is a very common problem. Interestingly enough I was just reading about a case where the FBI warned against using hotel Wi-Fi for work purposes because of the often-lax security standards in Wi-Fi configurations.21 Not every company gets Wi-Fi security right. Combine this with hospitals using IoMT systems for extended periods of times, and old insecure protocols in Wi-Fi are required to support older devices.
But let us switch to cellular systems. Right now, we are seeing the shift from 4G cellular technology to 5G technology. For many devices switching from one technology to another is not a huge challenge—often, but not always, it is a feature that can be plugged into a motherboard that can be easily replaced. But, as you may have guessed, cellular technologies are not without their vulnerabilities that can be easily exploited. One of the black market accessible devices are “Stingrays,” which are also known as International Mobile Subscriber Identity “(IMSI) catchers.”22 They are capable of interfering with cellular communications. From a hospital's perspective this is extraordinarily dangerous because some of their systems are dependent on cellular communications. In security shorthand, this is an attack on availability.
Another weakness in cellular technology is something referred to as SS7 and the IP version of the protocol known as SIGTRAN—protocols designed more than a decade ago. They were designed without considerations to modern security. No one had envisioned the widespread use of wireless technology. The current 4G protocol is based on Diameter. Diameter, without getting too technical, is a protocol that enables validation of technology, and sometimes users, over a network. Now it is built on the internet protocol, but is essentially only marginally better. But what is worse, in early 2019, a new flaw was discovered that allows attackers to intercept calls and track phone locations. This is true for both 4G and 5G cellular service,23 despite the newer protection in 5G.24
Several more pages could be devoted to exploring the intricacies of vulnerabilities in cellular service, but the point here is that cellular technologies also have vulnerabilities as a key aspect of the technology. But let us turn our attention to short-distance wireless communication—with exceptions, this typically means Bluetooth. Bluetooth development was initiated in 1989 by Ericsson Mobile in Sweden. The purpose of Bluetooth was essentially for wireless headphones. Of course, the uses for Bluetooth have expanded well beyond that (yes, including medical devices) to the point where it is almost ubiquitous around the world. What is unique about Bluetooth compared to other technologies is that it is easy to trick users into allowing a connection to a device. This process is so common that it has a name—BlueSnarfing. This brings the fallible human element to the security of systems in the environment. But what is more alarming is the sheer number of vulnerabilities that have appeared over the years. At the moment of writing this, in 2020 alone there have been 49 vulnerabilities found in Bluetooth. Many of the vulnerabilities allow for access to the full system. Four of them are from the applications designed to help with COVID.25
If you extend the timeline back to 2002 when the MITRE corporation was publicly tracking the vulnerabilities, at the time of this writing, there were 388 vulnerabilities. As fantastic as MITRE is, this is far from a complete list. For example, on March 3, 2020, the FDA released a warning about a set of vulnerabilities known as “SweynTooth.” SweynTooth affected certain medical devices that utilized Bluetooth Low Energy—in particular, pacemakers, glucose monitors, ultrasound devices, electrocardiograms, and monitors. This was not listed by MITRE.26 In a worst-case scenario the vulnerability can stop a device from working, or allow an attacker to access the device functionality, which is usually available only to authorized users.27 While the attack would have to be within a few feet, the Homeland scenario of stopping a pacemaker does not seem so farfetched.
The SweynTooth family of vulnerabilities was linked in part to manufacturers of microchips. Think of a microchip as a tiny part of a motherboard. This means that the fault may not be with the makers of the motherboards, but with some of companies that help with subcomponents of the motherboards. The challenges from a security standpoint are widespread to say the least.
NFC has a very short range—roughly
