Cybersecurity attacks have morphed in recent years, exponentially increasing the risk of patient data exposure through lab equipment and other edge medical devices. Threat actors who once exclusively targeted the application layer have turned their attention to the physical layer targeting hardware, firmware, BMC vulnerabilities and other means of physical exploitation. After gaining a foothold, these attackers can pivot to spread within the network, doing even more harm and making damage mitigation much more difficult.
With this shift in attack vectors, firmware has proved to be the most commonly exploited vulnerability of edge device security. One reason is that firmware updates are not automatic like software patches, but instead require a multi-step manual process that can include flashing the BIOS as well as a system reboot. These types of tasks frequently fall to the bottom of the list of IT team responsibilities, creating patching delays that increase risk exposure and offer more time for firmware vulnerability to be exploited.
Mitigating the damage from an attack can be difficult and costly while also causing reputational damage. We know of one device manufacturer that spent four months and nearly half a million dollars to resolve patching a critical vulnerability caused by outdated firmware.
Yet timely firmware updates are only one part of the hardware-related security equation. Whether it’s a hematology analyzer, CT scanner or any other networked medical device, the ability to withstand as well as recover from a malicious attack begins with the contract manufacturer that builds the embedded system.
Here are five questions to ask your hardware integrator to be sure that your devices are equipped with maximum protection both before and after delivery.
1. What measures does the builder take to authenticate and identify system firmware?
Does the integrator verify the authenticity of the firmware to ensure that the component supplier has not shipped third-party or black-market goods? Do they use components from trusted vendors that provide timely firmware updates, have an in-house engineering team that tracks those updates, and alert customers when critical firmware patches become available?
Equally important, does the builder maintain a digital fingerprint of the firmware flashed onto every system so that you can see which systems in the field need to be updated? Choosing an integrator that offers point-and-click serial traceability to firmware ensures that you will be able to quickly identify devices in urgent need of patching.
2. Does the integrator perform hardening checks and lock down the validated software and firmware configurations?
A device manufacturer’s hardware integrator can help protect devices from cyberattacks by performing comprehensive pre-deployment testing and verification. That includes looking for known vulnerabilities and other security threats on both the firmware and the software image, and confirming that all available patches have been applied. They can also offer deeper level system penetration testing with reporting and OS hardening.
Once these checks are complete and a ‘golden copy’ is available, the final configuration should be locked down to help mitigate the risk of future attacks. The lockdown process should include actions such as OS updates/patches, changing any default passwords to complex passwords, applying the least privilege principle, configuring firewall and/or antivirus settings, disabling unnecessary services, encrypting data, adding physical security such as tamper proof seals or physical locks, and finalizing chain-of-custody documentation.
3. Are inventory scans conducted before deployment for quality and security assurance?
Once the build is complete, the integrator should perform an inventory check to verify that each system includes the validated firmware, the right revision of the hardened software image, and other approved components to ensure the consistency of the build as well as minimization of the attack surface.
When the device has left the manufacturer and arrives at its destination, the golden image can be verified through hash during deployment to ensure that the right revision of the hardened software image is being deployed. This also serves as another verification check that there was no tampering through physical access while in transit.
4. Does the builder provide a user-friendly traceability system to track each build at the component level as well as to prevent unauthorized engineering changes?
Does your contract manufacturer offer a portal for easy access to information on firmware revisions (see question 1 above) as well as serial numbers, MAC addresses, bill of materials, engineering changes and other details enabling you to quickly identify devices affected by a security breach?
Does the builder also have a method of preventing engineering changes without your approval, including tracking authorization of change orders within the portal for easy traceability? Even a seemingly minor change can undermine all the other checks and balances, so it is critical for the manufacturer to both control and document the process without burying each change in spreadsheets, emails or third-party applications.
5. What post-delivery support does the builder provide?
Security vulnerabilities are an eventuality that will need to be dealt with, so it’s imperative to have plans in place before a problem arises. In the case of medical devices that are unable to receive over-the-air updates, the contract manufacturer should be willing and able to collaborate with you to create a plan for handling security updates in the end user’s environment.
In addition, for devices that can receive over-the-air updates, some integrators have developed technology that allows them to remotely update software and firmware with critical vulnerabilities without requiring that embedded systems be shipped back to their manufacturing facility. Partnering with a builder with the ability to patch vulnerabilities onsite or at staging locations dramatically reduces the cost and lead time involved in helping prevent a cyberattack on these systems.
Threat actors will always be with us, discovering and exploiting new vulnerabilities. Even the most prominent chipmakers have repeatedly found themselves in the crosshairs. Your best defense against an attack is to ensure that your contract manufacturer provides robust controls that can protect against known attack vectors, trace every component on every system with a click, and expedite recovery when hackers strike. As always, an ounce of prevention is worth a pound of cure.