Until very recently, firmware was a rarely discussed security issue. Today, firmware is among the most heavily targeted areas within devices by nation states and other well-funded threat actors.
According to the 2023 State of Cybersecurity for Medical Devices and Healthcare Systems report, compiled by the Health Information Sharing and Analysis Center, as well as cybersecurity vendors Securin and Finite State, vulnerabilities within medical devices, including the firmware within these devices, have increased considerably.
"Our research unveils a disturbing year-over-year increase in firmware vulnerabilities within connected medical products and devices, underscoring an urgent need for robust software supply chain security," said Larry Pesce, director of product security research and analysis at Finite State in a statement.
Firmware attacks can be carried out by exploiting vulnerabilities in the firmware code, much in the same way software flaws are exploited. However, because firmware typically resides under the operating system, it's not monitored as closely, if at all. These types of flaws can enable attackers to gain control of the device.
Once firmware is compromised in such ways, it can be difficult to detect and remove the malicious code. Firmware, a type of software that is embedded in hardware devices and is responsible for controlling the device's functionality by interacting with the hardware and operating system, is also not typically updated as frequently as other software components.
Additionally, firmware attacks can be used to gain persistent access to a device, even after the device has been rebooted or reset. This can allow attackers to maintain a foothold in a target network and continue to carry out malicious activities over an extended period of time.
While issuing software patches can be a challenge in traditional software and systems, there are additional hurdles when it comes to securing firmware within healthcare organizations.
“Many of these devices are not easily accessible,” says Christopher Gates, director of product security at Velentium. “Not only are these devices spread about the health delivery organization, but they are not always easily accessible by the IT staff,” he says.
That raises serious issues with healthcare delivery operations and patient safety. Such issues can be mitigated by following a few good practices.
Securing firmware on connected medical devices is crucial to prevent cyberattacks and ensure the safety and reliability of the devices. Here are some best practices experts advise:
Prioritize purchasing devices from manufacturers that take secure design seriously: Healthcare delivery organizations need to vet, as much as they can, the connected medical devices they purchase to ensure the devices are designed to be secure and can be effectively managed. For firmware, that includes secure boot, secure firmware update mechanisms, and secure communication protocols. Healthcare delivery organizations must adopt a "secure by design" mindset that anticipates and mitigates potential risks throughout the connected medical device lifecycle.
Configure medical devices to be secure: Should firmware, or any other aspect of the device, be compromised, having configured the device with granular permission levels for data and device controls will reduce risk. Healthcare organizations should also take care to turn off unnecessary device services, turn on encryption, and maintain good device security and event logs.
Maintain firmware updates: To mitigate firmware risks, it's essential that firmware be readily updateable. For connected medical devices, that typically means over-the-air firmware updates should be turned on so that medical devices can be regularly updated.
“When it comes to updating healthcare devices, challenges include compatibility issues, device downtime, and potential disruptions to patient care. To overcome these challenges, it is crucial to establish a robust change management process that includes thorough testing and validation of firmware updates before deployment,” says Harman Singh, director at cybersecurity services firm Cyphere.
Collaboration between healthcare providers, device manufacturers, and IT teams can also play an important role in ensuring a smooth and efficient update process.
Firmware update failure detection and remediation: Healthcare delivery organizations need a way to identify when attempted firmware updates fail and to confirm the subsequent attempt was successful.
Sheikh advises healthcare delivery organizations to look for ways to mitigate the risks of devices that can't have the firmware updated but must remain connected. One such way is to restrict network traffic to the device through network or firewall configurations; another is to isolate the device from the rest of the network until the patch can be applied properly.
Device discovery: Use an inventory manager to discover, monitor, and manage connected medical devices. “Healthcare providers can track the status of firmware versions in their devices through a centralized inventory management system. This system enables them to monitor and keep a record of the firmware versions installed on each device,” says Singh.
Device monitoring: Medical devices come with Manufacturer Disclosure Statements for Medical Device Security (MDS2) documentation. The MDS2 gives healthcare delivery organizations information on the security controls and features of the device. Devices should be monitored for any indication that they're behaving in a way that's unusual. “Regular scanning and assessment of devices can also help identify any outdated or vulnerable firmware,” adds Singh.
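The update-failure detection and firmware inventory checks described above can be combined in one audit pass over inventory and update records. This is an added example, not code from the article or from any vendor; the record fields, device names, and version numbers are constructed assumptions.

```python
from datetime import datetime

def parse_version(v):
    """Turn '2.10.3' into (2, 10, 3) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def audit_firmware(inventory, approved, attempts):
    """Return {device_id: [findings]} for devices that need follow-up."""
    # Keep only the most recent update attempt per device.
    latest = {}
    for a in sorted(attempts, key=lambda a: datetime.fromisoformat(a["time"])):
        latest[a["device"]] = a
    findings = {}
    for dev in inventory:
        issues = []
        installed = parse_version(dev["firmware"])
        # Inventory check: installed version is below the approved baseline.
        if installed < parse_version(approved[dev["model"]]):
            issues.append("outdated")
        last = latest.get(dev["id"])
        if last is not None:
            if last["status"] != "success":
                # Failure with no later successful retry.
                issues.append("update_failed_unresolved")
            elif installed != parse_version(last["target"]):
                # Update reported success, but the device reports another version.
                issues.append("update_unconfirmed")
        if issues:
            findings[dev["id"]] = issues
    return findings

# Constructed sample data (hypothetical devices, versions, and field names).
APPROVED = {"infusion-pump-x": "2.10.0", "monitor-y": "1.4.2"}
INVENTORY = [
    {"id": "pump-01", "model": "infusion-pump-x", "firmware": "2.9.4"},
    {"id": "pump-02", "model": "infusion-pump-x", "firmware": "2.10.0"},
    {"id": "mon-07", "model": "monitor-y", "firmware": "1.4.1"},
    {"id": "mon-08", "model": "monitor-y", "firmware": "1.4.2"},
]
ATTEMPTS = [
    {"device": "pump-01", "time": "2023-09-01T02:00:00", "target": "2.10.0", "status": "failed"},
    {"device": "pump-02", "time": "2023-09-01T02:00:00", "target": "2.10.0", "status": "failed"},
    {"device": "pump-02", "time": "2023-09-02T02:00:00", "target": "2.10.0", "status": "success"},
    {"device": "mon-07", "time": "2023-09-01T03:00:00", "target": "1.4.2", "status": "success"},
]

if __name__ == "__main__":
    for device, issues in audit_firmware(INVENTORY, APPROVED, ATTEMPTS).items():
        print(device, ", ".join(issues))
```

Devices flagged `update_failed_unresolved` that cannot be patched promptly are the candidates for the network restriction or isolation measures mentioned earlier.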
“I recommend healthcare providers to prioritize regular firmware updates, establish strong partnerships with device manufacturers, and invest in robust cybersecurity measures to protect their devices and patient data. By following these best practices, healthcare providers can enhance the security and resilience of their devices in the constantly evolving threat landscape,” says Singh.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.