Daniel dos Santos Of Forescout Vedere Labs On Why the US Government is Getting Serious About Medical Device Cybersecurity

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
13 min read, Nov 22, 2023



In an era where technology is revolutionizing healthcare, medical devices — from pacemakers to insulin pumps to hospital imaging machines — are becoming increasingly interconnected. While these advancements offer unprecedented benefits, they also expose healthcare systems and patients to new cybersecurity risks. Cyberattacks on medical devices can result in compromised patient safety, data breaches, and even loss of life. Acknowledging the gravity of the issue, the US Government is ramping up its focus on medical device cybersecurity through regulations, initiatives, and collaborations with industry stakeholders. As a part of this series, we had the pleasure of interviewing Daniel dos Santos.

Daniel dos Santos is the Head of Security Research at Forescout Vedere Labs, where he leads a team of researchers that identifies new vulnerabilities and monitors active threats on medical devices, the internet of things, operational technology, and other connected devices and networks. He holds a PhD in computer science, has published over 35 peer-reviewed papers and several patents on cybersecurity, has found or disclosed hundreds of vulnerabilities and is a frequent speaker at security conferences.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Thank you for inviting me to this interview. Sure, I’m happy to talk about my background. I’m originally from Brazil, where I grew up in the ’90s and 2000s with a wide variety of interests. I was always very physically active: I swam a lot, was in the Boy Scouts, and I have a black belt in karate. At the same time, I was really into a lot of the more — at the time — “stereotypical geek” activities, such as role-playing games, fantasy and sci-fi literature, and, of course, computers. I mostly learned about computers and the basics of programming from my father, who is a retired electrical engineer and developed the first computer systems for the local power distribution company. That led me to study computer science in college and then move abroad to continue my education in Europe when I was in my twenties.

Is there a particular story that inspired you to pursue a career in this field? We’d love to hear it.

My general interest in cybersecurity started when I was very young, watching movies like Wargames (1983), Hackers (1995), and The Matrix (1999). However, the one event that really made me want to pursue cybersecurity as a career was when I saw — at a conference — a demonstration of a buffer overflow exploit, which let an attacker send a malicious network packet and take full control of the computer of an unsuspecting victim. In the movies, I used to find the hacks they showed “cool” but could not see how they would work in reality. Seeing a live demonstration, with an explanation of how vulnerabilities and exploits really worked, made me decide to become a penetration tester — someone who exploits computer vulnerabilities professionally and ethically. Later on, I decided to become a security researcher.

Can you share the most interesting story that happened to you since you began this fascinating career?

For me, the most interesting was our first big project that got wide industry recognition: Project Memoria. In that project, my team analyzed several critical software components of IoT devices — including medical devices — called TCP/IP stacks and disclosed almost 100 vulnerabilities. That project was interesting for several reasons but mostly because in the beginning we had no idea how impactful it could become. It led us to collaborate with other security researchers to find new vulnerabilities and work with huge device manufacturers as well as governmental agencies to disclose them. It was often cited in conferences as a motivation for the need for software bills of materials (SBOMs) and automated standards for vulnerability disclosure. Seeing our own work discussed so prominently and used as motivation for the progress of cybersecurity was very rewarding.

Are you working on any exciting new projects now? How do you think that will help people?

My team at Forescout is always searching for new vulnerabilities in connected devices, whether they are medical equipment, operational technology used in critical infrastructure or some specialized appliances that may be connected to business networks. Nowadays, our main challenge is not actually finding the vulnerabilities but deciding where we should look for them. We know that most — if not all — connected devices have vulnerabilities, but deciding what type of device will be interesting for the cybersecurity community and the public to hear about is the challenge. We always hope that our research will immediately help to fix the issues we find; however, more long-term, the goal is to help the people developing new software, protocols, devices etc. avoid the same mistakes we have found. We have been disclosing an average of 40 vulnerabilities per year in the past few years, so there is always something new coming up!

Ok, thank you. Let’s now move on to our main topic. For the uninitiated, can you explain the nature and scope of cybersecurity threats to modern medical devices? How significant is the risk in comparison to other sectors?

As with most other hardware — including cars, domestic appliances, and much in between — medical devices have evolved in the past decades to become much more connected; they are now essentially computers connected, on the one side, to a patient and, on the other side, to a computer network. That means that these medical devices are subject to the same vulnerabilities as most computer equipment: design and configuration flaws, such as using weak passwords or not encrypting sensitive data, as well as programming flaws, such as crashing when receiving unexpected input.

These types of vulnerabilities can be leveraged by threat actors that have three main goals: financial gain, such as ransomware gangs and cybercriminals; espionage, such as state-sponsored groups; or destruction, such as hacktivists.

The main difference between medical devices and most other connected devices is that the former are used for critical life-supporting, diagnosis, and treatment functions, so any attack crashing or taking unauthorized control of a medical device can have very serious consequences, such as delaying or preventing life-saving healthcare.

Cybersecurity risk is often measured as the likelihood of bad events happening multiplied by the impact of those bad events. The bad events in this case lead to potential loss of human life, so the risk is significant even if the likelihood is smaller than an attack on an IT workstation, for instance — which happens millions of times a day.

In 2022, the FBI released an industry notification that centered around a growing number of vulnerabilities in medical devices that can be exploited by threat actors to “impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity.” This notification came after the discovery of significant vulnerabilities affecting medical devices, such as infusion pumps, medication dispensing systems and electrocardiographs. We also saw a wave of ransomware attacks targeting healthcare organizations before, during and after the COVID-19 pandemic, some of which have rendered medical devices unusable. The notification highlighted some of the main challenges for medical device cybersecurity, which are often a consequence of specialized software and firmware, including: a long lifespan that allows threat actors to find vulnerabilities, devices requiring special upgrading procedures and devices not designed with security in mind.

Could you highlight some key regulations or initiatives that the US Government has introduced or proposed specifically targeting medical device cybersecurity? How have these been received by industry stakeholders?

The main agency responsible for enforcing cybersecurity regulations for medical devices in the United States is the Food and Drug Administration (FDA), especially via its pre-market approval process.

For any medical device to be sold in the U.S., its vendor — also called a medical device manufacturer (MDM) — must obtain pre-approval from the FDA, which nowadays includes evidence of a device’s cybersecurity posture. Recent governmental initiatives to improve medical device cybersecurity have happened by updating the FDA’s guidelines and requirements to grant this approval.

The FDA has been producing cybersecurity guidance documents since at least 2005, but the most recent was just published in September and titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” This document outlines how cybersecurity is part of medical device safety and how a secure product development framework (SPDF) helps to meet the required quality regulation. This SPDF encompasses aspects such as threat modeling, risk assessment, interoperability, third-party software components, security architecture and security testing. Interoperability and third-party components, for instance, are new aspects that MDM must consider in their submissions.

The FDA also maintains a guidance document — which was last updated in 2016 — on “post-market management of cybersecurity in medical devices.” This document mostly discusses how to handle vulnerabilities found on a product after it has been introduced to the market, which includes an evaluation of risk for patient harm, as well as guidelines on remediation, patching and compensating controls.

Besides these US government initiatives, MDMs follow a myriad of other regulations, guidelines and standards from international bodies, such as the International Standards Organization (ISO 13485), the International Electrotechnical Commission (IEC 62304, IEC 82304), the International Medical Device Regulators Forum (IMDRF) and many others.

Overall, industry stakeholders understand the need for cybersecurity and safety regulations to evolve in a critical industry such as connected medical devices. However, there are always concerns with the time to adapt to new requirements.

From a manufacturer and healthcare provider perspective, what are the most pressing challenges in adapting to and complying with these cybersecurity regulations? Are there any unforeseen hurdles they’ve had to navigate?

There should not be “unforeseen hurdles” per se, since these regulations follow existing discussions in the cybersecurity and device manufacturer communities. I believe some of the most pressing challenges for the MDMs now are dealing with the new items in the guidelines, which include the parts about interoperability, how a medical device interfaces with other devices, computer and network infrastructure; as well as “plans for how third-party software components could be updated or replaced if support ends or other software issues arise in premarket submissions.”

With regulations becoming more stringent, do you think this might impede or slow down the innovation of medical devices? How are manufacturers ensuring both security and the continuous advancement of medical technology?

I do not believe that regulations will slow down innovation in medical devices. The constant need for better healthcare will ensure that manufacturers continue to innovate. Regulation can always have unintended side effects and it certainly may delay some specific products being approved to enter the market; however, that is not “delaying innovation.” It is ensuring that devices are safer for everyone to use. In critical sectors such as aviation and medical devices, this is an absolute necessity. It is preferable for everyone, including the manufacturers, that medical devices take a bit longer to be approved but have fewer vulnerabilities that can be exploited in the future.

Medical device manufacturers, just like manufacturers of other types of connected devices, have been adopting new cybersecurity tools and techniques such as improved software development lifecycles, use of software bills of materials and automated testing to ensure that they can continue to innovate while complying with new requirements.

What are your “5 Things Everyone Should Know About Medical Device Cybersecurity?”

1. Medical devices are computers and subject to vulnerabilities. Between January and October 2023, CISA has disclosed 22 new vulnerabilities affecting medical devices, an average of more than two per month. This is by no means unexpected. Recent research by the Health-ISAC, an organization promoting cybersecurity in the healthcare industry, found the number of vulnerabilities present in medical devices in hospitals grew 60% since 2022. Another recent study, published in Nature Scientific Reports, revealed more than 600 vulnerabilities on devices purchased by national health systems of 36 countries. These vulnerabilities affect devices such as imaging equipment, infusion pumps, patient monitors and others.

2. Many medical devices were not designed with security in mind. Many of the network protocols running on medical devices do not include basic security controls such as authentication and encryption. We have demonstrated in past research how insecure protocols in healthcare allow attackers to leak patient data, tamper with diagnostic results, disconnect a patient monitor and even change a patient’s vital readings on the network. Many of these devices are still active because they have a long lifespan, usually between 10 and 30 years, which unfortunately also means that threat actors have a lot of time to find and exploit vulnerabilities.

3. Medical devices use third-party components, including open-source software, that can also be vulnerable. Most devices these days combine software components developed in-house by the manufacturer with a lot of components sourced from third parties, such as real-time operating systems, TCP/IP stacks and implementations of other protocols. Some of these components are even open-source, developed and maintained by an open community instead of a single organization. That means that when a vulnerability is found in a third-party component, a patch must be produced by the developer of that component and then make its way to the device manufacturer, who needs to integrate it with their other software components and produce a patch that will reach the end users of the device. This delays the patching procedure and introduces uncertainties when a component is no longer supported by the original developer. For instance, in our NUCLEUS:13 research, we found vulnerabilities on a software component used in medical devices since 1993.

4. One reason for the persistent insecurity of medical devices is the belief that they are not exposed to cyberattacks because they can only be accessed from inside a hospital’s privileged network. The fact that many remote ransomware attacks have spilled over to medical devices and related information systems is proof enough that this assumption is no longer true. Beyond reported attacks, there are persistent segmentation issues in healthcare organizations where several unrelated types of devices with very different criticality levels are present in the same network segments, providing a path for attackers to reach medical devices. The truth is that medical devices often are not connected directly to the internet, but they communicate with information systems that are exposed online. For instance, imaging modalities, such as CT scanners, communicate with picture archiving and communication systems (PACS), which in turn communicate with radiology information systems (RIS). Although CT scanners are not found online, many PACS and some RIS are, and thus may provide a path for attackers to reach the most sensitive devices.

5. Devices used with a default configuration are easily exploitable. Many medical devices have default open ports or credentials when they are configured by a manufacturer, and sometimes these are not changed when deployed in healthcare organizations. In our Access:7 research, we identified medical devices that were shipped with a configuration agent still present and whole product lines sharing hardcoded credentials for remote access.
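A defender-side check for the segmentation problem described in point 4 (mixed-criticality segments, and a CT-to-PACS-to-RIS style path from an internet-exposed system down to a modality), written here as an added example that is not code from the interview or from Forescout. The device inventory, segment names, allowed flows and the criticality scale are all constructed assumptions for the demonstration.

```python
"""Exposure-path check over a medical device inventory (added example).
Reports (a) segments mixing criticality levels and (b) critical devices
reachable, via allowed flows, from a system that is itself internet-exposed.
"""
from collections import deque

# Constructed inventory: device -> (segment, criticality, internet_exposed).
# Criticality scale is an assumption: 3 = life-critical, 2 = clinical IT,
# 1 = general IT. Names are made up for the demo.
INVENTORY = {
    "ct-scanner-01": ("imaging", 3, False),
    "patient-mon-07": ("imaging", 3, False),
    "pacs-server": ("clinical", 2, True),    # portal reachable online
    "ris-server": ("clinical", 2, True),
    "visitor-laptop": ("imaging", 1, False),  # misplaced in imaging VLAN
}

# Constructed allow-list: segment -> segments it may open connections to.
# Hosts inside one segment are assumed to reach each other freely.
FLOWS = {
    "clinical": {"imaging"},  # PACS/RIS query the modalities
    "imaging": {"clinical"},  # modalities push studies to PACS
}


def mixed_criticality_segments(inventory):
    """Return {segment: sorted levels} for segments holding more than one level."""
    levels = {}
    for seg, crit, _ in inventory.values():
        levels.setdefault(seg, set()).add(crit)
    return {s: sorted(c) for s, c in levels.items() if len(c) > 1}


def exposure_paths(inventory, flows, min_criticality=3):
    """Map each critical device to the shortest segment path from an exposed host.
    Breadth-first search over segments, seeded with every segment that holds
    an internet-exposed device and following the allowed cross-segment flows.
    """
    seg_of = {dev: v[0] for dev, v in inventory.items()}
    reach = {}  # segment -> list of segments walked from an exposed one
    queue = deque()
    for seg, _, exposed in inventory.values():
        if exposed and seg not in reach:
            reach[seg] = [seg]
            queue.append(seg)
    while queue:
        seg = queue.popleft()
        for nxt in flows.get(seg, ()):
            if nxt not in reach:
                reach[nxt] = reach[seg] + [nxt]
                queue.append(nxt)
    return {
        dev: reach[seg_of[dev]]
        for dev, (seg, crit, _) in inventory.items()
        if crit >= min_criticality and seg in reach
    }


if __name__ == "__main__":
    print("mixed-criticality segments:", mixed_criticality_segments(INVENTORY))
    for dev, path in exposure_paths(INVENTORY, FLOWS).items():
        print(f"{dev} reachable via {' -> '.join(path)}")
```

Feeding the same functions a real asset inventory and firewall allow-list turns the interview's two observations (mixed segments, exposed intermediaries) into a repeatable audit rather than a one-off assessment.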

Let’s talk about the future. Considering the pace of technological advancements and the growing emphasis on cybersecurity, where do you see the future of medical device security in the next 5–10 years? Are there emerging technologies or methods that hold particular promise in safeguarding patient health and data?

The number and types of connected medical devices are only going to grow as medicine itself evolves and as new use cases are unlocked by greater connectivity. Simultaneously, the number and types of cyberattacks will follow the same trend since threat actors also keep up with technological developments.

Unfortunately, attackers only need to find one flaw, while defenders must protect a network from every type of attack on every device, which means that attackers often have the advantage in this game of cat and mouse.

Hopefully, the new wave of generative artificial intelligence that is ongoing will help developers to detect vulnerabilities earlier and fix them, as well as help network defenders to understand how medical devices may be exploited on healthcare networks and how attackers may be exfiltrating sensitive data. We are already seeing many security products starting to integrate AI features that promise to help cybersecurity professionals work better and more efficiently, both when designing or developing products and also when defending them against attacks on their organizations.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I really believe that education has the power to change our world for the better. Both increasing access to education and increasing the quality of education worldwide are what I think can bring the most amount of good.

We are living through a period of very fast technological advancement and societal change, both of which are only going to happen faster in the future. In the answer to the first question in this interview, I mentioned I grew up reading science fiction literature. One of my favorite subgenres of sci-fi is cyberpunk, which is also known as “high tech, low life” because cyberpunk works depict a future with very advanced technology where the vast majority of people live a terrible life in a world dominated by the very few.

To avoid ending up in this kind of dystopian future, we need to make sure that everyone is educated enough to understand how the world works, how it is changing and to be able to contribute to these changes in a positive and meaningful way.

How can our readers further follow your work online?

You can check all our vulnerability and threat research at https://www.forescout.com/research-labs/. I’m also active on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent on this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is a member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
