Cybersecurity has been on the minds of health care executives for some time now. However, news that security vulnerabilities were found in Becton Dickinson and Co.'s (BD) Alaris Tiva syringe pump and the Capsule datacaptor terminal server (DTS) from Qualcomm Life Inc. has again put cybersecurity in the spotlight. That is where Cybermdx can help.
The New York-based company offers a solution that provides visibility and risk management, along with threat prevention and detection functionality for medical devices and other Internet of medical things. The timing is critical as the world becomes increasingly connected and digitization rises. Hospitals are realizing that off-the-shelf solutions and anti-virus software may not be enough.
"Cybermdx brings together digital health, medical devices and cybersecurity into a solution that addresses a unique challenge hospitals face today by protecting their connected medical devices," Amir Magner, CEO and co-founder of the company, told BioWorld MedTech earlier this summer. At the time, the company just had reported a $10 million series A financing in a round led by Pitango Venture Capital, with participation from Ourcrowd Qure. The company noted that the funds were earmarked for growth and expansion. (See BioWorld MedTech, July 18, 2018.)
"We have customers who are health care providers, and in addition to supplying them our security solution, we choose several specific medical devices and have our own deeper research," explained Elad Luz, head of research at Cybermdx, to BioWorld MedTech. To that end, the company has a dedicated team that does security research. "We truly believe we can make positive change in the cybersecurity of health care. That's the differentiator here," he added.
The Cybermdx research team discovered the vulnerabilities in the BD and Qualcomm products and alerted the vendors. The threats were disclosed in Industrial Control Systems Computer Emergency Response Teams (ICS-CERT) advisories. Specifically, the team discovered that a malicious actor can gain access to a hospital's network, and if the BD Alaris Tiva syringe pump with software version 2.3.6 or below is connected to a terminal server, the attacker can perform hacks without any prior knowledge of IP addresses or location of the pump. The affected pumps are sold and used outside the U.S.
The DTS is a medical gateway device used by hospitals to connect their medical devices to the network. The gateway is used to connect bedside devices such as monitors, respirators, anesthesia and infusion pumps. The Cybermdx research team found that interacting with the web management interface using the "Misfortune Cookie" vulnerability, which has been publicly known for four years, resulted in an arbitrary write to the device's memory. Successful exploitation could permit an attacker to execute unauthorized code to obtain administrator-level privileges on the device. The Allegro Rompager embedded web server versions 4.01 through 4.34, included in Capsule DTS, were all affected. Cybermdx has advised users to update the DTS devices immediately to their latest firmware version.
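The two affected version ranges reported above can be checked against a hospital's own device inventory. The following Python sketch is an added example, not code from Cybermdx or either vendor; the inventory schema, host names and the `RomPager/x.yy` server banner shape are assumptions, and the sample records are constructed.

```python
import re

# Affected ranges as stated in the article.
ROMPAGER_AFFECTED = ((4, 1), (4, 34))   # Rompager 4.01 through 4.34
ALARIS_TIVA_MAX = (2, 3, 6)             # Alaris Tiva software 2.3.6 or below

# Assumed banner shape, e.g. "RomPager/4.07 UPnP/1.0".
ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)

def parse_version(text):
    """Return a tuple of ints for a dotted version, or None if malformed."""
    if not text or not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(p) for p in text.strip().split("."))

def triage(record):
    """Return findings for one inventory record (hypothetical schema)."""
    findings = []
    m = ROMPAGER_RE.search(record.get("http_server") or "")
    if m:
        ver = (int(m.group(1)), int(m.group(2)))
        lo, hi = ROMPAGER_AFFECTED
        if lo <= ver <= hi:
            findings.append("rompager-affected")
    if "alaris tiva" in (record.get("model") or "").lower():
        ver = parse_version(record.get("software"))
        if ver is None:
            findings.append("alaris-version-unknown")  # needs a manual check
        elif ver <= ALARIS_TIVA_MAX:
            findings.append("alaris-tiva-affected")
    return findings

def report(inventory):
    """Map host -> findings, keeping only hosts with at least one finding."""
    results = {r["host"]: triage(r) for r in inventory}
    return {host: f for host, f in results.items() if f}

# Constructed sample inventory; hosts and version values are illustrative only.
INVENTORY = [
    {"host": "dts-ward3", "model": "Capsule DTS", "http_server": "RomPager/4.07 UPnP/1.0"},
    {"host": "dts-icu", "model": "Capsule DTS", "http_server": "RomPager/4.51 UPnP/1.0"},
    {"host": "pump-07", "model": "BD Alaris TIVA", "software": "2.3.6"},
    {"host": "pump-12", "model": "BD Alaris TIVA", "software": "2.4.0"},
    {"host": "pump-19", "model": "BD Alaris TIVA", "software": "n/a"},
]

if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        print(host, ", ".join(findings))
```

Records with an unreadable pump version are flagged separately rather than treated as unaffected, so they are not silently dropped from follow-up.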
"Both vendors that we contacted for those vulnerabilities responded quickly and professionally," Luz said, adding that their follow-up actions represented how companies should react to cyber challenges. "We worked closely with them and other relevant bodies for this advisory," he said. The FDA was informed and took part in handling the situation, specifically with BD, he added.
"These products are the weakest links in the critical networks. They're connected to the network, and they are a critical part of the workflow in the hospital. And yet they lack several very basic things in [terms] of security," responded Luz when asked about what advice he would give to hospitals on protecting their assets. In particular, they lack visibility, a fundamental aspect of security. "Most hospitals don't have visibility solutions for medical devices," Luz explained, adding that procedures for security engineers to locate and tag the hundreds of devices on the network are not sophisticated. "When they do try to locate them, they do it manually by a list of connected devices."
A second crucial step is that hospitals must conduct a risk assessment on all connected devices, as some may be more critical than others. He suggested that facilities could apply some microsegmentation based on device type and level of criticality.
A third aspect is detection. "When you have a medical device connected [to] your network, and it communicates, you need to have some tools that are able to detect if that communication is valid or not," he stressed. Many solutions can identify attacks on PCs or Windows, but may not be suitable for the health care industry. "In order to do that, you need to have an understanding of medical protocols, and you need to have something that understands the medical protocols inside your network and then can decide whether the current communication of the medical device is valid or not."
For its part, the FDA has looked to help health care facilities and device developers address cybersecurity challenges. In June 2013, the agency issued a safety communication in which it advised manufacturers and health care facilities to take steps to ensure that appropriate safeguards are in place to reduce the risk of device failure due to cyberattack.
In October 2014, the agency issued final guidance titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices. It advised manufacturers on cybersecurity management and information that should be included in a premarket submission.
In addition, in December 2016, the FDA issued final guidance titled Postmarket Management of Cybersecurity in Medical Devices. The document provided FDA recommendations for structured and comprehensive management of postmarket cybersecurity vulnerabilities for devices throughout the product life cycle.