Keeping Your Medical Device Security Compliant with Live Patching

Today, the security of medical devices is becoming extremely important to assure customers and patients who interact with your devices that their health and personal information is taken seriously. Globally, regulators are increasingly requiring and verifying that devices are as secure as possible before and after product release. To continually address cybersecurity risks to keep patients safe and better protect public health, medical device manufacturers must comply with federal regulations. 

In the United States, the Food and Drug Administration (FDA) has published guidance that outlines requirements for medical devices that mandate a number of facets of device development and maintenance. Part of those regulations, called quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. Medical device manufacturers can always update a medical device for cybersecurity. But it becomes a challenging task when it comes to millions of wearable devices. IoT devices running on the Linux kernel need their security to be watertight. All of them should be updatable. And just as importantly, organizations need to be able to patch them as fast as possible.

Contents:

1. The Problem: Patching Embedded Linux Medical Devices
2. Healthcare IoT Hacks Threaten Patient Lives 
3. Ways to Protect IoT Devices
4. Timely Patching to Stay Compliant
5. Conclusion

The Problem: Patching Embedded Linux Medical Devices

IoT and other embedded Linux systems have their own unique cybersecurity challenges. The device is “always connected,” but there is no user interface that prompts users to download and install firmware updates and patches. It’s a struggle for manufacturers to continue patching their products after factory release, and this leaves medical devices open to the latest vulnerabilities. The FDA requires reasonable assurance that the benefits of medical devices to patients outweigh the risks, but unpatched devices fall out of compliance and don’t offer the protections necessary to safeguard patient data.

Just like Linux servers, indiscriminate rebooting of the system causes downtime and user interruptions. Unlike Linux servers, no user interface or prompts are shown to the user, so patching must be automatic and done seamlessly without interruption. Medical devices can collect data continuously throughout the day, so finding the right time is also essential for developers.

Unfinished downloads and partial updates are also an issue for device manufacturers. Any issues with patching could render the device unusable and must be factory reset. For healthcare professionals and patients, this issue can threaten the health of the user by missing essential vital signs or corrupting data.

Overall, cybersecurity of medical devices is a delicate process that must be done within a reasonable time to stay compliant but performed without interruptions to the device’s service. Reboots can cause numerous issues such as data corruption, interruption to data collection, and incorrect vitals feedback. The rise of attacks on these systems make them a target for cyber-criminals, so patching is essential to protect patients.

Healthcare IoT Hacks Threaten Patient Lives

Even with reboot hurdles, it’s still imperative that developers patch IoT firmware. Unpatched medical devices can be vulnerable to numerous attacks, and IoT in the medical field has a much higher impact on consumer safety. With the right malware, a device can malfunction and provide incorrect information putting a patient’s life at risk. Patient data can be collected and used in identity theft. 

In addition to threats to patients, unpatched Linux systems pose a threat to the Internet at large. Malware such as Mirai give cyber-criminals control of the device and use it in a botnet to launch global distributed denial-of-service (DDoS) attacks. One of the biggest DDoS attacks that took down DNS infrastructure at Dyn used hacked IoT devices to interrupt service.

Most developers are familiar with ransomware, but IoT ransomware brings its own level of threats to consumers and infrastructure. Instead of holding data ransom, IoT ransomware gives cyber-criminals control over the targeted device. Attackers can turn off devices, stop production lines, and manipulate data. In a medical setting, this could mean manipulation of user information and lead to misdiagnosis and faulty functionality. Again, this can lead to life-threatening implications for patients. 

Threats to patients aren’t the only issue in IoT cybersecurity. Shadow IT is an issue for administrators who must protect infrastructure from attackers. Medical IoT devices connect to the cloud, but first they must obtain an IP on the network and access local resources. Attackers that gain access to the device can laterally move across the network and potentially escalate privileges to other resources. In a sophisticated attack, cyber-criminals could obtain root or administrative access to the network to compromise additional infrastructure.

Ways to Protect IoT Devices

Compliance requires device manufacturers and healthcare practitioners to take reasonable precautions that protect patient data. Reasonable protection can be done in a number of ways, but here are a few practical ways medical devices can be protected:

1. Access Control: Placing controls on devices is the responsibility of the developers, but healthcare professionals who use the devices must configure them correctly. The device should take measures to require credentials to access patient data, especially if it’s transferred to the cloud. Administrators should take precautions to authorize specific devices before they can connect to the local network, which blocks shadow IT issues that could potentially affect infrastructure.
2. Encryption: Initially, encryption wasn’t even used for IoT, and it’s been the centre of debate for years. By nature of their small, lightweight computing power, any device programming overhead should be carefully considered due to limited resources, but encryption is necessary when transferring data to the cloud. For extremely sensitive data, local storage should also use cryptographically secure encryption to protect from data breaches after physical theft.
3. Hardware security assistance: Most users don’t have the training necessary to properly configure security controls. Hardware security assistance helps users configure their device. An assistance program shows users how to safeguard their data, apply the right access controls, and determine where to safely store data.
4. Physical security: For home users with medical devices, one strategy is to create a separate network segment where IoT devices connect. In a healthcare setting, administrators should store sensitive data such as images and patient vital information on a separate network segment. Should an attacker gain access to one network segment, they still can’t access other segments of the network provided it’s properly configured.
5. Patch devices: Patching is essential to protect devices from the latest vulnerabilities. Administrators often put patching on hold until a scheduled date, which leaves the system vulnerable to exploits and puts devices out of compliance.

Timely Patching to Stay Compliant

Without a patching strategy, devices are not properly secured and open to publicly known vulnerabilities, especially if patching is delayed for a scheduled date. For administrators with hundreds of devices connected to the network, patching must be automated and timely. Rebootless live patching keeps the organization FDA compliant while still maintaining uptime on critical medical devices.

You can follow all best practices for IoT security, but you still need a way to patch the system. If users can take the device home, then any on-premise security will not apply once the user connects it to their home network. Manufacturers can ensure that devices are protected by implementing a live patching solution.

Finally, ensuring that IoT devices stay patched with the latest security updates isn’t just for FDA compliance. Several other regulatory standards require patching systems to stay compliant including HIPAA, PCI-DSS, SOX, SOC-2, FedRAMP and various others. 

Conclusion

Keeping medical IoT devices compliant takes several strategies, but live patching with KernelCare takes away much of the overhead with other patching automation systems. It supports several Linux distributions including Raspberry Pi, Yocto, Ubuntu and AWS and several others, and supports ARM Neoverse, ARM SecurCore, AWS Graviton2, and NXP chipsets. Although live patching isn’t the only security tool that should be used to protect medical devices, it can stop exploits and vulnerabilities that affect unpatched Linux systems.