Hackers are opportunists. Not long after the first case of COVID-19, possibly as early as November 17, 2019, hackers, bad actors and cyberpunks sensed an opportunity. They could be heard echoing the battle cry to never let a crisis go to waste! Long before you heard of Coronavirus, there were plans being formulated to leverage the FUD (Fear, Uncertainty and Doubt) that would inevitably follow. Since the initial outbreaks of COVID-19 in January 2020 over 16,000 new coronavirus-related domains have been registered, about 10 times the average number of new domains over the same time period pre-coronavirus. No doubt, some percentage of these domains have been registered for legitimate business activity, but close to 20% were already deemed to be suspicious or malicious. 1 In this article, we will take a look at COVID-19 impact on the healthcare industry.
Given the general increase in nefarious activity, and the fact that the healthcare industry is currently distracted with this COVID-19 global pandemic, it’s not surprising that hospitals are seeing more suspicious activity, such as phishing emails. By leveraging the urge to act quickly, particularly during a crisis, hackers are counting on human mistakes to enable the spread of misinformation or for a foothold on the hospital network through the inadvertent downloading of malware. Once lodged inside the hospital network, malware can quickly spread, either through additional responses to the phishing attempts or through self-propagation, without additional human interaction.
One of the best defenses against the onslaught of security attacks is system patching. Unfortunately, the lack of system patching, has been implicated in some of the largest data breaches ever recorded. But, to be fair, system patching is difficult to keep up with. Software developers like Microsoft, release software patches in a steady torrent, and IT resources are stretched to stay current. This means that some systems won’t get patched immediately, and some don’t get patched at all. In most healthcare industry, IT staff are at capacity during normal operations, and during a crisis like COVID-19 are dangerously overburdened. Worse than the lack of bandwidth, however, is the lack of visibility.
Medical devices deployed in hospitals are black boxes. In other words, the devices are closed and, for the most part, can’t be modified by the end user. This is for good reason, given the obvious patient safety concerns and regulations. The problem with a closed system that is running software from various manufacturers is that vulnerabilities in any of the installed software components are not easily identified. If you don’t know what software you’re running, you don’t know if you’re vulnerable.
The good news is that this lack of visibility is changing. FDA is working on an update to their Premarket guidance (Content of Premarket Submissions for Management of Cybersecurity in Medical Devices – Docket Number – FDA-2018-D-3443), which introduces the concept of a medical device bill of materials. FDA refers to this security document as Cybersecurity Bill of Materials (CBOM), however, the nomenclature is currently shifting to SBOM (Software Bill of Materials) as FDA, and others, have de-prioritized device hardware components in favor of a focus on the software components.
For the most part, the SBOM is being widely accepted as a good step forward for medical device cybersecurity but will require medical device manufacturers to apply resources to generate and maintain. In addition, the continuous monitoring of vulnerabilities in installed software components, especially for a device manufacturer with multiple products and multiple versions of each, can be challenging.
Nonetheless, an updated SBOM enables medical device manufacturers to take a more proactive approach to security patches. By tracking and monitoring the installed software components and associated vulnerabilities, device manufacturers can more quickly prioritize patches and updates. Quicker identification leads to quicker remediation supporting improved release cycles. Automated SBOM solutions enable these more efficient software development lifecycles, which support stronger security profiles of deployed medical devices at hospitals.
In crisis situations, like we are all facing now with COVID-19, having a solid cybersecurity risk mitigation plan, including automated generation, maintenance and sharing of SBOMs, provides much needed peace of mind. So, instead of worrying about the security of their hospital’s medical devices, those on the front lines can focus their energy on treating patients.
CEO, Vigilant Ops
Former Head of Medical Device Cybersecurity, Bayer
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.