The future history of medical device cybersecurity

In 1555, Nostradamus published his famous Les Prophéties containing obfuscated prophecies for the world to come. Some believe that one of these predictions pertains to the year 2020 and it reads, in part: “The false trumpet concealing madness / will cause Byzantium to change its laws.” Yeah… I have no idea what that means either!

In 1966 the late Arthur C. Clarke, a famous science fiction writer, predicted that we would have flying houses and be able to relocate on a whim by 2001. Well, we missed that one!

I reference these earlier works of failed prognostication in an effort to set the bar low for my own predictions of changes to medical device cybersecurity in the coming year, 2021.

The predictions

There are some easy predictions:

• The FDA plans to release the second draft of its mandatory guidance, “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” I predict the security tiering system that appears in the current draft will be removed. I also foresee an enhanced description of the Software Bill of Materials (SBOM) requirements, including human and machine readable SBOM formats.
• I further predict that there will be many medical device manufacturers who will be surprised that their medical devices need to be secure before they can be marketed. For some reason, this message never seems to reach a surprisingly high percentage of manufacturers, no matter how often it is repeated.
• Finally, I predict that Senator Mark Warner will continue his efforts to unite this country’s highly fractured privacy laws. As to his ultimate success, we will have to wait until after the Georgia runoff elections are complete.

The big cybersecurity revelation of 2021

I probably don’t need to tell anyone who is reading this article that ransomware is big. Really big.

The days of a disaffected teenager sitting alone in his basement handcrafting “agents of encryption” are long gone. As reported by EMSISOFT Malware Lab, in 2020 the global revenue generated by ransomware attacks was estimated at between 6 and 25 billion dollars!

Ransomware is big business, and it is run like a big business. Ransomware-wielding criminals are only interested in maximizing profits by increasing their return on the initial investment.

This business has evolved and grown to accomplish this financial goal:

• Simple agents that encrypt your files until you pay a ransom, evolved to…
• RaaS (Ransomware as a Service), where several major groups would be paid to attack specific targets, evolved to…
• Extracting company data from the victims and asking for an additional ransom to avoid shaming or IP loss through public disclosure of these files, evolved to…
• RaaS providers merging into a single, highly sophisticated organization targeting specific industries, evolved to…
• Auctioning the extracted company files off to the highest bidder! Plus…
• Cold calling the victims directly to demand ransom payments.

But businesses (aka “potential victims”) are also evolving to address the risks presented by ransomware, including more comprehensive backups, restoration, stronger authentication, detection, and training.

With the ransomware vendor’s viable attack surface shrinking due to their would-be victims’ mitigation efforts competing with their desire to increase profits year over year, what will the ransomware industry evolve into next?

I think I know. But I’m really, really hoping my prediction turns out to be just as inaccurate as Nostradamus’ and Arthur C. Clark’s. Here it is:

What industry has 10 to 15 million connected devices (in the US alone), has deep financial pockets, absolutely cannot have these devices unavailable for use, has tried to maximize profits by continuing to use old legacy devices for 15 to 20 years, cannot perform backups of these devices, does not have a time-effective means of updating a majority of the devices in the field, and cannot easily restore the essential performance of these devices if they are corrupted?

The answer is: the healthcare delivery industry. Everything I just described are characteristics of medical devices.

What has (probably) previously prevented this from happening is the sheer number of proprietary devices that, to all appearances, had little to no vulnerabilities in common with one another (unlike, for example, devices and systems using Windows-based PCs). But as we discover more vulnerabilities in commonly utilized third-party software components (TPSCs, aka SOUP – Software of Unknown Provenance), this will change. Think: Ripple/20, Amnesia:33, etc.

Similarly, discovering zero-day vulnerabilities in improperly secured medical devices is not nearly as difficult as discovering zero-day vulnerabilities on a PC. Typically, it only takes a couple of days of investigation by a security expert to uncover device vulnerabilities.

If a ransomware attacker can compromise multiple types of medical devices in a healthcare delivery organization (HDO), the attack could potentially take down all operations in that facility/organization.

Couple this with 2020’s rush by manufacturers to enable remote communications to medical devices for use on COVID-19 victims. How many of these remote-control systems were designed and implemented securely?

I think the hardest part of this is going to be how the HDO is ever going to completely recover from such an attack. Even in the scenario where the ransom is paid and the captured data and devices are restored by the attackers, how can any level of trust in the affected devices ever be re-established?

We are seeing something similar to this currently with the SolarWinds / SUNBURST attack: most recommendations for recovery are to wipe and re-create the infrastructure, including anything touched by SolarWinds Orion! Are hospitals prepared to take such an action? Are medical device manufacturers prepared to support them?

Fortunately, after 2017’s devastating WannaCry attack, HDOs started to demand more and better security for their infrastructures and the devices they purchase. Regulators worldwide are working to close the healthcare vulnerability gap. And medical device manufacturers are waking up and responding positively to these emerging market pressures.

As we work to secure future medical devices, my hope is that we can also retire and replace legacy devices that can’t be secured before another ransomware catastrophe occurs in healthcare. The resources medical device manufacturers need – information, training, best practices, expert guidance – are available. The question is: will they seek out and take advantage of those resources in time?

I sincerely hope so. Let’s make 2021 the year we proved my disaster prediction wrong, reversed the trends and mistakes of the past, and successfully secured the future of healthcare.