Read the book Do No Harm - Matthew Webster - Page 41

Current IoMT Challenges


A few might argue that recent legislation may have solved the problems related to vulnerabilities found within connected medical devices. While improvements have been made, there are still enormous challenges related to securing these devices. Legacy systems pose tremendous risks for organizations. With IoMT devices providing more value, especially in the time of COVID-19, the problems are only going to grow over time.


Figure 2-1: The interconnection of IoMT technologies

On January 23, 2020, the FDA released a warning on GE Healthcare's Central Stations and Telemetry Servers, essentially medical equipment that monitors patients.39 Just the day before, on January 22, 2020, GE had posted a much broader list of affected devices. They listed six vulnerabilities that can allow an attacker to:

“Make changes at the operating system level of the device with effects such as rendering the device unusable, otherwise interfere with the function of the device, and/or

Make certain changes to alarm settings on connected patient monitors, and/or

Utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could result in missed or unnecessary alarms or silencing of some alarms.” 40

In this case, machines used to monitor blood pressure, heart rate, temperature, and patient status had a flaw that could allow a person to tamper with them and interfere with their standard operation. Examples include, but are not limited to, creating false alarms and silencing alarms.

At the time of this writing, in 2020 alone, GE has had eight critical vulnerabilities released. These are easy to find on their website, so I will not list each one. I could also look at a host of other competitors and show the disclosures they have on their websites. The reality is that vulnerabilities are part and parcel of any type of system that has a programming component. If we expand the search beyond internet-connected devices into the realm of devices in general, the problem is even greater. Connected medical devices simply have extra considerations because they can be accessed remotely as part of a greater ecosystem, whereas before they were a disconnected box.

Some of this stems from the continuous software development process. IoMT manufacturers are continually making improvements and upgrades to their devices—even adding new features. If a device is certified at a specific point in time, even if it is perfectly secure, there is no guarantee that the device will be secure after one or more updates. Over a few years the original software can vary greatly—especially if you consider a life span that may be up to 15 years.

Another reality facing manufacturers is stiff competition. The timing of the release of a device (often any product) is absolutely critical. Security is a known way of slowing down the release of a product because it takes time and money to make sure that things are evaluated in a mature way, not to mention the time needed to remediate any findings that security assessments may produce. If you are a CEO weighing the pains of the market against the pains around a device, sometimes a cost-benefit analysis means things may not be perfect, especially if patches can fix the problems later. From an advertising perspective, sometimes the negative press is even seen as a positive, especially for non-life-critical systems.

