
CNCERT: Medical Device Industry Cybersecurity Analysis Report

1. Medical devices face major cybersecurity risks

In recent years, with the continuous advancement of the national precision medicine strategy, medical devices have moved from closed and bulky to open and mobile, and intelligent, cloud-connected medical devices have become the direction of future development. However, with the rapid growth of smart wearable devices and big-data medicine, the cybersecurity threats faced by medical devices are also increasing day by day.

Viewed as an information entity, a medical device comprises two parts: the field equipment and the medical information system. The field equipment ranges from wearable devices such as insulin pumps to large devices such as MRI machines. The medical information system includes not only the device control and device management systems deployed in the hospital, but also the device data acquisition and monitoring systems deployed in the cloud.

Because medical devices were long used in closed, simple application scenarios, product design emphasized the functionality and usability of the device and did not take security into account. Security vulnerabilities are widespread, upgrades are difficult, and communication protocols lack encryption and authentication mechanisms, among other risks. Attackers can exploit these weaknesses to attack medical devices, with serious consequences such as medical data leakage, medical malpractice and even the paralysis of hospital functions.

1.1 The risk of medical data leakage is prominent

Globally, cybersecurity threats to medical data are becoming more severe. Because of the high value of the data, and because security and risk management measures lag behind, medical data has become a favorite target for theft. In recent years, electronic medical records, IoT devices and cloud services have been vigorously developed in the medical field. Medical data that originally lived on the hospital intranet has tended to move to the cloud, but most medical systems and software were not designed from the outset with full consideration of the security issues that future interconnection would bring, leaving them extremely vulnerable to attack.

According to Bitglass, the number of healthcare data breaches in the U.S. grew by double digits in 2020: breaches increased by more than 55% compared to 2019, to 599 breaches affecting more than 26.4 million people. The average cost per breached record rose from $429 to $499, and healthcare organizations suffered $13.2 billion in losses.

In April 2020, according to foreign media reports, hackers were selling experimental data and source code from Huiying Medical Technology Company, which relies on advanced AI technology to assist in novel coronavirus detection. The seller's post claimed to have obtained the code of the COVID-19 detection technology as well as data from COVID-19 experiments, for a price of 4 bitcoins. The data offered mainly included 1.5 MB of user data, 1 GB of technical content and detection-technology source code, and 150 MB of novel coronavirus laboratory results.

1.2 The results of medical device security evaluation are not encouraging

Referring to the “Guiding Principles for Technical Review of Medical Device Network Security Registration” and the requirements of industry cybersecurity standards, the National Internet Emergency Technology Handling Coordination Center carried out a security evaluation of 19 types of equipment (medical diagnostic X-ray imaging equipment, monitoring equipment, and physical therapy and rehabilitation equipment) produced by 10 well-known domestic and foreign medical device manufacturers. The evaluation items mainly covered confidentiality, integrity, availability and security audit. The evaluation found that every category of equipment has potential security weaknesses; the results are shown in Figure 1.

Figure 1 Medical device safety assessment results

For confidentiality, the test items included storage confidentiality, transmission confidentiality and protection of patient privacy data. 15 of the evaluated devices do not encrypt the health data held on the medical device workstation, and only some manufacturers use AES-256 or similar algorithms to encrypt user configuration and other information. The evaluated devices use node authentication or a whitelist mechanism, but 11 of them do not use an encrypted network protocol to transmit data. All evaluated devices support anonymization of exportable health data.

For integrity, testing focused on identity authentication. All devices implement user authentication based on operating system passwords; 15 of them provide manual locking and automatic logout after a period of inactivity.

For availability, the test items included whether authorized users can access data normally and whether health data can be archived. All devices give authorized users normal access to data. 11 models provide a health data archiving function, but they neither encrypt the archived data nor implement a corresponding anti-tampering mechanism.

For security audit, the test items mainly included non-repudiation, verifiability and audit control. 10 devices did not adopt sufficiently effective mechanisms to achieve non-repudiation of health data, and their audit log records could be modified. In addition, the audit logs are not detailed enough and lack key information.

Additional tests covered physical protection and system hardening. Except for 5 devices, all manufacturers protect workstation data by fitting physical locks. Except for one device, all devices provide some degree of system hardening, such as a firewall, closed ports and disabled shortcut keys.
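Two of the controls the evaluation above checks for, the anonymization of exportable health data and an audit log whose records cannot be silently modified, are small enough to show in working code. The following is an added example written for this page, not code from the CNCERT evaluation or from any of the evaluated manufacturers; the field names, keys and sample records are constructed for the demo, and the anonymization scheme (a keyed HMAC pseudonym in place of the patient ID) is one of several the guidelines would accept.

```python
"""Added example, not part of the CNCERT report: two of the controls the
evaluation above looks for, implemented in miniature with the standard library.

1. Anonymization of exportable health data: the patient identifier is replaced
   by a keyed pseudonym (HMAC-SHA256) so exported records can still be linked
   per patient without revealing the original ID, and name-type fields are dropped.
2. A tamper-evident audit log: each record carries an HMAC over its own content
   and the previous record's tag, so editing, reordering or deleting an earlier
   record breaks the chain and is detected on verification.

Keys, field names and sample records are constructed for the demo only.
"""
import hashlib
import hmac
import json

# Demo keys: a real workstation would load these from a key store, never from source.
PSEUDONYM_KEY = b"demo-pseudonym-key"
AUDIT_KEY = b"demo-audit-key"

DROP_FIELDS = ("name", "id_number")      # direct identifiers removed from exports
PSEUDONYM_FIELD = "patient_id"           # identifier replaced by a keyed pseudonym
GENESIS_TAG = "0" * 64                   # "previous tag" of the very first log entry


def pseudonymize_record(record, key=PSEUDONYM_KEY):
    """Return an export copy of a workstation record with direct identifiers removed
    and the patient ID replaced by a stable keyed pseudonym."""
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    if PSEUDONYM_FIELD in out:
        tag = hmac.new(key, str(out[PSEUDONYM_FIELD]).encode(), hashlib.sha256).hexdigest()
        out[PSEUDONYM_FIELD] = "PSEUDO-" + tag[:16]
    return out


def _canonical(obj):
    """Deterministic JSON encoding so the HMAC does not depend on dict ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _entry_tag(seq, event, prev_tag, key):
    return hmac.new(key, _canonical({"seq": seq, "event": event, "prev": prev_tag}),
                    hashlib.sha256).hexdigest()


def append_audit(log, event, key=AUDIT_KEY):
    """Append an audit event; its tag covers the sequence number, the event and the
    previous entry's tag, chaining every record to all records before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log)
    entry = {"seq": seq, "event": event, "prev": prev_tag,
             "tag": _entry_tag(seq, event, prev_tag, key)}
    log.append(entry)
    return entry


def verify_audit(log, key=AUDIT_KEY):
    """Recompute the chain from the start. Returns (True, -1) if intact, otherwise
    (False, index) of the first entry whose content, order or tag does not match."""
    prev_tag = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _entry_tag(i, entry["event"], prev_tag, key)
        if (entry["seq"] != i or entry["prev"] != prev_tag
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev_tag = entry["tag"]
    return True, -1


def demo():
    """Constructed walk-through: export two records, log the actions, then show
    that a later edit of the log is detected."""
    records = [  # constructed sample workstation data
        {"patient_id": "P-1001", "name": "Patient A", "id_number": "110101XXXX", "heart_rate": 72},
        {"patient_id": "P-1002", "name": "Patient B", "id_number": "110102XXXX", "heart_rate": 95},
    ]
    export = [pseudonymize_record(r) for r in records]
    log = []
    append_audit(log, {"user": "tech01", "action": "export", "records": len(export)})
    append_audit(log, {"user": "tech01", "action": "archive", "file": "export-001.json"})
    intact = verify_audit(log)
    log[0]["event"]["action"] = "view"   # an operator rewrites history to hide the export
    tampered = verify_audit(log)
    return {"export": export, "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

One caveat a practitioner will notice: a hash chain detects edits, reordering and deletion of earlier entries, but not truncation of the newest entries, since the chain is still valid up to the cut. To cover that, the latest tag (or the entry count) has to be recorded somewhere the workstation operator cannot change, for example forwarded to a central log server, which is also what makes the non-repudiation the evaluation asks for hold against the device's own administrators.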

1.3 The risk of hospital paralysis cannot be ignored

The Hospital Information System (HIS) is a complex information platform on which management information systems, clinical information systems (CIS) and advanced application systems run. The management information system serves hospital administration, including registration, charging, pharmacy, hospitalization, medical records and other functions. The clinical information system (CIS) supports the clinical process, including outpatient service, inspection reports, doctor's order processing, imaging diagnosis and medical device operation. Advanced application systems include the picture archiving and communication system (PACS) for real-time transmission and query of medical images, the patient medical record system (CPR) and other important support systems.

The clinical process is highly dependent on these information systems. If they are attacked, hospital functions can be partially or completely paralyzed, resulting in serious incidents that affect public safety and social stability. Hospital information systems face two main cyber-attack threats: malicious code infection and ransomware attacks.

1.3.1 Malicious code infections keep emerging

Many hospital information systems and medical equipment consoles run old Windows versions such as Windows 2000 or Windows XP. Vendors generally no longer provide security updates or operating system upgrades, and hospitals have little incentive to upgrade. Moreover, hospital information system maintenance departments lack enough cybersecurity experts to effectively prevent and handle malicious code outbreaks.

During the COVID-19 outbreak in 2020, the medical system faced unprecedented challenges. Network communications of hospitals at all levels across the country were on high alert, with a sharp increase in both traffic and cyber attacks. During this period, the National Internet Emergency Technology Handling Coordination Center observed that a tertiary hospital in Beijing was continuously attacked through vulnerabilities in its information system, and some servers were implanted with Trojan horse programs. The sample was named “XX Diagnosed Novel Pneumonia Virus”. The attacker implants the Trojan by inducing the victim to click on the sample. Once implanted, the controlled machine uses the EternalBlue vulnerability to scan a specified IP segment, and any vulnerable intranet machine it finds is implanted in turn, spreading the sample further. The hospital thus faced serious cybersecurity risks.
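The spreading behaviour described above, an infected machine sweeping an IP segment for SMB on TCP/445, is visible to defenders in flow or firewall logs long before the next host is compromised: one internal source contacts many distinct internal destinations on port 445 within a short window, which normal workstation traffic (a handful of file servers) does not do. The detector below is an added example for this page, not a CNCERT tool or anything from the incident; the log format, the sample flows and the threshold are constructed for the demo.

```python
"""Added example, not part of the CNCERT report: a small detector for the
lateral-scanning behaviour described above. A machine scanning an IP segment
for the SMB vulnerability shows up in flow or firewall logs as one internal
source contacting many distinct internal destinations on TCP/445 within a
short window. The log format, sample records and threshold are constructed
for this demo; adapt parse_flows() to your own flow-log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress


def build_sample_flows():
    """Constructed sample flow records (not real traffic): one infected host
    sweeping a /24, one normal SMB client, one backup server, one web flow."""
    base = datetime(2020, 3, 5, 9, 0, 0)
    lines = []
    # Infected workstation sweeping 10.20.3.1-10.20.3.40 on TCP/445 over 40 seconds
    for i in range(1, 41):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.20.1.15 10.20.3.{i} 445 tcp")
    # Normal client talking repeatedly to a single file server
    for i in range(50):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.20.1.30 10.20.3.8 445 tcp")
    # Backup server touching a handful of hosts
    for i in range(1, 6):
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.20.1.50 10.20.4.{i} 445 tcp")
    # Unrelated outbound HTTPS traffic from the infected host (ignored by the detector)
    lines.append(f"{base.isoformat()} 10.20.1.15 93.184.216.34 443 tcp")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dst_port proto' lines into tuples; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
            port = int(parts[3])
        except ValueError:
            continue
        flows.append((ts, src, dst, port, parts[4].lower()))
    return flows


def detect_smb_scanners(flows, threshold=20, window=timedelta(seconds=60)):
    """Return {source_ip: peak number of distinct internal TCP/445 targets seen
    within any sliding `window`} for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, port, proto in flows:
        if port == 445 and proto == "tcp" and dst.is_private:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        active = defaultdict(int)   # distinct targets currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            active[dst] += 1
            # Slide the left edge forward until every event is within `window` of `ts`
            while ts - events[left][0] > window:
                old = events[left][1]
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                left += 1
            peak = max(peak, len(active))
        if peak >= threshold:
            alerts[str(src)] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in detect_smb_scanners(parse_flows(build_sample_flows())).items():
        print(f"ALERT: {src} contacted {peak} distinct internal hosts on TCP/445 within 60 s")
```

The threshold has to be tuned per network: legitimate vulnerability scanners, backup servers and management consoles also fan out on TCP/445 and belong on an allowlist, while a threshold of 20 distinct targets in a minute is far above what an ordinary workstation or console reaches. Pairing the alert with an inventory of hosts still running Windows 2000 or XP (which cannot receive the SMB patch) tells the responder which destinations in the swept range need to be isolated first.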

1.3.2 Ransomware attacks are intensifying

Concerns about the paralysis of hospital functions are not unfounded. These information systems were not designed with network attacks in mind; their security relies mainly on intranet isolation. However, as Internet-based medical care advances, these systems are being exposed to the Internet and face more and more cyber-attack threats. Ransomware attacks, in which hackers take control of hospital information systems through security vulnerabilities and then demand a ransom from the hospital, are becoming a major security hazard.

Hackensack Meridian Health, the largest medical institution in New Jersey, USA, suffered a network intrusion at the end of 2019 that infected a number of computers with ransomware. With the systems paralyzed, medical staff could only work without the assistance of any computer equipment, and some operations were postponed. To regain control of its systems, the hospital had to pay the hackers a ransom to unlock the files.

2. Cybersecurity work in the medical device industry should be accelerated

Faced with the current state of medical device cybersecurity, China has issued the “Guidelines for Technical Review of Medical Device Cybersecurity Registration” and is accelerating work on cybersecurity assurance across the entire life cycle of medical devices. Cybersecurity must be considered at every stage. Specific recommendations are as follows:

2.1 Strengthen top-level design and promote the construction of regulations and standards

In view of the outstanding problems of medical device network and data security, the establishment of regulations and standards for medical device cybersecurity should be actively promoted. Centered on the “Network Security Law”, “Data Security Law” and “Personal Information Protection Law”, a medical device cybersecurity management system should be established quickly, with special regulations and national standards developed in parallel.

Effectively strengthen the protection of network data and user information: strengthen protection policies for data resources during collection, storage, transmission, application and sharing, and implement the legal requirements that personal information and important data be stored domestically and that security assessments be carried out before such data is provided abroad. Strengthen the protection of users' personal information to effectively reduce its leakage, damage and illegal use.

2.2 Actively promote medical device network security testing and certification

Accelerate the implementation of the “Guiding Principles for Technical Review of Medical Device Cybersecurity Registration”, establish detailed and operable testing standards for the three information entities of medical equipment, supporting software and remote data collection servers, and entrust professionally qualified institutions to conduct equipment testing before medical device listing approval.

2.3 Establish a personnel training system and cultivate a team of medical device network security talents

Pay attention to the training of on-the-job personnel, and form a training model that lets medical device practitioners update their cybersecurity knowledge and continuously improve their capabilities. Regularly organize cybersecurity training to raise the overall security awareness and technical level of government staff, hospital leaders at all levels, IT engineers and medical device engineers.
