Our Response to FBI Warnings of Unpatched and Vulnerable Medical Devices

FBI PIN (Private Industry Notification) calls for integrity verification protection for IoMT.

DAVE STUART

November 8, 2022

The recently released FBI Private Industry Notification (PIN # 20220912-001) addresses cybersecurity threats to IoMT devices, and ultimately to patient safety, arising from antiquated (or completely absent) security controls on those devices.

The paper, entitled “Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities”, cites three statistics that spotlight the challenge facing medical device manufacturers (MDMs) and healthcare security operators:

  • 53% of connected medical devices and other internet of medical things (IoMT) devices in hospitals had known critical vulnerabilities.
  • 33% of healthcare IoT devices have an identified critical risk potentially implicating technical operation and functions of medical devices.
  • 40% of medical devices at the end-of-life stage offer little to no security patches or upgrades.

To mitigate these risks the FBI makes recommendations in four primary areas: Endpoint Protection, Identity and Access Management, Asset Management, and Vulnerability Management. Below I'll discuss how Sternum addresses each of these recommendations. The PIN also makes Training recommendations, which are not discussed here.

Specific Recommendation for Integrity Verification Solution

The very first recommendation the FBI makes is to provide “...integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network.” They also recommend, where the device can support it, to “Utilize endpoint detection and response (EDR) and eXtended Detection and Response (XDR) solutions...”. The problem is that, given their longevity and constrained hardware, few IoMT devices can support these newer technologies.

Sternum’s patented EIV™ (Embedded Integrity Verification) solution provides agentless runtime protection for connected and isolated devices with just 1-3% overhead, essentially acting as an on-device, XDR-like solution for IoT that is built specifically on integrity verification technology.

This enables Sternum to address the core recommendation in the latest FBI paper and deliver continuous exploit prevention against both known and unknown vulnerabilities, hardening the device from within so it can repel attacks even when it is off the network. A byproduct is that it reduces the urgency of patching and the reliance on periodic scanning, which lowers cost for IoMT manufacturers; it complements, rather than replaces, applying vendor patches where they exist.
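The FBI recommendation quoted above is procedural: verify the device's integrity after it has been serviced and before it rejoins the network. The following is an added example of what such a pre-reconnection check looks like in code; it is not Sternum's EIV code. It assumes, hypothetically, that the manufacturer publishes a manifest of expected SHA-256 digests (one per firmware component, third-party libraries included) together with an HMAC-SHA256 tag over that manifest under a key the operator holds. A real deployment would use a public-key signature over the manifest instead; HMAC is used here only so the example runs on the standard library. The firmware blobs and key are constructed for the example.

```python
"""Pre-reconnection integrity check for a medical device's firmware image.

Added example, not Sternum's EIV code. Assumes (hypothetically) a
manufacturer-issued manifest of SHA-256 digests per component, tagged with
HMAC-SHA256 under MANUFACTURER_KEY. Stdlib only.
"""
import hashlib
import hmac
import json

# Constructed key and firmware blobs standing in for a real device image.
MANUFACTURER_KEY = b"example-manufacturer-key-not-for-production"
GOLDEN_BUILD = {
    "bootloader.bin": b"\x7fELF\x01\x01\x01" + b"boot" * 64,
    "app.bin": b"\x7fELF\x01\x01\x01" + b"app!" * 256,
    "libtls.so": b"\x7fELF\x01\x01\x01" + b"tls." * 128,   # third-party library
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(components: dict) -> bytes:
    # Stable serialization so the tag covers exactly what the verifier recomputes.
    return json.dumps(components, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(components: dict, key: bytes) -> dict:
    """Manufacturer side: digest every component and tag the manifest."""
    digests = {name: sha256_hex(blob) for name, blob in components.items()}
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"components": digests, "tag": tag}


def verify_before_reconnect(manifest: dict, on_device: dict, key: bytes) -> list:
    """Operator side: run after service, before the device rejoins the network.

    Returns a list of findings; an empty list means the image matches the
    manufacturer's manifest and the device may be reconnected.
    """
    expected_tag = hmac.new(key, _canonical(manifest["components"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        # A tampered manifest could "bless" a tampered image, so stop here.
        return ["manifest tag mismatch: manifest is untrusted, do not reconnect"]
    findings = []
    for name, expected in manifest["components"].items():
        blob = on_device.get(name)
        if blob is None:
            findings.append(f"{name}: listed in manifest but missing on device")
        elif not hmac.compare_digest(sha256_hex(blob), expected):
            findings.append(f"{name}: digest mismatch (modified during service?)")
    for name in on_device:
        if name not in manifest["components"]:
            findings.append(f"{name}: present on device but not in manifest")
    return findings


# Three constructed scenarios: untouched image, one library altered during
# service, and an extra binary left behind on the device.
MANIFEST = build_manifest(GOLDEN_BUILD, MANUFACTURER_KEY)

TAMPERED = dict(GOLDEN_BUILD)
TAMPERED["libtls.so"] = GOLDEN_BUILD["libtls.so"][:-1] + b"X"   # a single byte changed

EXTRA = dict(GOLDEN_BUILD)
EXTRA["diag_tool.bin"] = b"\x7fELF" + b"dbg!" * 32                  # technician's tool, not in the build

if __name__ == "__main__":
    for label, image in (("golden", GOLDEN_BUILD), ("tampered", TAMPERED), ("extra", EXTRA)):
        findings = verify_before_reconnect(MANIFEST, image, MANUFACTURER_KEY)
        print(label, "->", "OK to reconnect" if not findings else findings)
```

Two details matter in practice: the manifest's own authenticity is checked first, because an attacker who can modify a binary during service can usually modify an unsigned manifest beside it, and every component on the device is compared in both directions so that an added binary is reported, not just a modified one.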


Additional FBI Recommendations

The FBI paper details several other specific recommendations. Below I take each in turn and explain how Sternum addresses it:

Endpoint Protection


FBI Recommendation
“If supported by the medical device, use antivirus software on an endpoint. If not supported, providing integrity verification whenever the device is disconnected for service and before it is reconnected to the IT network.”

Sternum Response
Sternum delivers embedded integrity verification that provides runtime exploit prevention for both new and legacy devices. It is agentless technology that becomes part of the device build (firmware) to instrument binaries, including third-party libraries. The solution is self-correcting and provides continuous protection regardless of connection status (even on isolated devices!).


FBI Recommendation
“Encrypt medical device data while in transit and at rest.”

Sternum Response
All communication between devices and the Sternum Cloud is TLS-encrypted in transit, which protects both the confidentiality and the integrity of that channel. This addresses the in-transit half of the recommendation; encryption of data at rest on the device is not addressed by this response.


FBI Recommendation
“Utilize endpoint detection and response (EDR) and Extended Detection and Response (XDR) solutions, which provides visibility on medical devices and offers protection.”

Sternum Response
Sternum provides an EDR/XDR-like alternative purpose-built for IoT devices. Its patented lightweight, agentless design lets it run on low-resource IoT devices with low overhead. Sternum also provides deep device-level observability, including custom device-specific trace capability, across entire fleets.

Identity and Access Management


FBI Recommendation
“Ensure default passwords are changed to secure and complex passwords specific for each medical device. If supported by medical device, limit the number of login attempts per user.”

Sternum Response
Sternum alerts on excessive or brute-force login attempts. Sternum also detects unusual behavior and pattern violations, for example reordering the steps of a login flow.
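Both of the behaviors mentioned above (repeated failed logins, and login steps executed out of order) can be detected from a device's event stream. The following is an added example of that detection logic, not Sternum's implementation, run over constructed log lines in a hypothetical key=value format. The event names (login_start, credential_check, session_open), the five-failures-in-60-seconds threshold and the device names are all assumptions made for the example.

```python
"""Brute-force and login-flow-order detection over device event logs.

Added example, not Sternum's code. Log format, event names and thresholds
are hypothetical; the log lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime

FAIL_THRESHOLD = 5      # failed credential checks ...
WINDOW_SECONDS = 60     # ... within this many seconds trips a brute-force alert

# Constructed sample log: one pump under a password-guessing burst, one monitor
# logging in normally, one monitor opening a session with no credential check,
# and one pump with a single harmless failure.
SAMPLE_LOG = """\
2022-11-08T10:00:00Z dev=pump-017 event=login_start user=svc
2022-11-08T10:00:01Z dev=pump-017 event=credential_check user=svc result=fail
2022-11-08T10:00:02Z dev=pump-017 event=login_start user=svc
2022-11-08T10:00:03Z dev=pump-017 event=credential_check user=svc result=fail
2022-11-08T10:00:04Z dev=pump-017 event=login_start user=svc
2022-11-08T10:00:05Z dev=pump-017 event=credential_check user=svc result=fail
2022-11-08T10:00:06Z dev=pump-017 event=login_start user=svc
2022-11-08T10:00:07Z dev=pump-017 event=credential_check user=svc result=fail
2022-11-08T10:00:08Z dev=pump-017 event=login_start user=svc
2022-11-08T10:00:09Z dev=pump-017 event=credential_check user=svc result=fail
2022-11-08T10:05:00Z dev=monitor-003 event=login_start user=nurse
2022-11-08T10:05:01Z dev=monitor-003 event=credential_check user=nurse result=ok
2022-11-08T10:05:02Z dev=monitor-003 event=session_open user=nurse
2022-11-08T10:06:00Z dev=monitor-009 event=session_open user=admin
2022-11-08T10:07:00Z dev=pump-021 event=login_start user=svc
2022-11-08T10:08:30Z dev=pump-021 event=credential_check user=svc result=fail
"""


def parse(line: str) -> dict:
    """'<iso-timestamp> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def analyze(log_text: str) -> list:
    """Return alert strings in the order the triggering events were seen."""
    alerts = []
    fails = defaultdict(deque)   # device -> timestamps of recent failed checks
    stage = {}                   # device -> last completed login step
    for raw in log_text.strip().splitlines():
        ev = parse(raw)
        dev, name, ts = ev["dev"], ev["event"], ev["ts"]

        # Brute force: sliding window of failed credential checks per device.
        if name == "credential_check" and ev.get("result") == "fail":
            window = fails[dev]
            window.append(ts)
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(f"{dev}: {len(window)} failed logins within {WINDOW_SECONDS}s")
                window.clear()   # one alert per burst

        # Flow order: login_start -> credential_check(ok) -> session_open.
        if name == "login_start":
            stage[dev] = "login_start"
        elif name == "credential_check":
            if stage.get(dev) != "login_start":
                alerts.append(f"{dev}: credential_check without login_start")
            stage[dev] = "authenticated" if ev.get("result") == "ok" else None
        elif name == "session_open":
            if stage.get(dev) != "authenticated":
                alerts.append(f"{dev}: session_open without successful credential_check")
            stage[dev] = None   # a session must be re-earned from login_start

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The flow check is a small per-device state machine: a session_open is only legitimate when the last completed step was a successful credential_check, so a device that emits session_open directly (for instance because an authentication step was bypassed) is flagged even though no failed login ever appears. The brute-force check uses a sliding window rather than a fixed-interval counter so that a burst straddling a minute boundary is still caught.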

Asset Management


FBI Recommendation
“Maintain an electronic inventory management system for all medical devices and associated software, including vendor-developed software components, operating systems, version and model numbers.”

Sternum Response
Sternum enables operators to maintain a fleet-wide inventory along with detailed device profile information including ID, firmware/software/OS version, alert and deploy status, ‘last seen’ time stamp, location, connectivity status, etc. It also dynamically keeps track of everything running on your devices, including third-party components.


FBI Recommendation
“Use inventory results to identify critical medical devices, operational properties, and maintenance timeframes.”

Sternum Response
Sternum goes beyond the recommendation by providing a continuous live, device-level view of your entire fleet inventory. This enables real-time awareness and proactive response to all security and operational issues - allowing resolution before they impact the device, the end user or the deployment environment.


FBI Recommendation
“Consider replacement options for affected medical devices as part of purchasing process; if replacing the medical device is not feasible, take other mitigation precautions, such as isolating the device from network or auditing the device’s network activities.”

Sternum Response
Sternum allows organizations to safely prolong the life of legacy medical devices, with integrity verification security that can be deployed on every device with low overhead (1-3%) and a very small (~25K) footprint. This works even on isolated devices, enabling them to operate securely and minimizing the need for replacement.

Vulnerability Management


FBI Recommendation
“Work with manufacturers to help mitigate vulnerabilities on operational medical devices.”

Sternum Response
Sternum continuously profiles the code on the devices on which it resides to identify weak spots and corruption attempts. By doing so it not only protects the device but also collects in-field information that can be delivered to manufacturers to close security gaps.


FBI Recommendation
“Monitor and review medical devices’ software vulnerabilities disclosures by vendors and conduct independent vulnerability assessments.”

Sternum Response
Sternum endorses these best practice recommendations.


FBI Recommendation
“Implement a routine vulnerability scan before installing any new medical device onto the operating IT network.”

Sternum Response
Sternum endorses this best practice, and further provides runtime protection on the device that acts as a continuous, in-device detect-and-defend mechanism alongside periodic scanning. A Sternum-protected device is hardened against exploitation before it joins the network, so it does not introduce new risk even when entering a compromised network.

What you don’t know can hurt you

While autonomous device security is crucial, so is visibility into the ongoing health, operation, and performance of devices involved in the delivery of healthcare. Going without it can have serious patient safety ramifications.

For instance, an insulin pump may need to operate within a specific temperature range for proper effectiveness.  A faltering pump may exceed that safe range and put the patient at risk.  Continuous monitoring of that key parameter, combined with instant alerting to variances, is critically important to taking quick remedial action. 

Having in-device security, augmented with device-specific analytics, such as operating temperature, user interaction (e.g., buttons pushed), anomalous behaviors, security attack attempts, etc. helps to inform an operator so they can get to the root cause quickly.  They can use this learning proactively to be on the lookout for similar symptoms across their entire fleet of devices.

With Sternum, IoMT engineers and operators are no longer in the dark with respect to their devices, and can have confidence in their security and ability to deliver reliable healthcare solutions.

Interested to learn more about Sternum? Schedule a demo and see our platform in action: https://www.sternumiot.com/request-demo
