The following is a guest article by Joseph M. Saunders, Founder and CEO at RunSafe Security
Modern healthcare settings are full of devices that use software to manage and improve patient care, from MRI machines to CT scanners to infusion pumps. Healthcare providers rely on medical device manufacturers to deliver secure and effective software upfront, but securing software once these devices are already in the field is another challenge altogether.
Just last year, the FDA released new guidance on cybersecurity for medical devices, including requirements for securing medical devices postmarket. The FDA’s primary guidance is that manufacturers have a plan for the “rapid testing, evaluation, and patching of devices deployed in the field.”
Patching, however, takes significant time and resources and is difficult to accomplish for Class II and Class III medical devices. With the risk of a cyberattack on the medical device software supply chain so high, both healthcare providers and medical device manufacturers are taking a closer look at opportunities to better address cybersecurity vulnerabilities throughout the device lifecycle.
The Challenges of Patching Medical Devices
Patching medical devices is challenging for many reasons. Vulnerability research and analysis, patch creation, and testing require significant engineering resources. Once a patch is developed, medical device manufacturers then need to work with healthcare providers to manage the logistics of pushing updates to devices, including those that may not be easily accessible. Different healthcare environments also have complex deployment scenarios, and manufacturers need to maintain support for multiple software versions at once.
The most stressful scenario for manufacturers and healthcare providers is dealing with zero-day vulnerabilities in deployed devices. These situations create crisis conditions where manufacturers need to respond quickly, develop and test patches under extreme time pressure, coordinate emergency updates with healthcare providers, and manage potential risks to patient care.
The longer the gap between when a vulnerability is identified and a patch is available, the bigger the window for attackers to successfully exploit a device.
Exploit Prevention in Medical Device Software
Though patching is an essential part of medical device security, healthcare systems need more proactive security solutions that give defenders a leg up over attackers. One promising solution is runtime exploit prevention, a technology that acts as a self-defense mechanism built directly into a device’s software.
Runtime protections allow fielded devices to resist attacks that depend on corrupting the device's memory: sophisticated malware, unauthorized code execution, hidden backdoors, and exploitation of vulnerabilities that have not yet been discovered or patched. They do not remove the underlying bug; they cause the assumptions an exploit makes about the device's memory to fail, so an attack that would have run attacker-controlled code instead fails or is caught.
If an attacker were to target a vulnerability in a medical device with runtime exploit prevention deployed, the exploit attempt would be stopped at the point where it tries to take control of the device, even before a patch becomes available.
Although this technology doesn’t eliminate the fundamental need for security patches, it serves as a crucial safeguard in the medical environment where immediate updates aren’t always feasible. Runtime protections significantly decrease the risk posed by vulnerabilities to critical medical devices, effectively buying valuable time until a comprehensive update can be safely deployed.
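The difference between "the bug is still there but the exploit fails" and "the bug is fixed" is easier to see in code. The following is an added example, not code from the page or from RunSafe, and the guard-word check is only a stand-in for a runtime mitigation (the page does not name a specific technique, and this is not a description of RunSafe's product). The packet format, the frame layout, the guard seeding and the two inputs are all constructed for the demo. A packet handler trusts an attacker-controlled length byte; the same handler with a runtime guard turns the hijack into a failed request; the patched handler rejects the packet outright.

```c
/* Added example: one memory-corruption bug, handled three ways. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

enum { BUF_LEN = 16, MAX_PKT = 64 };
/* Handler outcomes. */
enum { HANDLED = 0, REJECTED = -1, GUARD_TRIPPED = -2, HIJACKED = 0xBAD };

/* The handler's frame, modelled as one struct so the overflow stays inside a
 * single object (defined behaviour): the copy buffer, then a guard word placed
 * the way -fstack-protector places its canary, then a code pointer standing in
 * for the saved return address an attacker would overwrite. */
struct frame {
    char buf[BUF_LEN];
    uint64_t guard;
    int (*on_done)(void);
};

static int normal_done(void)   { return HANDLED; }
static int attacker_code(void) { return HIJACKED; }  /* stands in for injected code */

/* Guard value fixed once per process. Real mitigations draw it from kernel
 * entropy at process start; this mix is a stand-in (assumption). */
static uint64_t g_guard;
static void init_guard(void)
{
    if (g_guard == 0)
        g_guard = 0x9E3779B97F4A7C15ULL ^ (uint64_t)time(NULL)
                  ^ (uint64_t)(uintptr_t)&g_guard;
}

/* Constructed wire format: one length byte, then that many payload bytes.
 * The length byte is attacker controlled; never read past the packet. */
static size_t payload_len(const uint8_t *pkt, size_t pkt_len)
{
    size_t n = pkt[0];
    return n > pkt_len - 1 ? pkt_len - 1 : n;
}

/* 1. As shipped: the length is trusted, so the copy runs past buf into guard
 *    and on_done (capped at the struct so the demo stays in the object).
 *    The corrupted pointer is then followed. */
int handle_unprotected(const uint8_t *pkt, size_t pkt_len)
{
    struct frame f = { {0}, 0, normal_done };
    if (pkt_len == 0) return REJECTED;
    size_t n = payload_len(pkt, pkt_len);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, pkt + 1, n);           /* the bug: no check against BUF_LEN */
    return f.on_done();
}

/* 2. Same bug, same copy, but the guard is checked before on_done is used:
 *    the bug is still present, the exploit no longer gets control. */
int handle_guarded(const uint8_t *pkt, size_t pkt_len)
{
    init_guard();
    struct frame f = { {0}, g_guard, normal_done };
    if (pkt_len == 0) return REJECTED;
    size_t n = payload_len(pkt, pkt_len);
    if (n > sizeof f) n = sizeof f;
    memcpy(&f, pkt + 1, n);
    if (f.guard != g_guard) return GUARD_TRIPPED;  /* fail closed, do not jump */
    return f.on_done();
}

/* 3. The patch: validate the length against the buffer before copying. */
int handle_patched(const uint8_t *pkt, size_t pkt_len)
{
    struct frame f = { {0}, 0, normal_done };
    if (pkt_len == 0 || pkt[0] > pkt_len - 1 || pkt[0] > BUF_LEN) return REJECTED;
    memcpy(f.buf, pkt + 1, pkt[0]);
    return f.on_done();
}

/* Constructed attack input: filler through buf and the guard, then the
 * address of attacker_code landing where on_done sits. */
size_t build_exploit_packet(uint8_t *out, size_t cap)
{
    int (*target)(void) = attacker_code;
    size_t off = offsetof(struct frame, on_done);
    size_t n = off + sizeof target;
    if (n > 255 || cap < n + 1) return 0;
    out[0] = (uint8_t)n;
    memset(out + 1, 'A', off);
    memcpy(out + 1 + off, &target, sizeof target);
    return n + 1;
}

/* Constructed benign input: a short message that fits in buf. */
size_t build_benign_packet(uint8_t *out, size_t cap)
{
    static const char msg[] = "HEARTBEAT";
    if (cap < sizeof msg + 1) return 0;
    out[0] = (uint8_t)sizeof msg;
    memcpy(out + 1, msg, sizeof msg);
    return sizeof msg + 1;
}

/* Build the chosen packet and run it through one handler. */
int run_scenario(int attack, int (*handler)(const uint8_t *, size_t))
{
    uint8_t pkt[MAX_PKT];
    size_t len = attack ? build_exploit_packet(pkt, sizeof pkt)
                        : build_benign_packet(pkt, sizeof pkt);
    return len ? handler(pkt, len) : REJECTED;
}

int main(void)
{
    printf("unprotected: benign=%d exploit=%#x\n",
           run_scenario(0, handle_unprotected), run_scenario(1, handle_unprotected));
    printf("guarded:     benign=%d exploit=%d\n",
           run_scenario(0, handle_guarded), run_scenario(1, handle_guarded));
    printf("patched:     benign=%d exploit=%d\n",
           run_scenario(0, handle_patched), run_scenario(1, handle_patched));
    return 0;
}
```

The guarded handler is the point of the passage: it still contains the bug, and it still lets the attacker write past the buffer, but the device fails the request instead of running attacker code, which is the window in which the patched handler can be built, tested and rolled out without an emergency.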
What’s Next?
In addition to making devices more resilient against attack, proactive security solutions also make it easier to meet FDA guidance and make patching more efficient.
FDA guidance requires manufacturers to submit a cybersecurity management plan as part of their premarket submission, including how they will address postmarket security vulnerabilities. By deploying solutions like runtime exploit prevention, manufacturers can strengthen their premarket submissions by demonstrating how they lower both the current risk and the likelihood of future exploitation of vulnerabilities.
Proactive security measures also help to transform the typical patch management process, bridging the security gap between vulnerability discovery and patch deployment. Because devices are already protected, manufacturers can assess vulnerabilities more strategically and coordinate updates based on actual risk levels rather than rushing emergency fixes.
An attack against a medical device can quickly spread to affect entire healthcare systems. Prioritizing proactive security measures rather than relying on reactive patching alone will go a long way toward building the resilience of critical systems while protecting patients.
About Joseph M. Saunders
Joseph M. Saunders is the Founder and CEO at RunSafe Security, a pioneer of cyberhardening technology for embedded systems deployed across critical infrastructure. He leads a team of former U.S. government cybersecurity specialists who know how attackers think about problems, how they weaponize attacks and how they choose targets.
A 25-year veteran of many leadership roles, Joe is on a personal mission to transform cybersecurity by challenging outdated assumptions and disrupting the economics that motivate hackers to attack.
Published by: Dr.Durant. Please credit the source when reposting: https://robotalks.cn/beyond-patching-securing-medical-devices-postmarket/