December 11, 2020 - TuxCare expert team
Today, the security of medical devices is becoming extremely important to assure customers and patients who interact with your devices that their health and personal information are taken seriously. Globally, regulators are increasingly requiring and verifying that devices are as secure as possible both before and after product release. To continually address cybersecurity risks, keep patients safe, and better protect public health, medical device manufacturers must comply with federal regulations.
In the United States, the Food and Drug Administration (FDA) has published guidance outlining requirements for medical devices that govern many facets of device development and maintenance. Part of those regulations, the quality system regulations (QSRs), requires that medical device manufacturers address all risks, including cybersecurity risk. Medical device manufacturers can always update an individual medical device for cybersecurity, but this becomes a challenging task when it comes to millions of wearable devices. IoT devices running on the Linux kernel need their security to be watertight: all of them should be updatable, and, just as importantly, organizations need to be able to patch them as fast as possible.
IoT and other embedded Linux systems have their own unique cybersecurity challenges. The device is “always connected,” but there is no user interface that prompts users to download and install firmware updates and patches. It’s a struggle for manufacturers to continue patching their products after factory release, and this leaves medical devices open to the latest vulnerabilities. The FDA requires reasonable assurance that the benefits of medical devices to patients outweigh the risks, but unpatched devices fall out of compliance and don’t offer the protections necessary to safeguard patient data.
Just as with Linux servers, indiscriminately rebooting the device causes downtime and user interruptions. Unlike Linux servers, there is no user interface or prompt shown to the user, so patching must be automatic and done seamlessly without interruption. Medical devices can collect data continuously throughout the day, so choosing the right moment to apply an update is also essential for developers.
Unfinished downloads and partial updates are also an issue for device manufacturers. Any issue with patching could render the device unusable until it is factory reset. For healthcare professionals and patients, this can threaten the health of the user by missing essential vital signs or corrupting data.
Overall, cybersecurity of medical devices is a delicate process that must be completed within a reasonable time to stay compliant, yet performed without interruptions to the device’s service. Reboots can cause numerous issues such as data corruption, interruption to data collection, and incorrect vitals feedback. The rise of attacks on these systems makes them a target for cyber-criminals, so patching is essential to protect patients.
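The failure mode above (an interrupted download or half-applied update that leaves a device unusable) is what a verified A/B update with rollback is meant to guard against. The Python below is an added illustration, not TuxCare or KernelCare code; it assumes a device whose two firmware slots and boot pointer are plain files, and the image bytes and health check are constructed stand-ins.

```python
import hashlib
import os
import tempfile
# Constructed sample image standing in for a firmware/kernel update payload.
SAMPLE_IMAGE = b"firmware-v2: constructed sample image bytes\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()
def stage_image(payload: bytes, expected_sha256: str, slot_path: str) -> bool:
    """Verify the digest, then write the image into the slot atomically."""
    if hashlib.sha256(payload).hexdigest() != expected_sha256:
        return False                   # truncated or tampered: slot untouched
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(slot_path)))
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(payload)
            f.flush()
            os.fsync(f.fileno())       # data is on disk before the rename
        os.replace(tmp, slot_path)     # atomic rename on POSIX
        return True
    except OSError:
        if os.path.exists(tmp):
            os.unlink(tmp)
        return False
def set_pointer(path, slot):
    with open(path, "w") as f:
        f.write(slot)
def apply_update(payload, expected_sha256, slots, pointer_path, health_check):
    """A/B update: stage into the inactive slot, flip the boot pointer, roll back on a failed health check."""
    with open(pointer_path) as f:
        active = f.read().strip()
    inactive = "b" if active == "a" else "a"
    if not stage_image(payload, expected_sha256, slots[inactive]):
        return active                  # nothing changed on the device
    set_pointer(pointer_path, inactive)
    if health_check(slots[inactive]):
        return inactive
    set_pointer(pointer_path, active)  # roll back to the intact slot
    return active
def run_demo():
    """Interrupted download, image failing its health check, then a good image; returns the active slot after each."""
    d = tempfile.mkdtemp()             # scratch directory, constructed for the demo
    slots = {s: os.path.join(d, f"slot_{s}.img") for s in ("a", "b")}
    pointer = os.path.join(d, "boot_slot")
    stage_image(b"v1\n", hashlib.sha256(b"v1\n").hexdigest(), slots["a"])
    set_pointer(pointer, "a")
    cases = [("truncated", SAMPLE_IMAGE[:10], lambda p: True),
             ("bad_health", SAMPLE_IMAGE, lambda p: False),
             ("good", SAMPLE_IMAGE, lambda p: True)]
    return {n: apply_update(img, SAMPLE_SHA256, slots, pointer, hc) for n, img, hc in cases}
```

Only the third case moves the device to slot b; the truncated image and the image that fails its health check both leave the device booting the known-good slot.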
Even with reboot hurdles, it’s still imperative that developers patch IoT firmware. Unpatched medical devices can be vulnerable to numerous attacks, and IoT in the medical field has a much higher impact on consumer safety. With the right malware, a device can malfunction and provide incorrect information, putting a patient’s life at risk. Patient data can be collected and used in identity theft.
In addition to threats to patients, unpatched Linux systems pose a threat to the Internet at large. Malware such as Mirai gives cyber-criminals control of the device and uses it in a botnet to launch global distributed denial-of-service (DDoS) attacks. One of the biggest DDoS attacks, which took down DNS infrastructure at Dyn, used hacked IoT devices to interrupt service.
Most developers are familiar with ransomware, but IoT ransomware brings its own level of threats to consumers and infrastructure. Instead of holding data ransom, IoT ransomware gives cyber-criminals control over the targeted device. Attackers can turn off devices, stop production lines, and manipulate data. In a medical setting, this could mean manipulation of user information and lead to misdiagnosis and faulty functionality. Again, this can lead to life-threatening implications for patients.
Threats to patients aren’t the only issue in IoT cybersecurity. Shadow IT is an issue for administrators who must protect infrastructure from attackers. Medical IoT devices connect to the cloud, but first they must obtain an IP address on the network and access local resources. Attackers who gain access to the device can move laterally across the network and potentially escalate privileges to other resources. In a sophisticated attack, cyber-criminals could obtain root or administrative access to the network and compromise additional infrastructure.
Compliance requires device manufacturers and healthcare practitioners to take reasonable precautions that protect patient data. Reasonable protection can be done in a number of ways, but here are a few practical ways medical devices can be protected:
Without a patching strategy, devices are not properly secured and remain open to publicly known vulnerabilities, especially if patching is delayed until a scheduled maintenance date. For administrators with hundreds of devices connected to the network, patching must be automated and timely. Rebootless live patching keeps the organization FDA compliant while still maintaining uptime on critical medical devices.
You can follow all best practices for IoT security, but you still need a way to patch the system. If users can take the device home, then any on-premises security will not apply once the user connects it to their home network. Manufacturers can ensure that devices are protected by implementing a live patching solution.
Finally, ensuring that IoT devices stay patched with the latest security updates isn’t just for FDA compliance. Several other regulatory standards require systems to be patched to stay compliant, including HIPAA, PCI-DSS, SOX, SOC-2, FedRAMP, and various others.
Keeping medical IoT devices compliant takes several strategies, but live patching with KernelCare takes away much of the overhead of other patching automation systems. It supports several Linux distributions and platforms, including Raspberry Pi, Yocto, Ubuntu, AWS, and others, and supports ARM Neoverse, ARM SecurCore, AWS Graviton2, and NXP chipsets. Although live patching isn’t the only security tool that should be used to protect medical devices, it can stop exploits of vulnerabilities that affect unpatched Linux systems.