Why Do A Medical Device Assessment, Part 1: “It’s Not a Good Situation”

Device Assessment

Why Do A Medical Device Assessment, Part 1: “It’s Not a Good Situation”


Relevant to this series, Owl’s Device Inspection and Analysis Lab focuses on security analysis of all sorts of devices, ranging from laptops, servers, and mobile devices; to securing operating systems and system components; to mass storage devices and embedded systems.

I want to take you on a journey into a patient monitor, assessing it for potential compromise routes, cyber design, and remediation. The main goal is to show you our approach towards medical device assessment, and aspects of our process.

Keep in mind, this particular journey is not a deep dive into hardware inspection and analysis. The intention is not to thoroughly hack the device or to reveal anything to shame the manufacturer. Indeed, this is just a test machine we have, not related to any customer request. Also, if we had found any vulnerabilities, we would have spoken with the manufacturer first.

In summary, we are using this particular patient monitor as an example, to show you the things we do, to help explain what we offer in a device inspection.

I have broken out this journey into a series of posts. By the end of the series, we will have:

  • Assessed the current state of medical device cybersecurity
  • Explored the inside of a patient monitor
  • Laid out what takes place in a comprehensive device cybersecurity assessment
  • Considered the challenges in securing medical devices

Cybersecurity in Healthcare

In the past few years, there has been a significant increase in cyber-attacks on healthcare delivery organizations. Take a look at these recent stats from the U.S. Department of Health and Human Services (HHS):


from: Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients (PDF)

Healthcare related organizations not only face some of the highest rates of cyber-attack, but also represent some of the richest, most valuable, and least protected targets for bad actors.

In short, it’s not a good situation.

In response, healthcare specific guidelines have been published in the past year or so from the HHS, FDA, and others. As the HHS points out, of the top five threats to healthcare delivery orgs, medical device risk is number five.

Proliferating Medical Devices

The compounding issues with medical devices is that:

  1. They are now absolutely everywhere, and
  2. They are increasingly connected or have ways to digitally download or upload data (say via a USB stick)

This leads to increased risk, which can severely impact patient safety. This notion is reflected in reports from the field and from regulators that point to the challenges in securing medical devices. This is not just for new devices, but also for legacy devices.

For example last year, 11 vulnerabilities were found in a very popular embedded OS, affecting not just medical devices, but network hardware and spacecraft.

Why Do We Do These Inspections?

There are plenty of suggestions we can bring back to the manufacturer to improve security, but if a customer is evaluating potential purchase, we have to think a little more practically. There’s usually a way to secure a device without overly restricting the capabilities of the device. Say, one could segment them on their own network, isolate them with network hardware, or set up network filtering for content or protocols they might be allowed to receive or send.

Therefore, the most important reason to do a device analysis is to make sense of the device security profile. Once you understand how it works, you can better manage what you put onto your network and best identify and craft security risk controls.

A device analysis will also help you interpret things like the MDS2 (Manufacturers Disclosure Statement for Medical Device Security) and SBOM (Software Bill of Materials) and translate those into practical actions.

After our analysis we then compile a report with insights and recommendations for the client. In our report to customers of our device inspections, we’re not necessarily looking for flaws just to find flaws. The goal of the inspection, and what is part of the report, is to establish the risk protocol and come up with practical and actionable things our client can do to protect their devices, within the context of their network and their security goals.

What You’ve Been Waiting For

OK, enough of that, let’s see the guts of a medical device!

In our upcoming posts, we’ll talk more about our mindset when inspecting devices, and start the analysis of our target device.

See you then.

Medical Devices
Charlie Schick Healthcare Consultant

Addressing Medical Device Vulnerabilities

Medical Device Security All Day, Every Day While Owl does great work creating hardened network security devices, such as data diodes, and we’re even looking forward to miniature, embed...
March 5, 2020
Bioreactor Demo
Charlie Schick Pharma and Healthcare Consultant

Total Geekery: Data Diode Bioreactor Demo

This post will be on the light side, describing a demo I had fun making and about which my co-workers are tired of hearing me speak. Nonetheless, despite the geekiness of the demo, it was...
November 21, 2019
Charlie Schick Healthcare Consultant

Medical Device Cybersecurity: Risk, Patching & Plutonium

This February I was at HIMMS Global Conference and Exhibition, one of the largest healthcare IT conferences in the US. My focus there was to see the latest on cyber in healthcare, particu...
March 19, 2019